nixos/plasma5: remove pointless setuid wrappers

The module for Plasma 5 contained two pointless setuid wrappers:
* kscreenlocker_greet was introduced when the kscreenlocker package
  dropped kcheckpass. However, this was actually replaced by making
  proper use of PAM (which finally calls its unix_chkpwd setuid binary).
  kscreenlocker_greet itself was never intended to be setuid.
  Fortunately, this is not exploitable, because QCoreApplication
  immediately aborts if it detects setuid. The wrapper is still
  incorrect and pointless, so remove it.
* start_kdeinit can optionally use setuid root or setcap
  CAP_SYS_RESOURCE to reduce its OOM killer score. However, with systemd
  startup, start_kdeinit does not get used at all. So in this case, the
  setuid wrapper is pointless, and so is removed as well. Ideally, the
  case where systemd startup is not enabled would use a capability
  wrapper instead, but since systemd startup is the default in NixOS and
  kinit is deprecated upstream for KF6, I don't bother any more.
Alois Wohlschlager 2023-09-08 19:21:22 +02:00
parent a552311804
commit bd0cbb43ec
No known key found for this signature in database
GPG Key ID: E0F59EA5E5216914

@ -172,24 +172,19 @@ in
(mkIf (cfg.enable || cfg.mobile.enable || cfg.bigscreen.enable) {
security.wrappers = {
kscreenlocker_greet = {
setuid = true;
owner = "root";
group = "root";
source = "${getBin libsForQt5.kscreenlocker}/libexec/kscreenlocker_greet";
};
start_kdeinit = {
setuid = true;
owner = "root";
group = "root";
source = "${getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";
};
kwin_wayland = {
owner = "root";
group = "root";
capabilities = "cap_sys_nice+ep";
source = "${getBin plasma5.kwin}/bin/kwin_wayland";
};
} // mkIf (!cfg.runUsingSystemd) {
start_kdeinit = {
setuid = true;
owner = "root";
group = "root";
source = "${getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";
};
};
environment.systemPackages =
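Review bot: the `} // mkIf (!cfg.runUsingSystemd) {` join looks like a logic problem, because `//` is a shallow attribute-set update and `mkIf` returns a tagged set (`_type = "if"`, `condition`, `content`), not the wrappers themselves. The merged value therefore carries `_type = "if"` at its top level, so the module system treats all of `security.wrappers` here as that conditional and `kwin_wayland` sits beside `content` where it is never read. With systemd startup enabled the condition is false and the `cap_sys_nice+ep` wrapper for `kwin_wayland` would be dropped along with `start_kdeinit`. Consider `mkMerge [ { kwin_wayland = ...; } (mkIf (!cfg.runUsingSystemd) { start_kdeinit = ...; }) ]`, or `// optionalAttrs (!cfg.runUsingSystemd) { ... }`, so both definitions survive. Separately, the retained `start_kdeinit` entry still has `setuid = true;` while the commit message says a capability wrapper would be the right fit for this case; a short comment on that block recording why setuid is kept would help the next reader, or switch it to a `capabilities` entry in the style of `kwin_wayland`.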