authorParnell Springmeyer <parnell@awakenetworks.com>2016-09-01 19:06:21 -0500
committerParnell Springmeyer <parnell@awakenetworks.com>2016-09-01 19:21:06 -0500
commit98c058a1ee338731d72d33f320da48c95fecd0e0 (patch)
treefe83f2050163abfe9a73ad36ac1368fbe283cd39
parent390ab0b3eff809052d5b9d9b5335413b36898481 (diff)
Adapting everything for the merged permissions wrappers work.
-rw-r--r--nixos/modules/config/shells-environment.nix2
-rw-r--r--nixos/modules/installer/tools/nixos-install.sh2
-rw-r--r--nixos/modules/programs/kbdlight.nix2
-rw-r--r--nixos/modules/programs/light.nix2
-rw-r--r--nixos/modules/programs/shadow.nix6
-rw-r--r--nixos/modules/programs/unity3d.nix25
-rw-r--r--nixos/modules/security/apparmor-suid.nix4
-rw-r--r--nixos/modules/security/duosec.nix2
-rw-r--r--nixos/modules/security/pam.nix45
-rw-r--r--nixos/modules/security/pam_usb.nix5
-rw-r--r--nixos/modules/security/permissions-wrappers/default.nix48
-rw-r--r--nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix6
-rw-r--r--nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix6
-rw-r--r--nixos/modules/security/polkit.nix18
-rw-r--r--nixos/modules/security/sudo.nix8
-rw-r--r--nixos/modules/services/logging/logcheck.nix4
-rw-r--r--nixos/modules/services/mail/dovecot.nix2
-rw-r--r--nixos/modules/services/mail/exim.nix6
-rw-r--r--nixos/modules/services/mail/mail.nix2
-rw-r--r--nixos/modules/services/monitoring/munin.nix4
-rw-r--r--nixos/modules/services/monitoring/smartd.nix2
-rw-r--r--nixos/modules/services/network-filesystems/samba.nix2
-rw-r--r--nixos/modules/services/networking/gale.nix2
-rw-r--r--nixos/modules/services/networking/prayer.nix2
-rw-r--r--nixos/modules/services/scheduling/atd.nix4
-rw-r--r--nixos/modules/services/scheduling/cron.nix6
-rw-r--r--nixos/modules/services/scheduling/fcron.nix4
-rw-r--r--nixos/modules/services/system/dbus.nix6
-rw-r--r--nixos/modules/services/x11/desktop-managers/enlightenment.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/kde4.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/kde5.nix2
-rw-r--r--nixos/modules/virtualisation/virtualbox-host.nix2
-rw-r--r--pkgs/applications/editors/sublime3/default.nix2
-rw-r--r--pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch2
-rw-r--r--pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch4
-rw-r--r--pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch2
-rw-r--r--pkgs/applications/virtualization/virtualbox/hardened.patch6
-rw-r--r--pkgs/build-support/build-fhs-userenv/env.nix2
-rw-r--r--pkgs/development/libraries/libgksu/default.nix4
-rw-r--r--pkgs/development/libraries/polkit/default.nix2
-rw-r--r--pkgs/development/tools/unity3d/default.nix2
-rw-r--r--pkgs/os-specific/linux/fuse/default.nix2
-rw-r--r--pkgs/os-specific/linux/mdadm/default.nix2
-rw-r--r--pkgs/os-specific/linux/pam/default.nix2
-rw-r--r--pkgs/os-specific/linux/util-linux/default.nix2
-rw-r--r--pkgs/servers/interlock/default.nix2
-rw-r--r--pkgs/servers/mail/petidomo/default.nix2
-rw-r--r--pkgs/servers/monitoring/nagios/plugins/official-2.x.nix4
-rw-r--r--pkgs/tools/X11/x11vnc/default.nix4
-rw-r--r--pkgs/tools/admin/certbot/default.nix2
-rw-r--r--pkgs/tools/misc/debian-devscripts/default.nix2
-rw-r--r--pkgs/tools/security/ecryptfs/default.nix2
-rw-r--r--pkgs/tools/security/sudo/default.nix2
-rw-r--r--pkgs/tools/system/at/default.nix2
-rw-r--r--pkgs/tools/system/ts/default.nix2
55 files changed, 162 insertions, 131 deletions
diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix
index f458bc39ada..54dd6f6570f 100644
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@@ -169,7 +169,7 @@ in
          ${cfg.extraInit}
 
          # The setuid wrappers override other bin directories.
-         export PATH="${config.security.wrapperDir}:$PATH"
+         export PATH="${config.security.permissionsWrapperDir}:$PATH"
 
          # ~/bin if it exists overrides other bin directories.
          export PATH="$HOME/bin:$PATH"
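Review bot: The comment two lines above the changed export, `# The setuid wrappers override other bin directories.`, is now stale: with this commit the same directory also receives the setcap wrappers (the setcap activation script in permissions-wrappers/default.nix copies into `${permissionsWrapperDir}/${program}`). Suggest `# The permissions wrappers (setuid and setcap) override other bin directories.` so a reader does not assume only setuid binaries live there.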
diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh
index f9412ed444e..27c03ff9792 100644
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -262,7 +262,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
 # Ask the user to set a root password.
 if [ -z "$noRootPasswd" ] && [ -x $mountPoint/var/setuid-wrappers/passwd ] && [ -t 0 ]; then
     echo "setting root password..."
-    chroot $mountPoint /var/setuid-wrappers/passwd
+    chroot $mountPoint /var/permissions-wrappers/passwd
 fi
 
 
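Review bot: The guard on the line above the changed chroot still tests `[ -x $mountPoint/var/setuid-wrappers/passwd ]`, so once the wrapper directory is renamed the condition is false and the root-password prompt is silently skipped on every install. The test must move with the call: `if [ -z "$noRootPasswd" ] && [ -x $mountPoint/var/permissions-wrappers/passwd ] && [ -t 0 ]; then`. Since the rest of this commit hardcodes the same path in several modules, it may be worth deriving it from `security.permissionsWrapperDir` here as well rather than spelling it out twice.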
diff --git a/nixos/modules/programs/kbdlight.nix b/nixos/modules/programs/kbdlight.nix
index c3ea6b5e973..30767a03291 100644
--- a/nixos/modules/programs/kbdlight.nix
+++ b/nixos/modules/programs/kbdlight.nix
@@ -15,7 +15,7 @@ in
     security.permissionsWrappers.setuid =
     [ { program = "kbdlight";
         source  = "${pkgs.kbdlight.out}/bin/kbdlight";
-        user    = "root";
+        owner   = "root";
         group   = "root";
         setuid  = true;        
     }];
diff --git a/nixos/modules/programs/light.nix b/nixos/modules/programs/light.nix
index d141eaf66f7..c89f8e93721 100644
--- a/nixos/modules/programs/light.nix
+++ b/nixos/modules/programs/light.nix
@@ -25,7 +25,7 @@ in
     security.permissionsWrappers.setuid =
     [ { program = "light";
         source  = "${pkgs.light.out}/bin/light";
-        user    = "root";
+        owner   = "root";
         group   = "root";
         setuid  = true;        
     }];
diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index 8ee324eaf63..f40faa1ca5f 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -102,18 +102,18 @@ in
         chgpasswd = { rootOK = true; };
       };
 
-    security.setuidPrograms = 
+    security.permissionsWrappers.setuid = 
     [
       { program = "su";
         source  = "${pkgs.shadow.su}/bin/su";
-        user    = "root";
+        owner   = "root";
         group   = "root";
         setuid  = true;        
       }
 
       { program = "chfn";
         source  = "${pkgs.shadow.out}/bin/chfn";
-        user    = "root";
+        owner   = "root";
         group   = "root";
         setuid  = true;
       }
diff --git a/nixos/modules/programs/unity3d.nix b/nixos/modules/programs/unity3d.nix
new file mode 100644
index 00000000000..47f1d1ef160
--- /dev/null
+++ b/nixos/modules/programs/unity3d.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let cfg = config.programs.unity3d;
+in {
+
+  options = {
+    programs.unity3d.enable = mkEnableOption "Unity3D, a game development tool";
+  };
+
+  config = mkIf cfg.enable {
+    security.permissionsWrappers.setuid = [{
+      program = "unity-chrome-sandbox";
+      source = "${pkgs.unity3d.sandbox}/bin/unity-chrome-sandbox";
+      owner = "root";
+      #group = "root";
+      setuid = true;
+      #setgid = true;
+    }];
+
+    environment.systemPackages = [ pkgs.unity3d ];
+  };
+
+}
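Review bot: The new setuid-root entry carries two commented-out attributes, `#group = "root";` and `#setgid = true;`, which leave the intended ownership of `unity-chrome-sandbox` unclear. With the `group ? "nogroup"` default visible in configureSetuidWrapper in this same commit the wrapper ends up root:nogroup with only the setuid bit set, which may be exactly what is wanted, but a future reader cannot tell whether the lines are an oversight or a decision. Either delete them or replace them with an explanation such as `# group/setgid deliberately left at the wrapper defaults; only setuid root is required by the sandbox`.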
diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix
index 4a6d61d2676..799f27b6708 100644
--- a/nixos/modules/security/apparmor-suid.nix
+++ b/nixos/modules/security/apparmor-suid.nix
@@ -19,7 +19,7 @@ with lib;
   config = mkIf (cfg.confineSUIDApplications) {
     security.apparmor.profiles = [ (pkgs.writeText "ping" ''
       #include <tunables/global>
-      /var/setuid-wrappers/ping {
+      /var/permissions-wrappers/ping {
         #include <abstractions/base>
         #include <abstractions/consoles>
         #include <abstractions/nameservice>
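Review bot: The profile path is written literally as `/var/permissions-wrappers/ping` although the commit introduces `security.permissionsWrapperDir` for exactly this, and shells-environment.nix and dbus.nix in the same commit already use `${config.security.permissionsWrapperDir}`. The same literal recurs in the second hunk of this file and in logcheck.nix, dovecot.nix, exim.nix, smartd.nix, samba.nix, prayer.nix, cron.nix, fcron.nix and munin.nix; the option is internal with this literal as its default, so it works today, but a later move of the directory would leave these profiles and mailer paths pointing at nothing. Assuming `config` is in scope here as in the other modules, this line should read `${config.security.permissionsWrapperDir}/ping {`.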
@@ -33,7 +33,7 @@ with lib;
         ${pkgs.attr.out}/lib/libattr.so* mr,
 
         ${pkgs.iputils}/bin/ping mixr,
-        /var/setuid-wrappers/ping.real r,
+        /var/permissions-wrappers/ping.real r,
 
         #/etc/modules.conf r,
 
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
index 202218c915c..b5e1417fc89 100644
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -198,7 +198,7 @@ in
      [
        { program = "login_duo";
          source  = "${pkgs.duo-unix.out}/bin/login_duo";
-         user    = "root";
+         owner   = "root";
          group   = "root";
          setuid  = true;
        }
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 4c6b54f0274..1c5e6862da6 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -444,34 +444,35 @@ in
 
     security.permissionsWrappers.setuid =
       [
-        (optionals config.security.pam.enableEcryptfs
-          { program = "mount.ecryptfs_private"
-            source  = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
-            user    = "root";
-            group   = "root";
-            setuid  = true;
-          })
+        { program = "unix_chkpwd";
+          source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
+          owner = "root";
+          group = "root";
+          setuid = true;
+        }
+
+
           
-        (optionals config.security.pam.enableEcryptfs
-          { program = "umount.ecryptfs_private";
-            source  = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
-            user    = "root";
-            group   = "root";
-            setuid  = true;
-          })
-      ]
+      ] ++ (optional config.security.pam.enableEcryptfs 
+        { program = "umount.ecryptfs_private";
+          source  = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
+          owner   = "root";
+          group   = "root";
+          setuid  = true;
+        }
+      ) ++ (optional config.security.pam.enableEcryptfs
+        { program = "mount.ecryptfs_private";
+          source  = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
+          owner   = "root";
+          group   = "root";
+          setuid  = true;
+        }
+      );
         
 
     environment.etc =
       mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
 
-    security.setuidOwners = [ {
-      program = "unix_chkpwd";
-      source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
-      owner = "root";
-      setuid = true;
-    } ];
-
     security.pam.services =
       { other.text =
           ''
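Review bot: Style: the two separate `++ (optional config.security.pam.enableEcryptfs { ... })` appends evaluate the same condition twice and can be a single `++ optionals config.security.pam.enableEcryptfs [ { ...mount... } { ...umount... } ]`. The three whitespace-only lines left between the `unix_chkpwd` entry and the closing `]`, and the trailing space after the first `enableEcryptfs`, should also go. Folding the former `security.setuidOwners` entry into this list is correct, but the blank line after the closing `);` would read better as the only separator before `environment.etc`.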
diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix
index 699cf6306e1..53a7921a244 100644
--- a/nixos/modules/security/pam_usb.nix
+++ b/nixos/modules/security/pam_usb.nix
@@ -37,20 +37,19 @@ in
       [
         { program = "pmount";
           source  = "${pkgs.pmount.out}/bin/pmount";
-          user    = "root";
+          owner   = "root";
           group   = "root";
           setuid  = true;
         }
 
         { program = "pumount";
           source  = "${pkgs.pmount.out}/bin/pumount";
-          user    = "root";
+          owner   = "root";
           group   = "root";
           setuid  = true;
         }
       ];
 
-setuidPrograms = [ "pmount" "pumount" ];
     environment.systemPackages = [ pkgs.pmount ];
 
   };
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix
index 5d4634daf78..6b0570faa40 100644
--- a/nixos/modules/security/permissions-wrappers/default.nix
+++ b/nixos/modules/security/permissions-wrappers/default.nix
@@ -3,10 +3,17 @@ let
 
   inherit (config.security) permissionsWrapperDir;
 
+  isNotNull = v: if v != null then true else false;
+
   cfg = config.security.permissionsWrappers;
 
-  setcapWrappers = import ./setcap-wrapper-drv.nix { };
-  setuidWrappers = import ./setuid-wrapper-drv.nix { };
+  setcapWrappers = import ./setcap-wrapper-drv.nix {
+    inherit config lib pkgs;
+  };
+
+  setuidWrappers = import ./setuid-wrapper-drv.nix {
+    inherit config lib pkgs;
+  };
 
   ###### Activation script for the setcap wrappers
   configureSetcapWrapper =
@@ -16,8 +23,7 @@ let
     , owner  ? "nobody"
     , group  ? "nogroup"
     , setcap ? false
-    }:
-    ''
+    }: ''
       cp ${setcapWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program}
 
       # Prevent races
@@ -43,22 +49,22 @@ let
     '';
 
   ###### Activation script for the setuid wrappers
-  makeSetuidWrapper =
+  configureSetuidWrapper =
     { program
     , source ? null
     , owner  ? "nobody"
+    # Legacy code I can't find :(
+    , user   ? null
     , group  ? "nogroup"
     , setuid ? false
     , setgid ? false
     , permissions ? "u+rx,g+x,o+x"
-    }:
-
-    ''
+    }: ''
       cp ${setuidWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program}
 
       # Prevent races
       chmod 0000 ${permissionsWrapperDir}/${program}
-      chown ${owner}.${group} ${permissionsWrapperDir}/${program}
+      chown ${if user != null then user else owner}.${group} ${permissionsWrapperDir}/${program}
 
       chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program}
     '';
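Review bot: The `user ? null` parameter quietly reintroduces the attribute this very commit renames to `owner` everywhere, and when a caller sets both, `user` wins over `owner` without any diagnostic, which is a surprising precedence for the field that decides who the setuid binary runs as. Because the pattern has no `...`, any remaining caller passing `user` would fail loudly at evaluation, which is the easiest way to find the "legacy code" the comment says it cannot locate; if the shim must stay, make it visible, e.g. `chown ${if user != null then builtins.trace "permissions-wrappers: ${program} still sets 'user', use 'owner'" user else owner}:${group} ${permissionsWrapperDir}/${program}`, and replace the comment with one that states the intent, such as `# 'user' is accepted only for backward compatibility and overrides 'owner'.` Note also that `owner.group` is the legacy GNU chown separator; `owner:group` is the portable form.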
@@ -68,12 +74,12 @@ in
   ###### interface
 
   options = {
-    security.permissionsWrappers.setcap = mkOption {
-      type    = types.listOf types.attrs;
+    security.permissionsWrappers.setcap = lib.mkOption {
+      type    = lib.types.listOf lib.types.attrs;
       default = [];
       example =
         [ { program = "ping";
-            source  = "${pkgs.iputils.out}/bin/ping"
+            source  = "${pkgs.iputils.out}/bin/ping";
             owner   = "nobody";
             group   = "nogroup";
             setcap  = true;
@@ -106,12 +112,12 @@ in
       '';
     };
 
-    security.permissionsWrappers.setuid = mkOption {
-      type = types.listOf types.attrs;
+    security.permissionsWrappers.setuid = lib.mkOption {
+      type = lib.types.listOf lib.types.attrs;
       default = [];
       example =
         [ { program = "sendmail";
-            source = "${pkgs.sendmail.bin}/bin/sendmail";
+            source = "/nix/store/.../bin/sendmail";
             owner = "nobody";
             group = "postdrop";
             setuid = false;
@@ -126,8 +132,8 @@ in
       '';
     };
 
-    security.permissionsWrapperDir = mkOption {
-      type        = types.path;
+    security.permissionsWrapperDir = lib.mkOption {
+      type        = lib.types.path;
       default     = "/var/permissions-wrappers";
       internal    = true;
       description = ''
@@ -152,7 +158,7 @@ in
 
     ###### setcap activation script
     system.activationScripts.setcap =
-      stringAfter [ "users" ]
+      lib.stringAfter [ "users" ]
         ''
           # Look in the system path and in the default profile for
           # programs to be wrapped.
@@ -168,12 +174,12 @@ in
           # Concatenate the generated shell slices to configure
           # wrappers for each program needing specialized capabilities.
 
-          ${concatMapStrings configureSetcapWrapper cfg.setcap}
+          ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)}
         '';
 
     ###### setuid activation script
     system.activationScripts.setuid =
-      stringAfter [ "users" ]
+      lib.stringAfter [ "users" ]
         ''
           # Look in the system path and in the default profile for
           # programs to be wrapped.
@@ -189,7 +195,7 @@ in
           # Concatenate the generated shell slices to configure
           # wrappers for each program needing specialized capabilities.
 
-          ${concatMapStrings configureSetuidWrapper cfg.setuid}
+          ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)}
         '';
 
   };
diff --git a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix
index f64c683f6e8..adae9009fbe 100644
--- a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix
+++ b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix
@@ -13,7 +13,7 @@ let
              source=/nix/var/nix/profiles/default/bin/${program}
          fi
 
-         gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.permissionsWrapperDir}\" \
+         gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
              -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper
        '';
 in
@@ -32,6 +32,6 @@ pkgs.stdenv.mkDerivation {
 
     # Concat together all of our shell splices to compile
     # binary wrapper programs for all configured setcap programs.
-    ${concatMapStrings mkSetcapWrapper cfg.setcap}
+    ${lib.concatMapStrings mkSetcapWrapper cfg.setcap}
   '';
-};
+}
diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
index 15dc1918b5c..e244364aa45 100644
--- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
+++ b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
@@ -13,7 +13,7 @@ let
              source=/nix/var/nix/profiles/default/bin/${program}
          fi
 
-         gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.permissionsWrapperDir}\" \
+         gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
              -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper
        '';
 in
@@ -31,6 +31,6 @@ pkgs.stdenv.mkDerivation {
 
     # Concat together all of our shell splices to compile
     # binary wrapper programs for all configured setcap programs.
-    ${concatMapStrings mkSetuidWrapper cfg.setuid}
+    ${lib.concatMapStrings mkSetuidWrapper cfg.setuid}
   '';
-};
+}
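Review bot: The comment immediately above the changed `${lib.concatMapStrings mkSetuidWrapper cfg.setuid}` still says `binary wrapper programs for all configured setcap programs.` in a file that builds the setuid wrappers; it was copied from setcap-wrapper-drv.nix. Suggest `# binary wrapper programs for all configured setuid programs.` so the two derivations are distinguishable when read side by side.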
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index db078667acf..098319d5ded 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -87,20 +87,18 @@ in
       [
         { program = "pkexec";
           source  = "${pkgs.polkit.out}/bin/pkexec";
-          user    = "root";
+          owner   = "root";
           group   = "root";
           setuid  = true;
         }
-      ];
 
-    security.setuidOwners = [
-      { program = "polkit-agent-helper-1";
-        owner = "root";
-        group = "root";
-        setuid = true;
-        source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
-      }
-    ];
+        { program = "polkit-agent-helper-1";
+          owner = "root";
+          group = "root";
+          setuid = true;
+          source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
+        }
+      ];
 
     system.activationScripts.polkit =
       ''
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 06dde14cd1c..8a8f1525df4 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -85,14 +85,14 @@ in
      [
        { program = "sudo";
          source  = "${pkgs.sudo.out}/bin/sudo";
-         user    = "root";
+         owner   = "root";
          group   = "root";
          setuid  = true;
        }
 
-       { program = "sudoedit"
-         source  = "${pkgs.sudo.out}/bin/sudo";
-         user    = "root";
+       { program = "sudoedit";
+         source  = "${pkgs.sudo.out}/bin/sudoedit";
+         owner   = "root";
          group   = "root";
          setuid  = true;
        }
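Review bot: Besides the `user` → `owner` rename, this hunk changes the `sudoedit` wrapper's source from `${pkgs.sudo.out}/bin/sudo` to `${pkgs.sudo.out}/bin/sudoedit` and fixes the missing `;` after `program = "sudoedit"`; neither is mentioned in the commit message "Adapting everything for the merged permissions wrappers work." A one-line mention would help whoever bisects a sudoedit regression, since the new source silently depends on the sudo output providing `bin/sudoedit`, which this diff does not show.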
diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix
index 3a85fa60fe7..755599ff621 100644
--- a/nixos/modules/services/logging/logcheck.nix
+++ b/nixos/modules/services/logging/logcheck.nix
@@ -29,8 +29,8 @@ let
     };
 
   cronJob = ''
-    @reboot   logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
-    2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
+    @reboot   logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
+    2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
   '';
 
   writeIgnoreRule = name: {level, regex, ...}:
diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
index f239dda564a..7848288850a 100644
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@@ -13,7 +13,7 @@ let
     ''
       base_dir = ${baseDir}
       protocols = ${concatStringsSep " " cfg.protocols}
-      sendmail_path = /var/setuid-wrappers/sendmail
+      sendmail_path = /var/permissions-wrappers/sendmail
     ''
 
     (if isNull cfg.sslServerCert then ''
diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix
index aad497cbc71..6dfb8fdef11 100644
--- a/nixos/modules/services/mail/exim.nix
+++ b/nixos/modules/services/mail/exim.nix
@@ -70,7 +70,7 @@ in
       etc."exim.conf".text = ''
         exim_user = ${cfg.user}
         exim_group = ${cfg.group}
-        exim_path = /var/setuid-wrappers/exim
+        exim_path = /var/permissions-wrappers/exim
         spool_directory = ${cfg.spoolDir}
         ${cfg.config}
       '';
@@ -93,11 +93,11 @@ in
     [
       { program = "exim";
         source  = "${pkgs.exim.out}/bin/exim";
-        user    = "root";
+        owner   = "root";
         group   = "root";
         setuid  = true;
       }
-    ]
+    ];
 
     systemd.services.exim = {
       description = "Exim Mail Daemon";
diff --git a/nixos/modules/services/mail/mail.nix b/nixos/modules/services/mail/mail.nix
index 63e8d78b5b0..e8b16349f1a 100644
--- a/nixos/modules/services/mail/mail.nix
+++ b/nixos/modules/services/mail/mail.nix
@@ -26,7 +26,7 @@ with lib;
 
   config = mkIf (config.services.mail.sendmailSetuidWrapper != null) {
 
-    security.setuidOwners = [ config.services.mail.sendmailSetuidWrapper ];
+    security.permissionsWrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ];
 
   };
 
diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix
index aaa041ad4cd..08ba161d38b 100644
--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@@ -34,7 +34,7 @@ let
         cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file)
 
         wrapProgram $file \
-          --set PATH "/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
+          --set PATH "/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
           --set MUNIN_LIBDIR "${pkgs.munin}/lib" \
           --set MUNIN_PLUGSTATE "/var/run/munin"
 
@@ -182,7 +182,7 @@ in
 
         mkdir -p /etc/munin/plugins
         rm -rf /etc/munin/plugins/*
-        PATH="/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
+        PATH="/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
       '';
       serviceConfig = {
         ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";
diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix
index 1017005226b..b67519b3424 100644
--- a/nixos/modules/services/monitoring/smartd.nix
+++ b/nixos/modules/services/monitoring/smartd.nix
@@ -124,7 +124,7 @@ in
           };
 
           mailer = mkOption {
-            default = "/var/setuid-wrappers/sendmail";
+            default = "/var/permissions-wrappers/sendmail";
             type = types.path;
             description = ''
               Sendmail-compatible binary to be used to send the messages.
diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix
index a186982ec9c..91f1a333be7 100644
--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@@ -30,7 +30,7 @@ let
     ''
       [ global ]
       security = ${cfg.securityType}
-      passwd program = /var/setuid-wrappers/passwd %u
+      passwd program = /var/permissions-wrappers/passwd %u
       pam password change = ${smbToString cfg.syncPasswordsByPam}
       invalid users = ${smbToString cfg.invalidUsers}
 
diff --git a/nixos/modules/services/networking/gale.nix b/nixos/modules/services/networking/gale.nix
index bc975159cdf..bc9b884f11b 100644
--- a/nixos/modules/services/networking/gale.nix
+++ b/nixos/modules/services/networking/gale.nix
@@ -141,7 +141,7 @@ in
          setgid = false;
        };
 
-       security.setuidOwners = [ cfg.setuidWrapper ];
+       security.permissionsWrappers.setuid = [ cfg.setuidWrapper ];
 
        systemd.services.gale-galed = {
          description = "Gale messaging daemon";
diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix
index cb8fe6bf4fe..4e1d66bc110 100644
--- a/nixos/modules/services/networking/prayer.nix
+++ b/nixos/modules/services/networking/prayer.nix
@@ -18,7 +18,7 @@ let
     var_prefix = "${stateDir}"
     prayer_user = "${prayerUser}"
     prayer_group = "${prayerGroup}"
-    sendmail_path = "/var/setuid-wrappers/sendmail"
+    sendmail_path = "/var/permissions-wrappers/sendmail"
 
     use_http_port ${cfg.port}
 
diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix
index 2070b2ffa01..9c4f8d59faa 100644
--- a/nixos/modules/services/scheduling/atd.nix
+++ b/nixos/modules/services/scheduling/atd.nix
@@ -42,8 +42,10 @@ in
 
   config = mkIf cfg.enable {
 
-    security.setuidOwners = map (program: {
+    security.permissionsWrappers.setuid = map (program: {
       inherit program;
+
+      source = "${pkgs.atd}/bin/${program}";
       owner = "atd";
       group = "atd";
       setuid = true;
diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix
index 541fbb7ee64..e33961658f0 100644
--- a/nixos/modules/services/scheduling/cron.nix
+++ b/nixos/modules/services/scheduling/cron.nix
@@ -20,7 +20,7 @@ let
   cronNixosPkg = pkgs.cron.override {
     # The mail.nix nixos module, if there is any local mail system enabled,
     # should have sendmail in this path.
-    sendmailPath = "/var/setuid-wrappers/sendmail";
+    sendmailPath = "/var/permissions-wrappers/sendmail";
   };
 
   allFiles =
@@ -61,7 +61,7 @@ in
           A list of Cron jobs to be appended to the system-wide
           crontab.  See the manual page for crontab for the expected
           format. If you want to get the results mailed you must setuid
-          sendmail. See <option>security.setuidOwners</option>
+          sendmail. See <option>security.permissionsWrappers.setuid</option>
 
           If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root
           will is allowed to have its own crontab file. The /var/cron/cron.deny file
@@ -99,7 +99,7 @@ in
       [
         { program = "crontab";
           source  = "${pkgs.cronNixosPkg.out}/bin/crontab";
-          user    = "root";
+          owner   = "root";
           group   = "root";
           setuid  = true;        
         }
diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix
index 6e8465ab08f..5804f0ee72f 100644
--- a/nixos/modules/services/scheduling/fcron.nix
+++ b/nixos/modules/services/scheduling/fcron.nix
@@ -96,7 +96,7 @@ in
             fcronallow  =       /etc/fcron.allow
             fcrondeny   =       /etc/fcron.deny
             shell       =       /bin/sh
-            sendmail    =       /var/setuid-wrappers/sendmail
+            sendmail    =       /var/permissions-wrappers/sendmail
             editor      =       /run/current-system/sw/bin/vi
           '';
           target = "fcron.conf";
@@ -110,7 +110,7 @@ in
     [
       { program = "fcrontab";
         source  = "${pkgs.fcron.out}/bin/fcrontab";
-        user    = "root";
+        owner   = "root";
         group   = "root";
         setuid  = true;        
       }
diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix
index 8bcd6f01656..df93fcd2bdb 100644
--- a/nixos/modules/services/system/dbus.nix
+++ b/nixos/modules/services/system/dbus.nix
@@ -30,7 +30,7 @@ let
       mkdir -p $out
 
       sed '${./dbus-system-local.conf.in}' \
-        -e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \
+        -e 's,@servicehelper@,${config.security.permissionsWrapperDir}/dbus-daemon-launch-helper,g' \
         -e 's,@extra@,${systemExtraxml},' \
         > "$out/system-local.conf"
 
@@ -102,9 +102,9 @@ in
 
     systemd.packages = [ pkgs.dbus.daemon ];
 
-    security.setuidOwners = singleton
+    security.permissionsWrappers.setuid = singleton
       { program = "dbus-daemon-launch-helper";
-        source = "${pkgs.dbus_daemon.out}/libexec/dbus-daemon-launch-helper";
+        source = "${pkgs.dbus_daemon}/libexec/dbus-daemon-launch-helper";
         owner = "root";
         group = "messagebus";
         setuid = true;
diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
index b55950c6373..90803ede9d9 100644
--- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@@ -66,7 +66,7 @@ in
     [
       { program = "e_freqset";
         source  = "${e.enlightenment.out}/bin/e_freqset";
-        user    = "root";
+        owner   = "root";
         group   = "root";
         setuid  = true;        
       }
diff --git a/nixos/modules/services/x11/desktop-managers/kde4.nix b/nixos/modules/services/x11/desktop-managers/kde4.nix
index 1927341e45d..88b3c3a1016 100644
--- a/nixos/modules/services/x11/desktop-managers/kde4.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde4.nix
@@ -119,7 +119,7 @@ in
           '';
       };
 
-    security.setuidOwners = singleton
+    security.permissionsWrappers.setuid = singleton
       { program = "kcheckpass";
         source = "${kde_workspace}/lib/kde4/libexec/kcheckpass";
         owner = "root";
diff --git a/nixos/modules/services/x11/desktop-managers/kde5.nix b/nixos/modules/services/x11/desktop-managers/kde5.nix
index bc010d1ce1c..7856ff03f16 100644
--- a/nixos/modules/services/x11/desktop-managers/kde5.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde5.nix
@@ -47,7 +47,7 @@ in
       '';
     };
 
-    security.setuidOwners = [
+    security.permissionsWrappers.setuid = [
       {
         program = "kcheckpass";
         source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass";
diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix
index ce4abecd676..ee8569d3c0c 100644
--- a/nixos/modules/virtualisation/virtualbox-host.nix
+++ b/nixos/modules/virtualisation/virtualbox-host.nix
@@ -63,7 +63,7 @@ in
     boot.extraModulePackages = [ virtualbox ];
     environment.systemPackages = [ virtualbox ];
 
-    security.setuidOwners = let
+    security.permissionsWrappers.setuid = let
       mkSuid = program: {
         inherit program;
         source = "${virtualbox}/libexec/virtualbox/${program}";
diff --git a/pkgs/applications/editors/sublime3/default.nix b/pkgs/applications/editors/sublime3/default.nix
index 4eb428f37d8..9e7b52e40d4 100644
--- a/pkgs/applications/editors/sublime3/default.nix
+++ b/pkgs/applications/editors/sublime3/default.nix
@@ -1,5 +1,5 @@
 { fetchurl, stdenv, glib, xorg, cairo, gtk, pango, makeWrapper, openssl, bzip2,
-  pkexecPath ? "/var/setuid-wrappers/pkexec", libredirect,
+  pkexecPath ? "/var/permissions-wrappers/pkexec", libredirect,
   gksuSupport ? false, gksu}:
 
 assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux";
diff --git a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch
index f9c3e3c5592..9a83fc09e4e 100644
--- a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch
+++ b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch
@@ -26,7 +26,7 @@ index 50e8ad8..eec0ed2 100644
 +	is_nixos=no
 +fi
 +
-+if [ -u /var/setuid-wrappers/gksign ]; then
++if [ -u /var/permissions-wrappers/gksign ]; then
 +	cat <<EOM
 +
 +Gale appears to have already been set up via the NixOS module system (check
diff --git a/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch b/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch
index 35b54c79e8f..3d38cf3b604 100644
--- a/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch
+++ b/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch
@@ -4,7 +4,7 @@ Date: Thu, 26 Nov 2015 21:03:35 +0100
 Subject: [PATCH] Lookup dumpcap in PATH
 
 NixOS patch: Look for dumpcap in PATH first, because there may be a
-dumpcap setuid-wrapper that we want to use instead of the default
+dumpcap permissions-wrapper that we want to use instead of the default
 non-setuid dumpcap binary.
 
 Also change execv() to execvp() because we've set argv[0] to "dumpcap"
@@ -27,7 +27,7 @@ index 970688e..49914d5 100644
 -    exename = g_strdup_printf("%s/dumpcap", progfile_dir);
 +    /*
 +     * NixOS patch: Look for dumpcap in PATH first, because there may be a
-+     * dumpcap setuid-wrapper that we want to use instead of the default
++     * dumpcap permissions-wrapper that we want to use instead of the default
 +     * non-setuid dumpcap binary.
 +     */
 +    if (system("command -v dumpcap >/dev/null") == 0) {
diff --git a/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch b/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
index a8a0542a882..fb5b9e1d39d 100644
--- a/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
+++ b/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
@@ -11,7 +11,7 @@ index a9d8ac4..85f13f5 100644
 -  # #   arguments: '-i -t'
 -  # # }
 +  config.action_mailer.sendmail_settings = {
-+    location: '/var/setuid-wrappers/sendmail',
++    location: '/var/permissions-wrappers/sendmail',
 +    arguments: '-i -t'
 +  }
    config.action_mailer.perform_deliveries = true
diff --git a/pkgs/applications/virtualization/virtualbox/hardened.patch b/pkgs/applications/virtualization/virtualbox/hardened.patch
index 37d2ad3a515..cae4abe8612 100644
--- a/pkgs/applications/virtualization/virtualbox/hardened.patch
+++ b/pkgs/applications/virtualization/virtualbox/hardened.patch
@@ -96,7 +96,7 @@ index 95dc9a7..39170bc 100644
      /* get the path to the executable */
      char szPath[RTPATH_MAX];
 -    RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);
-+    RTStrCopy(szPath, sizeof(szPath) - 1, "/var/setuid-wrappers");
++    RTStrCopy(szPath, sizeof(szPath) - 1, "/var/permissions-wrappers");
      size_t cchBufLeft = strlen(szPath);
      szPath[cchBufLeft++] = RTPATH_DELIMITER;
      szPath[cchBufLeft] = 0;
@@ -154,7 +154,7 @@ index be2ad8f..7ddf105 100644
  
 +RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath)
 +{
-+    return RTStrCopy(pszPath, cchPath, "/var/setuid-wrappers");
++    return RTStrCopy(pszPath, cchPath, "/var/permissions-wrappers");
 +}
 +
 +
@@ -174,7 +174,7 @@ index 7bde6af..2656cae 100644
 + * will cut off everything after the rightmost / as this function is analogous
 + * to RTProcGetExecutablePath().
 + */
-+#define SUIDDIR "/var/setuid-wrappers/"
++#define SUIDDIR "/var/permissions-wrappers/"
 +
 +RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath)
 +{
diff --git a/pkgs/build-support/build-fhs-userenv/env.nix b/pkgs/build-support/build-fhs-userenv/env.nix
index 1dc71987f54..f69338cb16c 100644
--- a/pkgs/build-support/build-fhs-userenv/env.nix
+++ b/pkgs/build-support/build-fhs-userenv/env.nix
@@ -51,7 +51,7 @@ let
     export PS1='${name}-chrootenv:\u@\h:\w\$ '
     export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
     export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'
-    export PATH='/var/setuid-wrappers:/usr/bin:/usr/sbin'
+    export PATH='/var/permissions-wrappers:/usr/bin:/usr/sbin'
     export PKG_CONFIG_PATH=/usr/lib/pkgconfig
 
     # Force compilers to look in default search paths
diff --git a/pkgs/development/libraries/libgksu/default.nix b/pkgs/development/libraries/libgksu/default.nix
index b86eba685bb..4cedd6f8e8f 100644
--- a/pkgs/development/libraries/libgksu/default.nix
+++ b/pkgs/development/libraries/libgksu/default.nix
@@ -57,8 +57,8 @@ stdenv.mkDerivation rec {
 
     # Fix some binary paths
     sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c
-    sed -i -e 's|/usr/bin/sudo|/var/setuid-wrappers/sudo|g' libgksu/libgksu.c
-    sed -i -e 's|/bin/su\([^d]\)|/var/setuid-wrappers/su\1|g' libgksu/libgksu.c
+    sed -i -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|g' libgksu/libgksu.c
+    sed -i -e 's|/bin/su\([^d]\)|/var/permissions-wrappers/su\1|g' libgksu/libgksu.c
 
     touch NEWS README
   '';
diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix
index ab1943b8590..f33ee3917f1 100644
--- a/pkgs/development/libraries/polkit/default.nix
+++ b/pkgs/development/libraries/polkit/default.nix
@@ -5,7 +5,7 @@
 let
 
   system = "/var/run/current-system/sw";
-  setuid = "/var/setuid-wrappers"; #TODO: from <nixos> config.security.wrapperDir;
+  setuid = "/var/permissions-wrappers"; #TODO: from <nixos> config.security.wrapperDir;
 
   foolVars = {
     SYSCONF = "/etc";
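Review bot: The wrapper directory remains a hard-coded let binding here (`setuid = "/var/permissions-wrappers";`) with a TODO to take it from the NixOS config, and the same pattern recurs in pkgs/tools/security/ecryptfs/default.nix (`wrapperDir = "/var/permissions-wrappers";`). The other packages in this commit expose the path as an overridable function argument with the same default (`sendmailPath ? "/var/permissions-wrappers/sendmail"`, `pkexecPath ? "/var/permissions-wrappers/pkexec"`), which is what lets the module side keep the value in one place. Adding `, wrapperDir ? "/var/permissions-wrappers"` to the argument set of these two packages and using it in place of the literal would resolve the TODO and turn the next rename of this directory into a single override rather than the many per-package edits this commit needed. The argument line of polkit/default.nix is outside the hunk.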
diff --git a/pkgs/development/tools/unity3d/default.nix b/pkgs/development/tools/unity3d/default.nix
index 0a72e6bb91e..287422282cb 100644
--- a/pkgs/development/tools/unity3d/default.nix
+++ b/pkgs/development/tools/unity3d/default.nix
@@ -94,7 +94,7 @@ in stdenv.mkDerivation rec {
     unitydir="$out/opt/Unity/Editor"
     mkdir -p $unitydir
     mv Editor/* $unitydir
-    ln -sf /var/setuid-wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
+    ln -sf /var/permissions-wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
 
     mkdir -p $out/share/applications
     sed "/^Exec=/c\Exec=$out/bin/unity-editor" \
diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix
index d86eb2a9756..9f63ae4f35a 100644
--- a/pkgs/os-specific/linux/fuse/default.nix
+++ b/pkgs/os-specific/linux/fuse/default.nix
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
       # Ensure that FUSE calls the setuid wrapper, not
       # $out/bin/fusermount. It falls back to calling fusermount in
       # $PATH, so it should also work on non-NixOS systems.
-      export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/var/setuid-wrappers\""
+      export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/var/permissions-wrappers\""
 
       sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c
     '';
diff --git a/pkgs/os-specific/linux/mdadm/default.nix b/pkgs/os-specific/linux/mdadm/default.nix
index 3fa7e2ba8d1..531d55a7f12 100644
--- a/pkgs/os-specific/linux/mdadm/default.nix
+++ b/pkgs/os-specific/linux/mdadm/default.nix
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
   preConfigure = ''
     sed -e 's@/lib/udev@''${out}/lib/udev@' \
         -e 's@ -Werror @ @' \
-        -e 's@/usr/sbin/sendmail@/var/setuid-wrappers/sendmail@' -i Makefile
+        -e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile
   '';
 
   meta = {
diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix
index d84c6224eeb..196af58183f 100644
--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
 
   postInstall = ''
     mv -v $out/sbin/unix_chkpwd{,.orig}
-    ln -sv /var/setuid-wrappers/unix_chkpwd $out/sbin/unix_chkpwd
+    ln -sv /var/permissions-wrappers/unix_chkpwd $out/sbin/unix_chkpwd
   ''; /*
     rm -rf $out/etc
     mkdir -p $modules/lib
diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix
index 4d4a22fc720..11444c57f9a 100644
--- a/pkgs/os-specific/linux/util-linux/default.nix
+++ b/pkgs/os-specific/linux/util-linux/default.nix
@@ -43,7 +43,7 @@ stdenv.mkDerivation rec {
     --enable-last
     --enable-mesg
     --disable-use-tty-group
-    --enable-fs-paths-default=/var/setuid-wrappers:/var/run/current-system/sw/bin:/sbin
+    --enable-fs-paths-default=/var/permissions-wrappers:/var/run/current-system/sw/bin:/sbin
     ${if ncurses == null then "--without-ncurses" else ""}
     ${if systemd == null then "" else ''
       --with-systemd
diff --git a/pkgs/servers/interlock/default.nix b/pkgs/servers/interlock/default.nix
index 5842495e323..d3c143617dd 100644
--- a/pkgs/servers/interlock/default.nix
+++ b/pkgs/servers/interlock/default.nix
@@ -30,7 +30,7 @@ buildGoPackage rec {
       -e 's|/bin/chown|${coreutils}/bin/chown|' \
       -e 's|/bin/date|${coreutils}/bin/date|' \
       -e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \
-      -e 's|/usr/bin/sudo|/var/setuid-wrappers/sudo|' \
+      -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|' \
       -e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|'
   '';
 }
diff --git a/pkgs/servers/mail/petidomo/default.nix b/pkgs/servers/mail/petidomo/default.nix
index 3ecb00b64fc..c112af567fd 100644
--- a/pkgs/servers/mail/petidomo/default.nix
+++ b/pkgs/servers/mail/petidomo/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, flex, bison, sendmailPath ? "/var/setuid-wrappers/sendmail" }:
+{ stdenv, fetchurl, flex, bison, sendmailPath ? "/var/permissions-wrappers/sendmail" }:
 
 stdenv.mkDerivation rec {
   name = "petidomo-4.3";
diff --git a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix
index 79180f17241..695211a177d 100644
--- a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix
+++ b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix
@@ -16,8 +16,8 @@ stdenv.mkDerivation rec {
   # configured on the build machine).
   preConfigure= "
     configureFlagsArray=(
-      --with-ping-command='/var/setuid-wrappers/ping -n -U -w %d -c %d %s'
-      --with-ping6-command='/var/setuid-wrappers/ping6 -n -U -w %d -c %d %s'
+      --with-ping-command='/var/permissions-wrappers/ping -n -U -w %d -c %d %s'
+      --with-ping6-command='/var/permissions-wrappers/ping6 -n -U -w %d -c %d %s'
     )
   ";
 
diff --git a/pkgs/tools/X11/x11vnc/default.nix b/pkgs/tools/X11/x11vnc/default.nix
index a8c249116c0..5f96a35af6f 100644
--- a/pkgs/tools/X11/x11vnc/default.nix
+++ b/pkgs/tools/X11/x11vnc/default.nix
@@ -20,10 +20,10 @@ stdenv.mkDerivation rec {
     configureFlags="--mandir=$out/share/man"
 
     substituteInPlace x11vnc/unixpw.c \
-        --replace '"/bin/su"' '"/var/setuid-wrappers/su"' \
+        --replace '"/bin/su"' '"/var/permissions-wrappers/su"' \
         --replace '"/bin/true"' '"${coreutils}/bin/true"'
 
-    sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/var/setuid-wrappers/su|g' x11vnc/ssltools.h
+    sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/var/permissions-wrappers/su|g' x11vnc/ssltools.h
   '';
 
   meta = {
diff --git a/pkgs/tools/admin/certbot/default.nix b/pkgs/tools/admin/certbot/default.nix
index 80805666a3a..518c3763994 100644
--- a/pkgs/tools/admin/certbot/default.nix
+++ b/pkgs/tools/admin/certbot/default.nix
@@ -29,7 +29,7 @@ pythonPackages.buildPythonApplication rec {
   buildInputs = [ dialog ] ++ (with pythonPackages; [ nose mock gnureadline ]);
 
   patchPhase = ''
-    substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/var/setuid-wrappers/sendmail"
+    substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/var/permissions-wrappers/sendmail"
     substituteInPlace certbot/le_util.py --replace "sw_vers" "/usr/bin/sw_vers"
   '';
 
diff --git a/pkgs/tools/misc/debian-devscripts/default.nix b/pkgs/tools/misc/debian-devscripts/default.nix
index ece9c5ed382..15108852fbc 100644
--- a/pkgs/tools/misc/debian-devscripts/default.nix
+++ b/pkgs/tools/misc/debian-devscripts/default.nix
@@ -2,7 +2,7 @@
 , FileDesktopEntry, libxslt, docbook_xsl, makeWrapper
 , python3Packages
 , perlPackages, curl, gnupg, diffutils
-, sendmailPath ? "/var/setuid-wrappers/sendmail"
+, sendmailPath ? "/var/permissions-wrappers/sendmail"
 }:
 
 let
diff --git a/pkgs/tools/security/ecryptfs/default.nix b/pkgs/tools/security/ecryptfs/default.nix
index 582b5ceae11..a477b22f191 100644
--- a/pkgs/tools/security/ecryptfs/default.nix
+++ b/pkgs/tools/security/ecryptfs/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
   };
 
   # TODO: replace wrapperDir below with from <nixos> config.security.wrapperDir;
-  wrapperDir = "/var/setuid-wrappers";
+  wrapperDir = "/var/permissions-wrappers";
 
   postPatch = ''
     FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)"
diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix
index e2c69377df5..b0b19d750eb 100644
--- a/pkgs/tools/security/sudo/default.nix
+++ b/pkgs/tools/security/sudo/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, coreutils, pam, groff
-, sendmailPath ? "/var/setuid-wrappers/sendmail"
+, sendmailPath ? "/var/permissions-wrappers/sendmail"
 , withInsults ? false
 }:
 
diff --git a/pkgs/tools/system/at/default.nix b/pkgs/tools/system/at/default.nix
index 9991adf4013..2fb5b9670c8 100644
--- a/pkgs/tools/system/at/default.nix
+++ b/pkgs/tools/system/at/default.nix
@@ -1,4 +1,4 @@
-{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/var/setuid-wrappers/sendmail" }:
+{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/var/permissions-wrappers/sendmail" }:
 
 stdenv.mkDerivation {
   name = "at-3.1.16";
diff --git a/pkgs/tools/system/ts/default.nix b/pkgs/tools/system/ts/default.nix
index cad1230ac87..1384ea04fb6 100644
--- a/pkgs/tools/system/ts/default.nix
+++ b/pkgs/tools/system/ts/default.nix
@@ -1,5 +1,5 @@
 {stdenv, fetchurl,
-sendmailPath ? "/var/setuid-wrappers/sendmail" }:
+sendmailPath ? "/var/permissions-wrappers/sendmail" }:
 
 stdenv.mkDerivation rec {