Diffstat (limited to 'nixos/modules/security/permissions-wrappers/default.nix')
-rw-r--r--nixos/modules/security/permissions-wrappers/default.nix48
1 files changed, 27 insertions, 21 deletions
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix
index 5d4634daf78..6b0570faa40 100644
--- a/nixos/modules/security/permissions-wrappers/default.nix
+++ b/nixos/modules/security/permissions-wrappers/default.nix
@@ -3,10 +3,17 @@ let
 
   inherit (config.security) permissionsWrapperDir;
 
+  isNotNull = v: if v != null then true else false;
+
   cfg = config.security.permissionsWrappers;
 
-  setcapWrappers = import ./setcap-wrapper-drv.nix { };
-  setuidWrappers = import ./setuid-wrapper-drv.nix { };
+  setcapWrappers = import ./setcap-wrapper-drv.nix {
+    inherit config lib pkgs;
+  };
+
+  setuidWrappers = import ./setuid-wrapper-drv.nix {
+    inherit config lib pkgs;
+  };
 
   ###### Activation script for the setcap wrappers
   configureSetcapWrapper =
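Review bot: The new helper `isNotNull = v: if v != null then true else false;` wraps a boolean comparison in a redundant conditional; `isNotNull = v: v != null;` is the idiomatic form and reads the same. Since both options it is applied to are typed `lib.types.listOf lib.types.attrs`, a `null` element would presumably be rejected by the module system's type check before the activation script is evaluated, so it is worth confirming that the `builtins.filter isNotNull` calls in the two activation-script hunks (`@@ -168,12` and `@@ -189,7`) ever remove anything; if they do not, the helper and both filters can go. The `let` block this hunk belongs to continues outside the hunk.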
@@ -16,8 +23,7 @@ let
     , owner  ? "nobody"
     , group  ? "nogroup"
     , setcap ? false
-    }:
-    ''
+    }: ''
       cp ${setcapWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program}
 
       # Prevent races
@@ -43,22 +49,22 @@ let
     '';
 
   ###### Activation script for the setuid wrappers
-  makeSetuidWrapper =
+  configureSetuidWrapper =
     { program
     , source ? null
     , owner  ? "nobody"
+    # Legacy code I can't find :(
+    , user   ? null
     , group  ? "nogroup"
     , setuid ? false
     , setgid ? false
     , permissions ? "u+rx,g+x,o+x"
-    }:
-
-    ''
+    }: ''
       cp ${setuidWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program}
 
       # Prevent races
       chmod 0000 ${permissionsWrapperDir}/${program}
-      chown ${owner}.${group} ${permissionsWrapperDir}/${program}
+      chown ${if user != null then user else owner}.${group} ${permissionsWrapperDir}/${program}
 
       chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program}
     '';
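Review bot: The new `chown` line uses the dot separator `${if user != null then user else owner}.${group}`, which GNU chown accepts only for backwards compatibility and which is ambiguous when a user name itself contains a dot; `chown ${if user != null then user else owner}:${group} ${permissionsWrapperDir}/${program}` is the unambiguous form. The added `user ? null` argument silently takes precedence over `owner` when both are given, and the comment `# Legacy code I can't find :(` does not tell a maintainer that; a comment such as `# Deprecated alias for owner; when set it overrides owner` documents the actual behaviour. Because this slice is the one that applies the setuid/setgid bits two lines later, the ownership chosen here decides which uid the wrapped program runs as, so the precedence rule should be explicit.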
@@ -68,12 +74,12 @@ in
   ###### interface
 
   options = {
-    security.permissionsWrappers.setcap = mkOption {
-      type    = types.listOf types.attrs;
+    security.permissionsWrappers.setcap = lib.mkOption {
+      type    = lib.types.listOf lib.types.attrs;
       default = [];
       example =
         [ { program = "ping";
-            source  = "${pkgs.iputils.out}/bin/ping"
+            source  = "${pkgs.iputils.out}/bin/ping";
             owner   = "nobody";
             group   = "nogroup";
             setcap  = true;
@@ -106,12 +112,12 @@ in
       '';
     };
 
-    security.permissionsWrappers.setuid = mkOption {
-      type = types.listOf types.attrs;
+    security.permissionsWrappers.setuid = lib.mkOption {
+      type = lib.types.listOf lib.types.attrs;
       default = [];
       example =
         [ { program = "sendmail";
-            source = "${pkgs.sendmail.bin}/bin/sendmail";
+            source = "/nix/store/.../bin/sendmail";
             owner = "nobody";
             group = "postdrop";
             setuid = false;
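Review bot: The example `source = "/nix/store/.../bin/sendmail";` is not a path that can exist, so a user copying the option documentation verbatim ends up with a wrapper pointing at a missing file. Either build the example from a package the way the `setcap` example above does with `${pkgs.iputils.out}/bin/ping`, or use an obvious placeholder such as `"/path/to/sendmail"` with a comment saying it must be replaced. The option declaration continues outside the hunk.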
@@ -126,8 +132,8 @@ in
       '';
     };
 
-    security.permissionsWrapperDir = mkOption {
-      type        = types.path;
+    security.permissionsWrapperDir = lib.mkOption {
+      type        = lib.types.path;
       default     = "/var/permissions-wrappers";
       internal    = true;
       description = ''
@@ -152,7 +158,7 @@ in
 
     ###### setcap activation script
     system.activationScripts.setcap =
-      stringAfter [ "users" ]
+      lib.stringAfter [ "users" ]
         ''
           # Look in the system path and in the default profile for
           # programs to be wrapped.
@@ -168,12 +174,12 @@ in
           # Concatenate the generated shell slices to configure
           # wrappers for each program needing specialized capabilities.
 
-          ${concatMapStrings configureSetcapWrapper cfg.setcap}
+          ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)}
         '';
 
     ###### setuid activation script
     system.activationScripts.setuid =
-      stringAfter [ "users" ]
+      lib.stringAfter [ "users" ]
         ''
           # Look in the system path and in the default profile for
           # programs to be wrapped.
@@ -189,7 +195,7 @@ in
           # Concatenate the generated shell slices to configure
           # wrappers for each program needing specialized capabilities.
 
-          ${concatMapStrings configureSetuidWrapper cfg.setuid}
+          ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)}
         '';
 
   };