From 42c677174442694e5ac3c289362afa9646ba71a9 Mon Sep 17 00:00:00 2001
From: Romanos Skiadas
Date: Mon, 19 Jul 2021 13:01:45 +0300
Subject: nixos/openrazer: Change plugdev group to openrazer

For security reasons, and generally, it is best to create a more fine grained group than plugdev. This way users that wish to tweak razer devices don't have access to the entire plugdev group's permissions. This is of course a breaking change.
---
 nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | 14 ++++++++++++++
 nixos/doc/manual/release-notes/rl-2111.section.md | 2 ++
 nixos/modules/hardware/openrazer.nix | 14 +++++++++-----
 pkgs/development/python-modules/openrazer/daemon.nix | 4 ++++
 pkgs/os-specific/linux/openrazer/driver.nix | 6 ++++--
 5 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index f241bff0760..5dc0f1b15b3 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -646,6 +646,20 @@
 to use wildcards in the source argument.
+
+
+ The openrazer and
+ openrazer-daemon packages as well as the
+ hardware.openrazer module now require users
+ to be members of the openrazer group
+ instead of plugdev. With this change, users
+ no longer need be granted the entire set of
+ plugdev group permissions, which can
+ include permissions other than those required by
+ openrazer. This can be desirable from a
+ security point of view.
+
+
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index 13cb08e2c9a..be83ab2d6a4 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -164,6 +164,8 @@ pt-services.clipcat.enable).
 - `programs.neovim.runtime` switched to a `linkFarm` internally, making it impossible to use wildcards in the `source` argument.
+- The `openrazer` and `openrazer-daemon` packages as well as the `hardware.openrazer` module now require users to be members of the `openrazer` group instead of `plugdev`. With this change, users no longer need be granted the entire set of `plugdev` group permissions, which can include permissions other than those required by `openrazer`. This can be desirable from a security point of view.
+
 ## Other Notable Changes {#sec-release-21.11-notable-changes}
 - The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.
diff --git a/nixos/modules/hardware/openrazer.nix b/nixos/modules/hardware/openrazer.nix
index b5c3d674414..b4c1ddd1b33 100644
--- a/nixos/modules/hardware/openrazer.nix
+++ b/nixos/modules/hardware/openrazer.nix
@@ -49,7 +49,11 @@ in
 {
 options = {
 hardware.openrazer = {
- enable = mkEnableOption "OpenRazer drivers and userspace daemon";
+ enable = mkEnableOption ''
+ OpenRazer drivers and userspace daemon.
+ Any users that wish to make use of the daemon need to be
+ members of the "openrazer" group.
+ '';
 verboseLogging = mkOption {
 type = types.bool;
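Review bot: The new `enable = mkEnableOption ''…''` in the openrazer.nix hunk renders with a stray trailing period, because mkEnableOption builds its description as `Whether to enable ${name}.` and the indented string ends in a newline, so the option text ends with `members of the "openrazer" group.` followed by a lone `.` on a line of its own. Since the group requirement is now the most important thing a user reads about this option, it is worth spelling the option out with `mkOption` and an explicit description, keeping `default = false` that mkEnableOption gave you; both `mkOption` and `types` are already in scope, as `verboseLogging` directly below shows. The enclosing `options` attribute set continues outside the hunk.

```nix
    hardware.openrazer = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable OpenRazer drivers and userspace daemon.
          Any users that wish to make use of the daemon need to be
          members of the "openrazer" group.
        '';
      };
      # … unchanged: verboseLogging and the remaining options …
```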
@@ -106,10 +110,10 @@ in
 services.udev.packages = [ kernelPackages.openrazer ];
 services.dbus.packages = [ dbusServiceFile ];
- # A user must be a member of the plugdev group in order to start
- # the openrazer-daemon. Therefore we make sure that the plugdev
- # group exists.
- users.groups.plugdev = {};
+ # A user must be a member of the openrazer group in order to start
+ # the openrazer-daemon. Therefore we make sure that the group
+ # exists.
+ users.groups.openrazer = {};
 systemd.user.services.openrazer-daemon = {
 description = "Daemon to manage razer devices in userspace";
diff --git a/pkgs/development/python-modules/openrazer/daemon.nix b/pkgs/development/python-modules/openrazer/daemon.nix
index 8b1ff86fcab..8dcb9a9925d 100644
--- a/pkgs/development/python-modules/openrazer/daemon.nix
+++ b/pkgs/development/python-modules/openrazer/daemon.nix
@@ -38,6 +38,10 @@ buildPythonApplication (common // rec {
 setproctitle
 ];
+ postPatch = ''
+ substituteInPlace openrazer_daemon/daemon.py --replace "plugdev" "openrazer"
+ '';
+
 postBuild = ''
 DESTDIR="$out" PREFIX="" make install manpages
 '';
diff --git a/pkgs/os-specific/linux/openrazer/driver.nix b/pkgs/os-specific/linux/openrazer/driver.nix
index 07113e62862..6e387de0719 100644
--- a/pkgs/os-specific/linux/openrazer/driver.nix
+++ b/pkgs/os-specific/linux/openrazer/driver.nix
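Review bot: The rewritten comment above `users.groups.openrazer = {}` should say that this group replaces the `plugdev` membership the module relied on until now, because the module only creates the group and never adds anyone to it, so deployments that granted `plugdev` to their users lose daemon access silently after this change. Something like `# Since 21.11 this replaces plugdev: membership in plugdev no longer grants access, and users must be added to the openrazer group explicitly (see the 21.11 release notes).` keeps the migration step next to the code that causes it. The `systemd.user.services.openrazer-daemon` unit that begins at the bottom of the hunk is presumably started for every user session regardless of group membership, so a user outside the group would only see the failure in that unit's logs — worth confirming and noting in the same comment.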
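Review bot: `substituteInPlace openrazer_daemon/daemon.py --replace "plugdev" "openrazer"` in the new postPatch is a silent no-op if upstream ever renames or moves that string, and the same applies to the two `--replace plugdev openrazer` calls in the driver.nix hunk: the build would still succeed while the daemon's group check and the udev rules/chgrp would stay bound to `plugdev`, a group the NixOS module no longer creates, and the mismatch would only surface at runtime. A one-line guard in front of the substitution turns that assumption into a build failure, `grep -q plugdev openrazer_daemon/daemon.py` (the same idea applies to the rules file and razer_mount in driver.nix). Substituting every occurrence looks intended here, since daemon.py appears to use the name both for the membership check and for its user-facing error text, but a short comment saying so would save the next reader from re-checking.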
@@ -30,11 +30,13 @@ stdenv.mkDerivation (common // {
 install -m 644 -v -D install_files/udev/99-razer.rules $RAZER_RULES_OUT
 install -m 755 -v -D install_files/udev/razer_mount $RAZER_MOUNT_OUT
 substituteInPlace $RAZER_RULES_OUT \
- --replace razer_mount $RAZER_MOUNT_OUT
+ --replace razer_mount $RAZER_MOUNT_OUT \
+ --replace plugdev openrazer
 substituteInPlace $RAZER_MOUNT_OUT \
 --replace /usr/bin/logger ${util-linux}/bin/logger \
 --replace chgrp ${coreutils}/bin/chgrp \
- --replace "PATH='/sbin:/bin:/usr/sbin:/usr/bin'" ""
+ --replace "PATH='/sbin:/bin:/usr/sbin:/usr/bin'" "" \
+ --replace plugdev openrazer
 runHook postInstall
 '';
--
cgit 1.4.1
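Review bot: The group name `openrazer` is now hard-coded independently in the two `--replace plugdev openrazer` lines here, in daemon.nix and in `users.groups.openrazer` in the NixOS module, with nothing tying them together, so a later edit to any one of them silently desynchronises the udev `GROUP=`/chgrp side from the daemon's membership check. A comment above the first `substituteInPlace $RAZER_RULES_OUT` along the lines of `# Device nodes are handed to the openrazer group; this must match the daemon's group check (daemon.nix) and users.groups.openrazer in nixos/modules/hardware/openrazer.nix.` at least documents the coupling. Both substitutions target the bare word, so they also rewrite any other occurrence of `plugdev` in the rules file or the mount helper; that is presumably harmless for these two files but is worth stating next to them. The shell phase this hunk edits starts before the hunk.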