authorParnell Springmeyer <parnell@digitalmentat.com>2017-01-29 04:11:01 -0600
committerParnell Springmeyer <parnell@digitalmentat.com>2017-01-29 04:11:01 -0600
commit4aa0923009dac4d2307b5fe018b944180bfad6a2 (patch)
treef3a9ae5ddb0d772936dd1d53534fbe677e67a838
parenta8cb2afa981099889cf47185be33f4a831ff482b (diff)
Getting rid of the var indirection and using a bin path instead
-rw-r--r--nixos/modules/installer/tools/nixos-install.sh4
-rw-r--r--nixos/modules/security/apparmor-suid.nix3
-rw-r--r--nixos/modules/security/wrappers/default.nix33
-rw-r--r--nixos/modules/services/logging/logcheck.nix4
-rw-r--r--nixos/modules/services/mail/dovecot.nix2
-rw-r--r--nixos/modules/services/mail/exim.nix2
-rw-r--r--nixos/modules/services/monitoring/munin.nix4
-rw-r--r--nixos/modules/services/monitoring/smartd.nix2
-rw-r--r--nixos/modules/services/network-filesystems/samba.nix2
-rw-r--r--nixos/modules/services/networking/prayer.nix2
-rw-r--r--nixos/modules/services/networking/smokeping.nix2
-rw-r--r--nixos/modules/services/scheduling/atd.nix4
-rw-r--r--nixos/modules/services/scheduling/cron.nix2
-rw-r--r--nixos/modules/services/scheduling/fcron.nix2
-rw-r--r--nixos/modules/system/boot/stage-2-init.sh5
-rw-r--r--nixos/modules/virtualisation/virtualbox-host.nix4
-rw-r--r--nixos/tests/smokeping.nix2
-rw-r--r--pkgs/applications/editors/sublime3/default.nix2
-rw-r--r--pkgs/applications/networking/browsers/chromium/default.nix4
-rw-r--r--pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch2
-rw-r--r--pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch2
-rw-r--r--pkgs/applications/virtualization/virtualbox/hardened.patch6
-rw-r--r--pkgs/build-support/build-fhs-userenv/env.nix2
-rw-r--r--pkgs/desktops/enlightenment/enlightenment.nix6
-rw-r--r--pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch2
-rw-r--r--pkgs/development/libraries/libgksu/default.nix4
-rw-r--r--pkgs/development/libraries/polkit/default.nix2
-rw-r--r--pkgs/development/tools/unity3d/default.nix2
-rw-r--r--pkgs/os-specific/linux/fuse/default.nix2
-rw-r--r--pkgs/os-specific/linux/mdadm/4.nix2
-rw-r--r--pkgs/os-specific/linux/mdadm/default.nix2
-rw-r--r--pkgs/os-specific/linux/pam/default.nix2
-rw-r--r--pkgs/os-specific/linux/util-linux/default.nix2
-rw-r--r--pkgs/servers/interlock/default.nix2
-rw-r--r--pkgs/servers/mail/petidomo/default.nix2
-rw-r--r--pkgs/servers/monitoring/nagios/plugins/official-2.x.nix4
-rw-r--r--pkgs/tools/X11/x11vnc/default.nix4
-rw-r--r--pkgs/tools/admin/certbot/default.nix2
-rw-r--r--pkgs/tools/misc/debian-devscripts/default.nix2
-rw-r--r--pkgs/tools/security/ecryptfs/default.nix2
-rw-r--r--pkgs/tools/security/ecryptfs/helper.nix2
-rw-r--r--pkgs/tools/security/sudo/default.nix2
-rw-r--r--pkgs/tools/system/at/default.nix2
-rw-r--r--pkgs/tools/system/cron/default.nix2
-rw-r--r--pkgs/tools/system/ts/default.nix2
45 files changed, 86 insertions, 65 deletions
diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh
index 36b1a47956d..57bc249360e 100644
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -259,9 +259,9 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
 
 
 # Ask the user to set a root password.
-if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/passwd ] && [ -t 0 ]; then
+if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/bin/passwd ] && [ -t 0 ]; then
     echo "setting root password..."
-    chroot $mountPoint /run/wrappers/passwd
+    chroot $mountPoint /run/wrappers/bin/passwd
 fi
 
 
diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix
index e7b870864ee..dfbf5d859ba 100644
--- a/nixos/modules/security/apparmor-suid.nix
+++ b/nixos/modules/security/apparmor-suid.nix
@@ -19,7 +19,7 @@ with lib;
   config = mkIf (cfg.confineSUIDApplications) {
     security.apparmor.profiles = [ (pkgs.writeText "ping" ''
       #include <tunables/global>
-      /run/wrappers/ping {
+      /run/wrappers/bin/ping {
         #include <abstractions/base>
         #include <abstractions/consoles>
         #include <abstractions/nameservice>
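Review bot: The profile is attached to `/run/wrappers/bin/ping`, but the activation script changed in nixos/modules/security/wrappers/default.nix (same commit) turns `/run/wrappers/bin` into a symlink to a `wrappers.XXXXXXXXXX` directory. AppArmor attaches profiles by the resolved path of the executable, so this profile likely never attaches and the setuid ping wrapper would run unconfined. Consider attaching on the real location instead, e.g. `/run/wrappers/wrappers.*/ping {`, and confirm with `aa-status` after activation that the wrapper is in enforce mode. The profile body continues outside the hunk.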
@@ -33,7 +33,6 @@ with lib;
         ${pkgs.attr.out}/lib/libattr.so* mr,
 
         ${pkgs.iputils}/bin/ping mixr,
-        /run/wrappers/ping.real r,
 
         #/etc/modules.conf r,
 
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 0170da03689..8837ac35a53 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -17,7 +17,9 @@ let
         source=/nix/var/nix/profiles/default/bin/${program}
     fi
 
-    gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.wrapperDir}\" \
+    parentWrapperDir=$(dirname ${wrapperDir})
+
+    gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
         -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
         -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
   '';
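Review bot: `WRAPPER_DIR` now carries the parent of `wrapperDir` rather than the directory the wrappers are installed in, so any location check in wrapper.c (not shown on this page) that compares against this macro becomes coarser. Under a prefix comparison every `wrappers.XXXXXXXXXX` directory below the parent would pass, including leftovers from an interrupted activation. If that is intended because the real path is the randomised temp directory, record it above the assignment, e.g. `# wrappers resolve to $parentWrapperDir/wrappers.<random>, so the C-side check uses the parent`. The expansion should also be quoted: `parentWrapperDir="$(dirname "${wrapperDir}")"`. The builder script starts above the hunk.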
@@ -155,7 +157,7 @@ in
 
     security.wrapperDir = lib.mkOption {
       type        = lib.types.path;
-      default     = "/run/wrappers";
+      default     = "/run/wrappers/bin";
       internal    = true;
       description = ''
         This option defines the path to the wrapper programs. It
@@ -181,11 +183,36 @@ in
           # programs to be wrapped.
           WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
 
+          if [ -d ${config.security.old-wrapperDir} ]; then
+            rm -rf ${config.security.old-wrapperDir}
+          fi
+
+          parentWrapperDir="$(dirname ${wrapperDir})"
+
           mkdir -p ${wrapperDir}
-          wrapperDir=$(mktemp --directory --tmpdir=${wrapperDir} wrappers.XXXXXXXXXX)
+          wrapperDir=$(mktemp --directory --tmpdir="$parentWrapperDir" wrappers.XXXXXXXXXX)
           chmod a+rx $wrapperDir
 
           ${lib.concatStringsSep "\n" mkWrappedPrograms}
+
+          if [ -L ${wrapperDir} ]; then
+            # Atomically replace the symlink
+            # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
+            old=$(readlink ${wrapperDir})
+            ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
+            mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
+            rm --force --recursive $old
+          elif [ -d ${wrapperDir} ]; then
+            # Compatibility with old state, just remove the folder and symlink
+            rm -f ${wrapperDir}/*
+            # if it happens to be a tmpfs
+            ${pkgs.utillinux}/bin/umount ${wrapperDir} || true
+            rm -d ${wrapperDir}
+            ln -d --symbolic $wrapperDir ${wrapperDir}
+          else
+            # For initial setup
+            ln --symbolic $wrapperDir ${wrapperDir}
+          fi
         '';
   };
 }
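Review bot: `mkdir -p ${wrapperDir}` runs before the three-way test, so on a fresh /run it creates the final path as a real directory and the `else` branch for initial setup can never be reached. First activation therefore always takes the non-atomic remove-and-link branch; creating only the parent, `mkdir -p "$parentWrapperDir"`, lets the `-L`/`-d`/else test see the true prior state. The same commit drops the dedicated tmpfs mount in stage-2-init.sh, so the setuid wrappers now sit on whatever filesystem backs /run. Its mount options are not visible here, but if it is mounted `nosuid` the setuid bits are ignored, so that should be verified. `rm --force --recursive $old` also expands unquoted; use `"$old"` and skip the removal when `readlink` returns an empty string.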
diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix
index c933c496479..72925b95cae 100644
--- a/nixos/modules/services/logging/logcheck.nix
+++ b/nixos/modules/services/logging/logcheck.nix
@@ -29,8 +29,8 @@ let
     };
 
   cronJob = ''
-    @reboot   logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
-    2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
+    @reboot   logcheck env PATH=/run/wrappers/bin:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
+    2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers/bin:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
   '';
 
   writeIgnoreRule = name: {level, regex, ...}:
diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
index 7cea2f75439..3b25e41edb1 100644
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@@ -13,7 +13,7 @@ let
     ''
       base_dir = ${baseDir}
       protocols = ${concatStringsSep " " cfg.protocols}
-      sendmail_path = /run/wrappers/sendmail
+      sendmail_path = /run/wrappers/bin/sendmail
     ''
 
     (if isNull cfg.sslServerCert then ''
diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix
index 71414bddd5d..b05344fa9b5 100644
--- a/nixos/modules/services/mail/exim.nix
+++ b/nixos/modules/services/mail/exim.nix
@@ -70,7 +70,7 @@ in
       etc."exim.conf".text = ''
         exim_user = ${cfg.user}
         exim_group = ${cfg.group}
-        exim_path = /run/wrappers/exim
+        exim_path = /run/wrappers/bin/exim
         spool_directory = ${cfg.spoolDir}
         ${cfg.config}
       '';
diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix
index cd4a5125029..6d2ce538368 100644
--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@@ -34,7 +34,7 @@ let
         cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file)
 
         wrapProgram $file \
-          --set PATH "/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
+          --set PATH "/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/bin" \
           --set MUNIN_LIBDIR "${pkgs.munin}/lib" \
           --set MUNIN_PLUGSTATE "/var/run/munin"
 
@@ -183,7 +183,7 @@ in
 
         mkdir -p /etc/munin/plugins
         rm -rf /etc/munin/plugins/*
-        PATH="/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
+        PATH="/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
       '';
       serviceConfig = {
         ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";
diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix
index af02d73597f..4d10299a987 100644
--- a/nixos/modules/services/monitoring/smartd.nix
+++ b/nixos/modules/services/monitoring/smartd.nix
@@ -124,7 +124,7 @@ in
           };
 
           mailer = mkOption {
-            default = "/run/wrappers/sendmail";
+            default = "/run/wrappers/bin/sendmail";
             type = types.path;
             description = ''
               Sendmail-compatible binary to be used to send the messages.
diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix
index 8cc8f21851c..09a11585bc9 100644
--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@@ -30,7 +30,7 @@ let
     ''
       [ global ]
       security = ${cfg.securityType}
-      passwd program = /run/wrappers/passwd %u
+      passwd program = /run/wrappers/bin/passwd %u
       pam password change = ${smbToString cfg.syncPasswordsByPam}
       invalid users = ${smbToString cfg.invalidUsers}
 
diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix
index 58e6ad8a683..8cd4a082353 100644
--- a/nixos/modules/services/networking/prayer.nix
+++ b/nixos/modules/services/networking/prayer.nix
@@ -18,7 +18,7 @@ let
     var_prefix = "${stateDir}"
     prayer_user = "${prayerUser}"
     prayer_group = "${prayerGroup}"
-    sendmail_path = "/run/wrappers/sendmail"
+    sendmail_path = "/run/wrappers/bin/sendmail"
 
     use_http_port ${cfg.port}
 
diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix
index b7bb55f5508..eedc2759337 100644
--- a/nixos/modules/services/networking/smokeping.nix
+++ b/nixos/modules/services/networking/smokeping.nix
@@ -226,7 +226,7 @@ in
       sendmail = mkOption {
         type = types.nullOr types.path;
         default = null;
-        example = "/run/wrappers/sendmail";
+        example = "/run/wrappers/bin/sendmail";
         description = "Use this sendmail compatible script to deliver alerts";
       };
       smokeMailTemplate = mkOption {
diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix
index 7b4937b5c67..f3ada6b7496 100644
--- a/nixos/modules/services/scheduling/atd.nix
+++ b/nixos/modules/services/scheduling/atd.nix
@@ -42,13 +42,13 @@ in
 
   config = mkIf cfg.enable {
 
-    security.wrappers.setuid = map (program: "${program}" = {
+    security.wrappers = map (program: {"${program}" = {
       source = "${pkgs.atd}/bin/${program}";
       owner = "atd";
       group = "atd";
       setuid = true;
       setgid = true;
-    }) [ "at" "atq" "atrm" "batch" ];
+    };}) [ "at" "atq" "atrm" "batch" ];
 
     environment.systemPackages = [ at ];
 
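Review bot: `map` over the program names yields a list of one-key attribute sets, and that list is what gets assigned to `security.wrappers`. The option's declared type is not visible in this diff, but if it is an attribute set keyed by program name the list will not merge, and the entries need combining, e.g. `security.wrappers = lib.mkMerge (map (program: { "${program}" = { … }; }) [ "at" "atq" "atrm" "batch" ]);`. The same construction appears in the `mkSuid` hunk of nixos/modules/virtualisation/virtualbox-host.nix. Separately, `source` refers to `pkgs.atd` while the package added to `environment.systemPackages` two lines later is `at`; confirm that `pkgs.atd` exists. The `config` block continues outside the hunk.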
diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix
index 7bd1e481804..48c5f6be316 100644
--- a/nixos/modules/services/scheduling/cron.nix
+++ b/nixos/modules/services/scheduling/cron.nix
@@ -20,7 +20,7 @@ let
   cronNixosPkg = pkgs.cron.override {
     # The mail.nix nixos module, if there is any local mail system enabled,
     # should have sendmail in this path.
-    sendmailPath = "/run/wrappers/sendmail";
+    sendmailPath = "/run/wrappers/bin/sendmail";
   };
 
   allFiles =
diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix
index f0de996224f..339b0de66e9 100644
--- a/nixos/modules/services/scheduling/fcron.nix
+++ b/nixos/modules/services/scheduling/fcron.nix
@@ -96,7 +96,7 @@ in
             fcronallow  =       /etc/fcron.allow
             fcrondeny   =       /etc/fcron.deny
             shell       =       /bin/sh
-            sendmail    =       /run/wrappers/sendmail
+            sendmail    =       /run/wrappers/bin/sendmail
             editor      =       /run/current-system/sw/bin/vi
           '';
           target = "fcron.conf";
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index ffc0700806c..f827e530f87 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -131,11 +131,6 @@ if [ -n "@useHostResolvConf@" -a -e /etc/resolv.conf ]; then
     cat /etc/resolv.conf | resolvconf -m 1000 -a host
 fi
 
-# Create /run/wrappers as a tmpfs.
-rm -rf /run/wrappers
-mkdir -m 0755 -p /run/wrappers
-mount -t tmpfs -o "mode=0755" tmpfs /run/wrappers
-
 # Log the script output to /dev/kmsg or /run/log/stage-2-init.log.
 # Only at this point are all the necessary prerequisites ready for these commands.
 exec {logOutFd}>&1 {logErrFd}>&2
diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix
index 70ee44680ab..501ed9bc683 100644
--- a/nixos/modules/virtualisation/virtualbox-host.nix
+++ b/nixos/modules/virtualisation/virtualbox-host.nix
@@ -69,12 +69,12 @@ in
     environment.systemPackages = [ virtualbox ];
 
     security.wrappers = let
-      mkSuid = program: "${program}" = {
+      mkSuid = program: {"${program}" = {
         source = "${virtualbox}/libexec/virtualbox/${program}";
         owner = "root";
         group = "vboxusers";
         setuid = true;
-      };
+      };};
     in mkIf cfg.enableHardening (map mkSuid [
       "VBoxHeadless"
       "VBoxNetAdpCtl"
diff --git a/nixos/tests/smokeping.nix b/nixos/tests/smokeping.nix
index 5e2d013abc5..4c77e4b7861 100644
--- a/nixos/tests/smokeping.nix
+++ b/nixos/tests/smokeping.nix
@@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : {
           mailHost = "127.0.0.2";
           probeConfig = ''
             + FPing
-            binary = /run/wrappers/fping
+            binary = /run/wrappers/bin/fping
             offset = 0%
           '';
         };
diff --git a/pkgs/applications/editors/sublime3/default.nix b/pkgs/applications/editors/sublime3/default.nix
index 1c24ff4737b..f900a4e9147 100644
--- a/pkgs/applications/editors/sublime3/default.nix
+++ b/pkgs/applications/editors/sublime3/default.nix
@@ -1,5 +1,5 @@
 { fetchurl, stdenv, glib, xorg, cairo, gtk2, pango, makeWrapper, openssl, bzip2,
-  pkexecPath ? "/run/wrappers/pkexec", libredirect,
+  pkexecPath ? "/run/wrappers/bin/pkexec", libredirect,
   gksuSupport ? false, gksu}:
 
 assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux";
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index 7009cf17fab..c59d6b00945 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -83,9 +83,9 @@ in stdenv.mkDerivation {
     ed -v -s "$out/bin/chromium" << EOF
     2i
 
-    if [ -x "/run/wrappers/${sandboxExecutableName}" ]
+    if [ -x "/run/wrappers/bin/${sandboxExecutableName}" ]
     then
-      export CHROME_DEVEL_SANDBOX="/run/wrappers/${sandboxExecutableName}"
+      export CHROME_DEVEL_SANDBOX="/run/wrappers/bin/${sandboxExecutableName}"
     else
       export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}"
     fi
diff --git a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch
index 4b59f1a376d..33e3e09a96d 100644
--- a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch
+++ b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch
@@ -26,7 +26,7 @@ index 50e8ad8..eec0ed2 100644
 +	is_nixos=no
 +fi
 +
-+if [ -u /run/wrappers/gksign ]; then
++if [ -u /run/wrappers/bin/gksign ]; then
 +	cat <<EOM
 +
 +Gale appears to have already been set up via the NixOS module system (check
diff --git a/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch b/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
index 6603e8d4b60..dfd024a762a 100644
--- a/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
+++ b/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
@@ -11,7 +11,7 @@ index a9d8ac4..85f13f5 100644
 -  # #   arguments: '-i -t'
 -  # # }
 +  config.action_mailer.sendmail_settings = {
-+    location: '/run/wrappers/sendmail',
++    location: '/run/wrappers/bin/sendmail',
 +    arguments: '-i -t'
 +  }
    config.action_mailer.perform_deliveries = true
diff --git a/pkgs/applications/virtualization/virtualbox/hardened.patch b/pkgs/applications/virtualization/virtualbox/hardened.patch
index a788a1df3ca..8d408d3494e 100644
--- a/pkgs/applications/virtualization/virtualbox/hardened.patch
+++ b/pkgs/applications/virtualization/virtualbox/hardened.patch
@@ -96,7 +96,7 @@ index 95dc9a7..39170bc 100644
      /* get the path to the executable */
      char szPath[RTPATH_MAX];
 -    RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);
-+    RTStrCopy(szPath, sizeof(szPath) - 1, "/run/wrappers");
++    RTStrCopy(szPath, sizeof(szPath) - 1, "/run/wrappers/bin");
      size_t cchBufLeft = strlen(szPath);
      szPath[cchBufLeft++] = RTPATH_DELIMITER;
      szPath[cchBufLeft] = 0;
@@ -154,7 +154,7 @@ index be2ad8f..7ddf105 100644
  
 +RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath)
 +{
-+    return RTStrCopy(pszPath, cchPath, "/run/wrappers");
++    return RTStrCopy(pszPath, cchPath, "/run/wrappers/bin");
 +}
 +
 +
@@ -174,7 +174,7 @@ index 7bde6af..2656cae 100644
 + * will cut off everything after the rightmost / as this function is analogous
 + * to RTProcGetExecutablePath().
 + */
-+#define SUIDDIR "/run/wrappers/"
++#define SUIDDIR "/run/wrappers/bin/"
 +
 +RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath)
 +{
diff --git a/pkgs/build-support/build-fhs-userenv/env.nix b/pkgs/build-support/build-fhs-userenv/env.nix
index 98381d9023f..9a1897695a9 100644
--- a/pkgs/build-support/build-fhs-userenv/env.nix
+++ b/pkgs/build-support/build-fhs-userenv/env.nix
@@ -51,7 +51,7 @@ let
     export PS1='${name}-chrootenv:\u@\h:\w\$ '
     export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
     export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'
-    export PATH='/run/wrappers:/usr/bin:/usr/sbin'
+    export PATH='/run/wrappers/bin:/usr/bin:/usr/sbin'
     export PKG_CONFIG_PATH=/usr/lib/pkgconfig
 
     # Force compilers to look in default search paths
diff --git a/pkgs/desktops/enlightenment/enlightenment.nix b/pkgs/desktops/enlightenment/enlightenment.nix
index 65e3bf2d642..3949bffaba1 100644
--- a/pkgs/desktops/enlightenment/enlightenment.nix
+++ b/pkgs/desktops/enlightenment/enlightenment.nix
@@ -42,13 +42,13 @@ stdenv.mkDerivation rec {
   # this is a hack and without this cpufreq module is not working. does the following:
   #   1. moves the "freqset" binary to "e_freqset",
   #   2. linkes "e_freqset" to enlightenment/bin so that,
-  #   3. wrappers.setuid detects it and places wrappers in /run/wrappers/e_freqset,
-  #   4. and finally, links /run/wrappers/e_freqset to original destination where enlightenment wants it
+  #   3. wrappers.setuid detects it and places wrappers in /run/wrappers/bin/e_freqset,
+  #   4. and finally, links /run/wrappers/bin/e_freqset to original destination where enlightenment wants it
   postInstall = ''
     export CPUFREQ_DIRPATH=`readlink -f $out/lib/enlightenment/modules/cpufreq/linux-gnu-*`;
     mv $CPUFREQ_DIRPATH/freqset $CPUFREQ_DIRPATH/e_freqset
     ln -sv $CPUFREQ_DIRPATH/e_freqset $out/bin/e_freqset
-    ln -sv /run/wrappers/e_freqset $CPUFREQ_DIRPATH/freqset
+    ln -sv /run/wrappers/bin/e_freqset $CPUFREQ_DIRPATH/freqset
   '';
 
   meta = with stdenv.lib; {
diff --git a/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch b/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch
index 61aa49f70e5..e3bfc2ebe6b 100644
--- a/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch
+++ b/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch
@@ -7,7 +7,7 @@ Index: kinit-5.24.0/src/start_kdeinit/start_kdeinit_wrapper.c
  #include <unistd.h>
  
 -#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit"
-+#define EXECUTE "/run/wrappers/start_kdeinit"
++#define EXECUTE "/run/wrappers/bin/start_kdeinit"
  
  #if KDEINIT_OOM_PROTECT
  
diff --git a/pkgs/development/libraries/libgksu/default.nix b/pkgs/development/libraries/libgksu/default.nix
index 6d57ca2397e..e96ef7329a2 100644
--- a/pkgs/development/libraries/libgksu/default.nix
+++ b/pkgs/development/libraries/libgksu/default.nix
@@ -57,8 +57,8 @@ stdenv.mkDerivation rec {
 
     # Fix some binary paths
     sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c
-    sed -i -e 's|/usr/bin/sudo|/run/wrappers/sudo|g' libgksu/libgksu.c
-    sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/su\1|g' libgksu/libgksu.c
+    sed -i -e 's|/usr/bin/sudo|/run/wrappers/bin/sudo|g' libgksu/libgksu.c
+    sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/bin/su\1|g' libgksu/libgksu.c
 
     touch NEWS README
   '';
diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix
index b2e2ecf0493..27482743d2c 100644
--- a/pkgs/development/libraries/polkit/default.nix
+++ b/pkgs/development/libraries/polkit/default.nix
@@ -5,7 +5,7 @@
 let
 
   system = "/var/run/current-system/sw";
-  setuid = "/run/wrappers"; #TODO: from <nixos> config.security.wrapperDir;
+  setuid = "/run/wrappers/bin"; #TODO: from <nixos> config.security.wrapperDir;
 
   foolVars = {
     SYSCONF = "/etc";
diff --git a/pkgs/development/tools/unity3d/default.nix b/pkgs/development/tools/unity3d/default.nix
index 2d4977a3195..73cb902ae69 100644
--- a/pkgs/development/tools/unity3d/default.nix
+++ b/pkgs/development/tools/unity3d/default.nix
@@ -94,7 +94,7 @@ in stdenv.mkDerivation rec {
     unitydir="$out/opt/Unity/Editor"
     mkdir -p $unitydir
     mv Editor/* $unitydir
-    ln -sf /run/wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
+    ln -sf /run/wrappers/bin/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
 
     mkdir -p $out/share/applications
     sed "/^Exec=/c\Exec=$out/bin/unity-editor" \
diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix
index 29bcc58c7c0..db18b13bfb8 100644
--- a/pkgs/os-specific/linux/fuse/default.nix
+++ b/pkgs/os-specific/linux/fuse/default.nix
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
       # Ensure that FUSE calls the setuid wrapper, not
       # $out/bin/fusermount. It falls back to calling fusermount in
       # $PATH, so it should also work on non-NixOS systems.
-      export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers\""
+      export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers/bin\""
 
       sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c
       sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh
diff --git a/pkgs/os-specific/linux/mdadm/4.nix b/pkgs/os-specific/linux/mdadm/4.nix
index af8e53ec3a2..05d98de0b23 100644
--- a/pkgs/os-specific/linux/mdadm/4.nix
+++ b/pkgs/os-specific/linux/mdadm/4.nix
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
   preConfigure = ''
     sed -e 's@/lib/udev@''${out}/lib/udev@' \
         -e 's@ -Werror @ @' \
-        -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile
+        -e 's@/usr/sbin/sendmail@/run/wrappers/bin/sendmail@' -i Makefile
   '';
 
   meta = {
diff --git a/pkgs/os-specific/linux/mdadm/default.nix b/pkgs/os-specific/linux/mdadm/default.nix
index d9bdf21723b..e0109791ef2 100644
--- a/pkgs/os-specific/linux/mdadm/default.nix
+++ b/pkgs/os-specific/linux/mdadm/default.nix
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
   preConfigure = ''
     sed -e 's@/lib/udev@''${out}/lib/udev@' \
         -e 's@ -Werror @ @' \
-        -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile
+        -e 's@/usr/sbin/sendmail@/run/wrappers/bin/sendmail@' -i Makefile
   '';
 
   meta = {
diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix
index dc61b3f27f6..5189b84ff7e 100644
--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
 
   postInstall = ''
     mv -v $out/sbin/unix_chkpwd{,.orig}
-    ln -sv /run/wrappers/unix_chkpwd $out/sbin/unix_chkpwd
+    ln -sv /run/wrappers/bin/unix_chkpwd $out/sbin/unix_chkpwd
   ''; /*
     rm -rf $out/etc
     mkdir -p $modules/lib
diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix
index 90fbf861448..6c3aacbef29 100644
--- a/pkgs/os-specific/linux/util-linux/default.nix
+++ b/pkgs/os-specific/linux/util-linux/default.nix
@@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
     --enable-last
     --enable-mesg
     --disable-use-tty-group
-    --enable-fs-paths-default=/run/wrappers:/var/run/current-system/sw/bin:/sbin
+    --enable-fs-paths-default=/run/wrappers/bin:/var/run/current-system/sw/bin:/sbin
     ${if ncurses == null then "--without-ncurses" else ""}
     ${if systemd == null then "" else ''
       --with-systemd
diff --git a/pkgs/servers/interlock/default.nix b/pkgs/servers/interlock/default.nix
index b58c1b50e03..a0b59d332a3 100644
--- a/pkgs/servers/interlock/default.nix
+++ b/pkgs/servers/interlock/default.nix
@@ -30,7 +30,7 @@ buildGoPackage rec {
       -e 's|/bin/chown|${coreutils}/bin/chown|' \
       -e 's|/bin/date|${coreutils}/bin/date|' \
       -e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \
-      -e 's|/usr/bin/sudo|/run/wrappers/sudo|' \
+      -e 's|/usr/bin/sudo|/run/wrappers/bin/sudo|' \
       -e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|'
   '';
 }
diff --git a/pkgs/servers/mail/petidomo/default.nix b/pkgs/servers/mail/petidomo/default.nix
index 1770517047f..395f3ded7fd 100644
--- a/pkgs/servers/mail/petidomo/default.nix
+++ b/pkgs/servers/mail/petidomo/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/sendmail" }:
+{ stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/bin/sendmail" }:
 
 stdenv.mkDerivation rec {
   name = "petidomo-4.3";
diff --git a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix
index 30bd7e8a7c3..1ea6f88084d 100644
--- a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix
+++ b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix
@@ -16,8 +16,8 @@ stdenv.mkDerivation rec {
   # configured on the build machine).
   preConfigure= "
     configureFlagsArray=(
-      --with-ping-command='/run/wrappers/ping -n -U -w %d -c %d %s'
-      --with-ping6-command='/run/wrappers/ping6 -n -U -w %d -c %d %s'
+      --with-ping-command='/run/wrappers/bin/ping -n -U -w %d -c %d %s'
+      --with-ping6-command='/run/wrappers/bin/ping6 -n -U -w %d -c %d %s'
     )
   ";
 
diff --git a/pkgs/tools/X11/x11vnc/default.nix b/pkgs/tools/X11/x11vnc/default.nix
index b343a7da378..2d319cccf20 100644
--- a/pkgs/tools/X11/x11vnc/default.nix
+++ b/pkgs/tools/X11/x11vnc/default.nix
@@ -20,10 +20,10 @@ stdenv.mkDerivation rec {
     configureFlags="--mandir=$out/share/man"
 
     substituteInPlace x11vnc/unixpw.c \
-        --replace '"/bin/su"' '"/run/wrappers/su"' \
+        --replace '"/bin/su"' '"/run/wrappers/bin/su"' \
         --replace '"/bin/true"' '"${coreutils}/bin/true"'
 
-    sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/su|g' x11vnc/ssltools.h
+    sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/bin/su|g' x11vnc/ssltools.h
   '';
 
   meta = {
diff --git a/pkgs/tools/admin/certbot/default.nix b/pkgs/tools/admin/certbot/default.nix
index 366213d2e1e..3648cb2c136 100644
--- a/pkgs/tools/admin/certbot/default.nix
+++ b/pkgs/tools/admin/certbot/default.nix
@@ -31,7 +31,7 @@ python2Packages.buildPythonApplication rec {
   buildInputs = [ dialog ] ++ (with python2Packages; [ nose mock gnureadline ]);
 
   patchPhase = ''
-    substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/sendmail"
+    substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/bin/sendmail"
     substituteInPlace certbot/util.py --replace "sw_vers" "/usr/bin/sw_vers"
   '';
 
diff --git a/pkgs/tools/misc/debian-devscripts/default.nix b/pkgs/tools/misc/debian-devscripts/default.nix
index be3b674de04..cbc7a2e7e46 100644
--- a/pkgs/tools/misc/debian-devscripts/default.nix
+++ b/pkgs/tools/misc/debian-devscripts/default.nix
@@ -2,7 +2,7 @@
 , FileDesktopEntry, libxslt, docbook_xsl, makeWrapper
 , python3Packages
 , perlPackages, curl, gnupg, diffutils
-, sendmailPath ? "/run/wrappers/sendmail"
+, sendmailPath ? "/run/wrappers/bin/sendmail"
 }:
 
 let
diff --git a/pkgs/tools/security/ecryptfs/default.nix b/pkgs/tools/security/ecryptfs/default.nix
index 98e06d1de3e..ab4867a4cc8 100644
--- a/pkgs/tools/security/ecryptfs/default.nix
+++ b/pkgs/tools/security/ecryptfs/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
   };
 
   # TODO: replace wrapperDir below with from <nixos> config.security.wrapperDir;
-  wrapperDir = "/run/wrappers";
+  wrapperDir = "/run/wrappers/bin";
 
   postPatch = ''
     FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)"
diff --git a/pkgs/tools/security/ecryptfs/helper.nix b/pkgs/tools/security/ecryptfs/helper.nix
index 3daaadcaad6..05327ad3a09 100644
--- a/pkgs/tools/security/ecryptfs/helper.nix
+++ b/pkgs/tools/security/ecryptfs/helper.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ makeWrapper ];
 
-  # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers
+  # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers/bin
   installPhase = ''
     mkdir -p $out/bin $out/libexec
     cp $src $out/libexec/ecryptfs-helper.py
diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix
index 0d2953c6f45..9f56a9d7f26 100644
--- a/pkgs/tools/security/sudo/default.nix
+++ b/pkgs/tools/security/sudo/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, coreutils, pam, groff
-, sendmailPath ? "/run/wrappers/sendmail"
+, sendmailPath ? "/run/wrappers/bin/sendmail"
 , withInsults ? false
 }:
 
diff --git a/pkgs/tools/system/at/default.nix b/pkgs/tools/system/at/default.nix
index 9f8bad00ca4..185645763fd 100644
--- a/pkgs/tools/system/at/default.nix
+++ b/pkgs/tools/system/at/default.nix
@@ -1,4 +1,4 @@
-{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/sendmail" }:
+{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/bin/sendmail" }:
 
 stdenv.mkDerivation {
   name = "at-3.1.16";
diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix
index 8a6a5dc15d3..dec1bacd741 100644
--- a/pkgs/tools/system/cron/default.nix
+++ b/pkgs/tools/system/cron/default.nix
@@ -23,7 +23,7 @@ stdenv.mkDerivation {
     #define _PATH_SENDMAIL "${sendmailPath}"
 
     #undef _PATH_DEFPATH
-    #define _PATH_DEFPATH "/run/wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
+    #define _PATH_DEFPATH "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
     __EOT__
 
     # Implicit saved uids do not work here due to way NixOS uses setuid wrappers
diff --git a/pkgs/tools/system/ts/default.nix b/pkgs/tools/system/ts/default.nix
index 1dfb856d4d6..97b35378673 100644
--- a/pkgs/tools/system/ts/default.nix
+++ b/pkgs/tools/system/ts/default.nix
@@ -1,5 +1,5 @@
 {stdenv, fetchurl,
-sendmailPath ? "/run/wrappers/sendmail" }:
+sendmailPath ? "/run/wrappers/bin/sendmail" }:
 
 stdenv.mkDerivation rec {