authorParnell Springmeyer <parnell@digitalmentat.com>2017-01-28 20:48:03 -0800
committerParnell Springmeyer <parnell@digitalmentat.com>2017-01-28 20:48:03 -0800
commite92b8402b05f34072a20075ed54660e7a7237cc3 (patch)
tree554ae0ff77ff4192a895bab155e5e7116c80f28d
parent9de070e620544f9637b20966eec62cbff42988d8 (diff)
Addressing PR feedback
-rw-r--r--nixos/doc/manual/release-notes/rl-1609.xml2
-rw-r--r--nixos/doc/manual/release-notes/rl-1703.xml8
-rw-r--r--nixos/modules/config/shells-environment.nix4
-rw-r--r--nixos/modules/installer/tools/nixos-generate-config.pl2
-rw-r--r--nixos/modules/installer/tools/nixos-install.sh7
-rw-r--r--nixos/modules/module-list.nix2
-rw-r--r--nixos/modules/programs/kbdlight.nix9
-rw-r--r--nixos/modules/programs/light.nix9
-rw-r--r--nixos/modules/programs/shadow.nix48
-rw-r--r--nixos/modules/security/apparmor-suid.nix4
-rw-r--r--nixos/modules/security/chromium-suid-sandbox.nix6
-rw-r--r--nixos/modules/security/duosec.nix11
-rw-r--r--nixos/modules/security/pam.nix35
-rw-r--r--nixos/modules/security/pam_usb.nix17
-rw-r--r--nixos/modules/security/permissions-wrappers/default.nix191
-rw-r--r--nixos/modules/security/polkit.nix18
-rw-r--r--nixos/modules/security/sudo.nix17
-rw-r--r--nixos/modules/security/wrappers/default.nix191
-rw-r--r--nixos/modules/security/wrappers/permissions-wrapper.c (renamed from nixos/modules/security/permissions-wrappers/permissions-wrapper.c)0
-rw-r--r--nixos/modules/security/wrappers/setcap-wrapper-drv.nix (renamed from nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix)4
-rw-r--r--nixos/modules/security/wrappers/setuid-wrapper-drv.nix (renamed from nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix)12
-rw-r--r--nixos/modules/services/logging/logcheck.nix4
-rw-r--r--nixos/modules/services/mail/dovecot.nix2
-rw-r--r--nixos/modules/services/mail/exim.nix12
-rw-r--r--nixos/modules/services/mail/mail.nix2
-rw-r--r--nixos/modules/services/monitoring/munin.nix4
-rw-r--r--nixos/modules/services/monitoring/smartd.nix2
-rw-r--r--nixos/modules/services/network-filesystems/samba.nix2
-rw-r--r--nixos/modules/services/networking/gale.nix2
-rw-r--r--nixos/modules/services/networking/prayer.nix2
-rw-r--r--nixos/modules/services/networking/smokeping.nix20
-rw-r--r--nixos/modules/services/scheduling/atd.nix2
-rw-r--r--nixos/modules/services/scheduling/cron.nix18
-rw-r--r--nixos/modules/services/scheduling/fcron.nix13
-rw-r--r--nixos/modules/services/system/dbus.nix4
-rw-r--r--nixos/modules/services/x11/desktop-managers/enlightenment.nix11
-rw-r--r--nixos/modules/services/x11/desktop-managers/kde4.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/kde5.nix2
-rw-r--r--nixos/modules/system/boot/stage-2-init.sh8
-rw-r--r--nixos/modules/tasks/network-interfaces.nix47
-rw-r--r--nixos/modules/virtualisation/virtualbox-host.nix4
-rw-r--r--nixos/tests/smokeping.nix2
-rw-r--r--pkgs/applications/editors/sublime3/default.nix2
-rw-r--r--pkgs/applications/networking/browsers/chromium/default.nix4
-rw-r--r--pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch2
-rw-r--r--pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch2
-rw-r--r--pkgs/applications/virtualization/virtualbox/hardened.patch6
-rw-r--r--pkgs/build-support/build-fhs-userenv/env.nix2
-rw-r--r--pkgs/desktops/enlightenment/enlightenment.nix6
-rw-r--r--pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch2
-rw-r--r--pkgs/development/libraries/libgksu/default.nix4
-rw-r--r--pkgs/development/libraries/polkit/default.nix2
-rw-r--r--pkgs/development/tools/unity3d/default.nix2
-rw-r--r--pkgs/os-specific/linux/fuse/default.nix2
-rw-r--r--pkgs/os-specific/linux/mdadm/4.nix2
-rw-r--r--pkgs/os-specific/linux/mdadm/default.nix2
-rw-r--r--pkgs/os-specific/linux/pam/default.nix2
-rw-r--r--pkgs/os-specific/linux/util-linux/default.nix2
-rw-r--r--pkgs/servers/interlock/default.nix2
-rw-r--r--pkgs/servers/mail/petidomo/default.nix2
-rw-r--r--pkgs/servers/monitoring/nagios/plugins/official-2.x.nix4
-rw-r--r--pkgs/tools/X11/x11vnc/default.nix4
-rw-r--r--pkgs/tools/admin/certbot/default.nix2
-rw-r--r--pkgs/tools/misc/debian-devscripts/default.nix2
-rw-r--r--pkgs/tools/security/ecryptfs/default.nix2
-rw-r--r--pkgs/tools/security/ecryptfs/helper.nix2
-rw-r--r--pkgs/tools/security/sudo/default.nix2
-rw-r--r--pkgs/tools/system/at/default.nix2
-rw-r--r--pkgs/tools/system/cron/default.nix2
-rw-r--r--pkgs/tools/system/ts/default.nix2
70 files changed, 322 insertions, 512 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml
index bf8be1b68f2..ade7d5581ce 100644
--- a/nixos/doc/manual/release-notes/rl-1609.xml
+++ b/nixos/doc/manual/release-notes/rl-1609.xml
@@ -202,7 +202,7 @@ following incompatible changes:</para>
 
   <listitem>
     <para>The directory container setuid wrapper programs,
-    <filename>/var/permissions-wrappers</filename>, <link
+    <filename>/var/setuid-wrappers</filename>, <link
     xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
     updated atomically to prevent failures if the switch to a new
     configuration is interrupted.</link></para>
diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml
index 177010e2a32..94aa674fed6 100644
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@@ -15,6 +15,14 @@ has the following highlights: </para>
     xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">Nixpkgs
     manual</link> for more information.</para>
   </listitem>
+
+  <listitem>
+
+    <para>Setting capabilities on programs is now supported with a
+    <literal>setcap-wrapper</literal> functionality. This
+    functionality and the <literal>setuid-wrapper</literal> are merged
+    into a single "wrappers" module.</para>
+  </listitem>
 </itemizedlist>
 
 <para>The following new services were added since the last release:</para>
diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix
index 7003c074522..8a7b3ea0bfd 100644
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@@ -168,8 +168,8 @@ in
 
          ${cfg.extraInit}
 
-         # The setuid wrappers override other bin directories.
-         export PATH="${config.security.permissionsWrapperDir}:$PATH"
+         # The setuid/setcap wrappers override other bin directories.
+         export PATH="${config.security.wrapperDir}:$PATH"
 
          # ~/bin if it exists overrides other bin directories.
          export PATH="$HOME/bin:$PATH"
diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl
index bb379dafc64..657c28f095d 100644
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -343,7 +343,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
 
     # Skip special filesystems.
     next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs";
-    next if $mountPoint eq "/var/permissions-wrappers";
+    next if $mountPoint eq "/run/wrappers";
 
     # Skip the optional fields.
     my $n = 6; $n++ while $fields[$n] ne "-"; $n++;
diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh
index 4e9f8ab60f2..36b1a47956d 100644
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -92,14 +92,13 @@ fi
 mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
 mkdir -m 01777 -p $mountPoint/tmp
 mkdir -m 0755 -p $mountPoint/tmp/root
-mkdir -m 0755 -p $mountPoint/var/permissions-wrappers
+mkdir -m 0755 -p $mountPoint/var
 mkdir -m 0700 -p $mountPoint/root
 mount --rbind /dev $mountPoint/dev
 mount --rbind /proc $mountPoint/proc
 mount --rbind /sys $mountPoint/sys
 mount --rbind / $mountPoint/tmp/root
 mount -t tmpfs -o "mode=0755" none $mountPoint/run
-mount -t tmpfs -o "mode=0755" none $mountPoint/var/permissions-wrappers
 rm -rf $mountPoint/var/run
 ln -s /run $mountPoint/var/run
 for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done
@@ -260,9 +259,9 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
 
 
 # Ask the user to set a root password.
-if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/permissions-wrappers/passwd ] && [ -t 0 ]; then
+if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/passwd ] && [ -t 0 ]; then
     echo "setting root password..."
-    chroot $mountPoint /var/permissions-wrappers/passwd
+    chroot $mountPoint /run/wrappers/passwd
 fi
 
 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index f7206ea931b..bd351460a52 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -113,7 +113,7 @@
   ./security/prey.nix
   ./security/rngd.nix
   ./security/rtkit.nix
-  ./security/permissions-wrappers
+  ./security/wrappers
   ./security/sudo.nix
   ./services/amqp/activemq/default.nix
   ./services/amqp/rabbitmq.nix
diff --git a/nixos/modules/programs/kbdlight.nix b/nixos/modules/programs/kbdlight.nix
index 30767a03291..0172368e968 100644
--- a/nixos/modules/programs/kbdlight.nix
+++ b/nixos/modules/programs/kbdlight.nix
@@ -11,13 +11,6 @@ in
 
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.kbdlight ];
-
-    security.permissionsWrappers.setuid =
-    [ { program = "kbdlight";
-        source  = "${pkgs.kbdlight.out}/bin/kbdlight";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;        
-    }];
+    security.setuidPrograms = [ "kbdlight" ];
   };
 }
diff --git a/nixos/modules/programs/light.nix b/nixos/modules/programs/light.nix
index c89f8e93721..09cd1113d9c 100644
--- a/nixos/modules/programs/light.nix
+++ b/nixos/modules/programs/light.nix
@@ -21,13 +21,6 @@ in
 
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.light ];
-
-    security.permissionsWrappers.setuid =
-    [ { program = "light";
-        source  = "${pkgs.light.out}/bin/light";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;        
-    }];
+    security.setuidPrograms = [ "light" ];
   };
 }
diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index 08d96cbcf4b..c5a50318026 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -101,49 +101,9 @@ in
         chpasswd = { rootOK = true; };
       };
 
-
-    security.permissionsWrappers.setuid = 
-    [
-      { program = "su";
-        source  = "${pkgs.shadow.su}/bin/su";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;        
-      }
-
-      { program = "chfn";
-        source  = "${pkgs.shadow.out}/bin/chfn";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;
-      }
-    ] ++
-    (lib.optionals config.users.mutableUsers
-     map (x: x // { owner   = "root";
-                    group   = "root";
-                    setuid  = true;
-                  })
-         [
-           { program = "passwd";
-             source  = "${pkgs.shadow.out}/bin/passwd";
-           }
-
-           { program = "sg";
-             source  = "${pkgs.shadow.out}/bin/sg";
-           }
-
-           { program = "newgrp";
-             source  = "${pkgs.shadow.out}/bin/newgrp";
-           }
-
-           { program = "newuidmap";
-             source  = "${pkgs.shadow.out}/bin/newuidmap";
-           }
-
-           { program = "newgidmap";
-             source  = "${pkgs.shadow.out}/bin/newgidmap";
-           }
-         ]
-    );
+    security.setuidPrograms = [
+      "su" "chfn" "newuidmap" "newgidmap"
+      ] ++ lib.optionals config.users.mutableUsers
+      [ "passwd" "sg" "newgrp" ];
   };
 }
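Review bot: The removed list pinned `su` to `${pkgs.shadow.su}/bin/su` and the remaining programs to `${pkgs.shadow.out}`, whereas `security.setuidPrograms` resolves the source at activation time from `WRAPPER_PATH` (the `type -tP` lookup in setuid-wrapper-drv.nix), so the setuid bit lands on whichever `su`/`passwd`/`newuidmap` binary is first in the system path. If another package in the system environment ships a binary of the same name, that binary becomes setuid root instead; keeping an explicit entry such as `security.wrappers.su = { source = "${pkgs.shadow.su}/bin/su"; owner = "root"; group = "root"; setuid = true; };` avoids that. I cannot tell from this diff whether `pkgs.shadow.su` is on the system path at all, so the lookup may also miss and fall back to the default profile path.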
diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix
index 799f27b6708..e7b870864ee 100644
--- a/nixos/modules/security/apparmor-suid.nix
+++ b/nixos/modules/security/apparmor-suid.nix
@@ -19,7 +19,7 @@ with lib;
   config = mkIf (cfg.confineSUIDApplications) {
     security.apparmor.profiles = [ (pkgs.writeText "ping" ''
       #include <tunables/global>
-      /var/permissions-wrappers/ping {
+      /run/wrappers/ping {
         #include <abstractions/base>
         #include <abstractions/consoles>
         #include <abstractions/nameservice>
@@ -33,7 +33,7 @@ with lib;
         ${pkgs.attr.out}/lib/libattr.so* mr,
 
         ${pkgs.iputils}/bin/ping mixr,
-        /var/permissions-wrappers/ping.real r,
+        /run/wrappers/ping.real r,
 
         #/etc/modules.conf r,
 
diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix
index 6fe25213639..0699fbb728a 100644
--- a/nixos/modules/security/chromium-suid-sandbox.nix
+++ b/nixos/modules/security/chromium-suid-sandbox.nix
@@ -27,10 +27,6 @@ in
 
   config = mkIf cfg.enable {
     environment.systemPackages = [ sandbox ];
-    security.permissionsWrappers.setuid = [
-      { program = sandbox.passthru.sandboxExecutableName;
-        source  = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
-      }
-    ];
+    security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];
   };
 }
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
index e5b35427015..ee62c34438e 100644
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -188,16 +188,7 @@ in
 
      environment.systemPackages = [ pkgs.duo-unix ];
 
-     security.permissionsWrappers.setuid =
-     [
-       { program = "login_duo";
-         source  = "${pkgs.duo-unix.out}/bin/login_duo";
-         owner   = "root";
-         group   = "root";
-         setuid  = true;
-       }
-     ];
-
+     security.setuidPrograms = [ "login_duo" ];
      environment.etc = loginCfgFile ++ pamCfgFile;
 
      /* If PAM *and* SSH are enabled, then don't do anything special.
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index c5088b64bb3..3c944acf6cf 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -472,33 +472,14 @@ in
       ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
       ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
 
-    security.permissionsWrappers.setuid =
-      [
-        { program = "unix_chkpwd";
-          source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
-          owner = "root";
-          group = "root";
-          setuid = true;
-        }
-
-
-          
-      ] ++ (optional config.security.pam.enableEcryptfs 
-        { program = "umount.ecryptfs_private";
-          source  = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
-          owner   = "root";
-          group   = "root";
-          setuid  = true;
-        }
-      ) ++ (optional config.security.pam.enableEcryptfs
-        { program = "mount.ecryptfs_private";
-          source  = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
-          owner   = "root";
-          group   = "root";
-          setuid  = true;
-        }
-      );
-        
+    security.setuidPrograms =
+      optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
+
+    security.wrappers.unix_chkpwd = {
+      source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
+      owner = "root";
+      setuid = true;
+    };
 
     environment.etc =
       mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
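Review bot: The new `security.wrappers.unix_chkpwd` entry drops the `group = "root"` that the removed list entry carried; with `mkSetuidProgram`'s default `group ? "nogroup"` in wrappers/default.nix the wrapper is chowned `root.nogroup` rather than `root.root`. Add `group = "root";` next to `owner` if the previous ownership is intended. The `optionals … [ "mount.ecryptfs_private" "umount.ecryptfs_private" ]` part preserves the old setuid-root semantics through `setuidPrograms`, so only the attrset form is affected.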
diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix
index 53a7921a244..032f8e38d11 100644
--- a/nixos/modules/security/pam_usb.nix
+++ b/nixos/modules/security/pam_usb.nix
@@ -33,22 +33,7 @@ in
   config = mkIf (cfg.enable || anyUsbAuth) {
 
     # Make sure pmount and pumount are setuid wrapped.
-    security.permissionsWrappers.setuid =
-      [
-        { program = "pmount";
-          source  = "${pkgs.pmount.out}/bin/pmount";
-          owner   = "root";
-          group   = "root";
-          setuid  = true;
-        }
-
-        { program = "pumount";
-          source  = "${pkgs.pmount.out}/bin/pumount";
-          owner   = "root";
-          group   = "root";
-          setuid  = true;
-        }
-      ];
+    security.setuidPrograms = [ "pmount" "pumount" ];
 
     environment.systemPackages = [ pkgs.pmount ];
 
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix
deleted file mode 100644
index 480bd371040..00000000000
--- a/nixos/modules/security/permissions-wrappers/default.nix
+++ /dev/null
@@ -1,191 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-
-  inherit (config.security) run-permissionsWrapperDir permissionsWrapperDir;
-
-  isNotNull = v: if v != null then true else false;
-
-  cfg = config.security.permissionsWrappers;
-
-  setcapWrappers = import ./setcap-wrapper-drv.nix {
-    inherit config lib pkgs;
-  };
-
-  setuidWrappers = import ./setuid-wrapper-drv.nix {
-    inherit config lib pkgs;
-  };
-
-  ###### Activation script for the setcap wrappers
-  configureSetcapWrapper =
-    { program
-    , capabilities
-    , source ? null
-    , owner  ? "nobody"
-    , group  ? "nogroup"
-    }: ''
-      cp ${setcapWrappers}/bin/${program}.wrapper $permissionsWrapperDir/${program}
-
-      # Prevent races
-      chmod 0000 $permissionsWrapperDir/${program}
-      chown ${owner}.${group} $permissionsWrapperDir/${program}
-
-      # Set desired capabilities on the file plus cap_setpcap so
-      # the wrapper program can elevate the capabilities set on
-      # its file into the Ambient set.
-      #
-      # Only set the capabilities though if we're being told to
-      # do so.
-      ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $permissionsWrapperDir/${program}
-
-      # Set the executable bit
-      chmod u+rx,g+x,o+x $permissionsWrapperDir/${program}
-    '';
-
-  ###### Activation script for the setuid wrappers
-  configureSetuidWrapper =
-    { program
-    , source ? null
-    , owner  ? "nobody"
-    , group  ? "nogroup"
-    , setuid ? false
-    , setgid ? false
-    , permissions ? "u+rx,g+x,o+x"
-    }: ''
-      cp ${setuidWrappers}/bin/${program}.wrapper $permissionsWrapperDir/${program}
-
-      # Prevent races
-      chmod 0000 $permissionsWrapperDir/${program}
-      chown ${owner}.${group} $permissionsWrapperDir/${program}
-
-      chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $permissionsWrapperDir/${program}
-    '';
-in
-{
-
-  ###### interface
-
-  options = {
-    security.permissionsWrappers.setcap = lib.mkOption {
-      type    = lib.types.listOf lib.types.attrs;
-      default = [];
-      example =
-        [ { program = "ping";
-            source  = "${pkgs.iputils.out}/bin/ping";
-            owner   = "nobody";
-            group   = "nogroup";
-            capabilities = "cap_net_raw+ep";
-          }
-        ];
-      description = ''
-        This option sets capabilities on a wrapper program that
-        propagates those capabilities down to the wrapped, real
-        program.
-
-        The `program` attribute is the name of the program to be
-        wrapped. If no `source` attribute is provided, specifying the
-        absolute path to the program, then the program will be
-        searched for in the path environment variable.
-
-        NOTE: cap_setpcap, which is required for the wrapper program
-        to be able to raise caps into the Ambient set is NOT raised to
-        the Ambient set so that the real program cannot modify its own
-        capabilities!! This may be too restrictive for cases in which
-        the real program needs cap_setpcap but it at least leans on
-        the side security paranoid vs. too relaxed.
-      '';
-    };
-
-    security.permissionsWrappers.setuid = lib.mkOption {
-      type = lib.types.listOf lib.types.attrs;
-      default = [];
-      example =
-        [ { program = "sendmail";
-            source = "/nix/store/.../bin/sendmail";
-            owner = "nobody";
-            group = "postdrop";
-            setuid = false;
-            setgid = true;
-            permissions = "u+rx,g+x,o+x";
-          }
-        ];
-      description = ''
-        This option allows the ownership and permissions on the setuid
-        wrappers for specific programs to be overridden from the
-        default (setuid root, but not setgid root).
-      '';
-    };
-
-    security.permissionsWrapperDir = lib.mkOption {
-      type        = lib.types.path;
-      default     = "/var/permissions-wrappers";
-      internal    = true;
-      description = ''
-        This option defines the path to the permissions wrappers. It
-        should not be overriden.
-      '';
-    };
-
-    security.run-permissionsWrapperDir = lib.mkOption {
-      type        = lib.types.path;
-      default     = "/run/permissions-wrapper-dirs";
-      internal    = true;
-      description = ''
-        This option defines the run path to the permissions
-        wrappers. It should not be overriden.
-      '';
-    };
-
-  };
-
-
-  ###### implementation
-  
-  config = {
-
-    # Make sure our setcap-wrapper dir exports to the PATH env
-    # variable when initializing the shell
-    environment.extraInit = ''
-    # The permissions wrappers override other bin directories.
-    export PATH="${permissionsWrapperDir}:$PATH"
-    '';
-
-    system.activationScripts.wrapper-dir = ''
-      mkdir -p "${permissionsWrapperDir}"
-    '';
-
-    ###### setcap activation script
-    system.activationScripts.permissions-wrappers =
-      lib.stringAfter [ "users" ]
-        ''
-          # Look in the system path and in the default profile for
-          # programs to be wrapped.
-          PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
-
-          mkdir -p ${run-permissionsWrapperDir}
-          permissionsWrapperDir=$(mktemp --directory --tmpdir=${run-permissionsWrapperDir} permissions-wrappers.XXXXXXXXXX)
-          chmod a+rx $permissionsWrapperDir
-
-          ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)}
-          ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)}
-
-          if [ -L ${permissionsWrapperDir} ]; then
-            # Atomically replace the symlink
-            # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
-            old=$(readlink ${permissionsWrapperDir})
-            ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp
-            mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir}
-            rm --force --recursive $old
-          elif [ -d ${permissionsWrapperDir} ]; then
-            # Compatibility with old state, just remove the folder and symlink
-            rm -f ${permissionsWrapperDir}/*
-            # if it happens to be a tmpfs
-            ${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true
-            rm -d ${permissionsWrapperDir}
-            ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
-          else
-            # For initial setup
-            ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
-          fi
-        '';
-  };
-}
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index 098319d5ded..547b40cedfd 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -83,22 +83,8 @@ in
 
     security.pam.services.polkit-1 = {};
 
-    security.permissionsWrappers.setuid = 
-      [
-        { program = "pkexec";
-          source  = "${pkgs.polkit.out}/bin/pkexec";
-          owner   = "root";
-          group   = "root";
-          setuid  = true;
-        }
-
-        { program = "polkit-agent-helper-1";
-          owner = "root";
-          group = "root";
-          setuid = true;
-          source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
-        }
-      ];
+    security.setuidPrograms = [ "pkexec" ];
+    security.wrappers."polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
 
     system.activationScripts.polkit =
       ''
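Review bot: `security.wrappers."polkit-agent-helper-1".source = …` keeps only `source`, while the removed entry also had `owner = "root"` and `setuid = true`. In the new wrappers/default.nix an entry with none of `setuid`/`setgid`/`permissions`/`capabilities` hits the `else ""` branch of `wrapperPrograms`, so no wrapper would be generated for the helper at all, and even if it were, `owner` would default to `nobody`. Writing it as `security.wrappers."polkit-agent-helper-1" = { source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; owner = "root"; group = "root"; setuid = true; };` preserves the old behaviour.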
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 652f23c2938..f5612e1b0c5 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -81,22 +81,7 @@ in
         ${cfg.extraConfig}
       '';
 
-    security.permissionsWrappers.setuid =
-     [
-       { program = "sudo";
-         source  = "${pkgs.sudo.out}/bin/sudo";
-         owner   = "root";
-         group   = "root";
-         setuid  = true;
-       }
-
-       { program = "sudoedit";
-         source  = "${pkgs.sudo.out}/bin/sudoedit";
-         owner   = "root";
-         group   = "root";
-         setuid  = true;
-       }
-    ];
+    security.setuidPrograms = [ "sudo" "sudoedit" ];
 
     environment.systemPackages = [ sudo ];
 
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
new file mode 100644
index 00000000000..d12209b375b
--- /dev/null
+++ b/nixos/modules/security/wrappers/default.nix
@@ -0,0 +1,191 @@
+{ config, lib, pkgs, ... }:
+let
+
+  inherit (config.security) wrapperDir;
+
+  isNotNull = v: if v != null || v != "" then true else false;
+
+  cfg = config.security.wrappers;
+
+  setcapWrappers = import ./setcap-wrapper-drv.nix {
+    inherit config lib pkgs;
+  };
+
+  setuidWrappers = import ./setuid-wrapper-drv.nix {
+    inherit config lib pkgs;
+  };
+
+  ###### Activation script for the setcap wrappers
+  mkSetcapProgram =
+    { program
+    , capabilities
+    , source ? null
+    , owner  ? "nobody"
+    , group  ? "nogroup"
+    ...
+    }: ''
+      cp ${setcapWrappers}/bin/${program}.wrapper $wrapperDir/${program}
+
+      # Prevent races
+      chmod 0000 $wrapperDir/${program}
+      chown ${owner}.${group} $wrapperDir/${program}
+
+      # Set desired capabilities on the file plus cap_setpcap so
+      # the wrapper program can elevate the capabilities set on
+      # its file into the Ambient set.
+      #
+      # Only set the capabilities though if we're being told to
+      # do so.
+      ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}
+
+      # Set the executable bit
+      chmod u+rx,g+x,o+x $wrapperDir/${program}
+    '';
+
+  ###### Activation script for the setuid wrappers
+  mkSetuidProgram =
+    { program
+    , source ? null
+    , owner  ? "nobody"
+    , group  ? "nogroup"
+    , setuid ? false
+    , setgid ? false
+    , permissions ? "u+rx,g+x,o+x"
+    ...
+    }: ''
+      cp ${setuidWrappers}/bin/${program}.wrapper $wrapperDir/${program}
+
+      # Prevent races
+      chmod 0000 $wrapperDir/${program}
+      chown ${owner}.${group} $wrapperDir/${program}
+
+      chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
+    '';
+in
+{
+
+  ###### interface
+
+  options = {
+    security.wrappers.setcap = lib.mkOption {
+      type    = lib.types.listOf lib.types.attrs;
+      default = [];
+      example =
+        [ { program = "ping";
+            source  = "${pkgs.iputils.out}/bin/ping";
+            owner   = "nobody";
+            group   = "nogroup";
+            capabilities = "cap_net_raw+ep";
+          }
+        ];
+      description = ''
+        This option sets capabilities on a wrapper program that
+        propagates those capabilities down to the wrapped, real
+        program.
+
+        The <literal>program</literal> attribute is the name of the
+        program to be wrapped. If no <literal>source</literal>
+        attribute is provided, specifying the absolute path to the
+        program, then the program will be searched for in the path
+        environment variable.
+
+        NOTE: cap_setpcap, which is required for the wrapper program
+        to be able to raise caps into the Ambient set is NOT raised to
+        the Ambient set so that the real program cannot modify its own
+        capabilities!! This may be too restrictive for cases in which
+        the real program needs cap_setpcap but it at least leans on
+        the side security paranoid vs. too relaxed.
+      '';
+    };
+
+    security.setuidPrograms = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = ["passwd"];
+      description = ''
+        The Nix store cannot contain setuid/setgid programs directly.
+        For this reason, NixOS can automatically generate wrapper
+        programs that have the necessary privileges.  This option
+        lists the names of programs in the system environment for
+        which setuid root wrappers should be created.
+      '';
+    };
+
+    security.wrappers = lib.mkOption {
+      type = lib.types.attrs;
+      default = {};
+      example = {
+        sendmail.source = "/nix/store/.../bin/sendmail";
+      };
+      description = ''
+        This option allows the ownership and permissions on the setuid
+        wrappers for specific programs to be overridden from the
+        default (setuid root, but not setgid root).
+      '';
+    };
+
+    security.old-wrapperDir = lib.mkOption {
+      type        = lib.types.path;
+      default     = "/var/setuid-wrappers";
+      internal    = true;
+      description = ''
+        This option defines the path to the wrapper programs. It
+        should not be overriden.
+      '';
+    };
+
+    security.wrapperDir = lib.mkOption {
+      type        = lib.types.path;
+      default     = "/run/wrappers";
+      internal    = true;
+      description = ''
+        This option defines the path to the wrapper programs. It
+        should not be overriden.
+      '';
+    };
+  };
+
+  ###### implementation
+  config = {
+    # Make sure our setcap-wrapper dir exports to the PATH env
+    # variable when initializing the shell
+    environment.extraInit = ''
+      # The permissions wrappers override other bin directories.
+      export PATH="${wrapperDir}:$PATH"
+    '';
+
+    ###### setcap activation script
+    system.activationScripts.wrappers =
+      let
+        programs =
+          (map (x: { program = x; owner = "root"; group = "root"; setuid = true; })
+            config.security.setuidPrograms)
+            ++ lib.mapAttrsToList
+                 (n: v: (if v ? "program" then v else v // {program=n;}))
+                 cfg.wrappers;
+
+        wrapperPrograms =
+          builtins.map
+            (s: if (s ? "setuid"  && s.setuid  == true) ||
+                   (s ? "setguid" && s.setguid == true) ||
+                   (s ? "permissions")
+                then mkSetuidProgram s
+                else if (s ? "capabilities")
+                then mkSetcapProgram s
+                else ""
+            ) programs;
+
+      in lib.stringAfter [ "users" ]
+        ''
+          # Look in the system path and in the default profile for
+          # programs to be wrapped.
+          WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
+
+          mkdir -p ${wrapperDir}
+          wrapperDir=$(mktemp --directory --tmpdir=${wrapperDir} wrappers.XXXXXXXXXX)
+          chmod a+rx $wrapperDir
+
+          ${lib.concatStringsSep "\n" (builtins.filter isNotNull cfg.wrappers)}
+        '';
+  };
+}
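Review bot: The activation script at the end of the hunk installs nothing: `builtins.filter isNotNull cfg.wrappers` reads `config.security.wrappers.wrappers`, which no option declares, and the `wrapperPrograms` list built just above it (the only caller of `mkSetuidProgram`/`mkSetcapProgram`) is never used; the line should be `${lib.concatStringsSep "\n" (builtins.filter (s: s != "") wrapperPrograms)}`. Before that, both argument patterns end with `, group  ? "nogroup"` followed by a bare `...` on the next line, which should be a parse error in Nix (`, ...` is needed), so the file cannot evaluate as written. Smaller issues on the new side: `isNotNull` is always true because of `||` (`v != null && v != ""`), the dispatch tests `setguid` where the rest of the module uses `setgid`, and `security.setuidPrograms` uses bare `mkOption`/`types` although the file only receives `lib` (`lib.mkOption`, `lib.types.listOf lib.types.str`). The removed module's atomic symlink replacement is gone as well, so as far as this hunk shows the `mktemp` directory created under `${wrapperDir}` is never pointed to by `${wrapperDir}` itself and callers using `/run/wrappers/<program>` (e.g. nixos-install.sh in this same commit) would not find the wrappers. Declaring `security.wrappers` with type `attrs` and `security.wrappers.setcap` as a nested option in the same module is also likely to be rejected by the module system; since the dispatch already keys on a `capabilities` attribute, folding setcap entries into `security.wrappers` would remove the conflict.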
diff --git a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c b/nixos/modules/security/wrappers/permissions-wrapper.c
index cb9d8d6b37b..cb9d8d6b37b 100644
--- a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
+++ b/nixos/modules/security/wrappers/permissions-wrapper.c
diff --git a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/wrappers/setcap-wrapper-drv.nix
index 2ae3067b1b1..03dca5c9f42 100644
--- a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix
+++ b/nixos/modules/security/wrappers/setcap-wrapper-drv.nix
@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 
 let  
-     cfg = config.security.permissionsWrappers;
+     cfg = config.security.wrappers;
 
      # Produce a shell-code splice intended to be stitched into one of
      # the build or install phases within the derivation.
@@ -12,7 +12,7 @@ let
          source=/nix/var/nix/profiles/default/bin/${program}
        fi
 
-       gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-permissionsWrapperDir}\" \
+       gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \
            -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
            -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
      '';
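Review bot: The fallback `source=/nix/var/nix/profiles/default/bin/${program}` on the new side is taken without checking that the file exists, so a program missing from both `$WRAPPER_PATH` and the default profile still yields a compiled privileged wrapper whose baked-in SOURCE_PROG points nowhere; the same two lines appear in the setuid-wrapper-drv.nix hunk below. A guard after the `fi`, `test -x "$source" || { echo "wrapper: no executable found for ${program}" >&2; exit 1; }`, fails the build instead of installing a dangling setcap/setuid wrapper. `$source` is also expanded unquoted inside `-DSOURCE_PROG=\"$source\"`; Nix store paths are safe, but a user-supplied `source` with whitespace would be word-split, so `-DSOURCE_PROG="\"$source\""` is the safer form. The enclosing mkSetcapWrapper function starts outside the hunk.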
diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/wrappers/setuid-wrapper-drv.nix
index 53cce2ff48e..e08ae799bf4 100644
--- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
+++ b/nixos/modules/security/wrappers/setuid-wrapper-drv.nix
@@ -1,18 +1,18 @@
 { config, lib, pkgs, ... }:
 
 let  
-     cfg = config.security.permissionsWrappers;
+     cfg = config.security.wrappers;
 
      # Produce a shell-code splice intended to be stitched into one of
      # the build or install phases within the derivation.
      mkSetuidWrapper = { program, source ? null, ...}: ''
-       if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
-         # If we can't find the program, fall back to the
-         # system profile.
-         source=/nix/var/nix/profiles/default/bin/${program}
+       if ! source=${if source != null then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then
+           # If we can't find the program, fall back to the
+           # system profile.
+           source=/nix/var/nix/profiles/default/bin/${program}
        fi
 
-       gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-permissionsWrapperDir}\" \
+       gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \
            -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
            -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
      '';
diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix
index 86451ec318c..c933c496479 100644
--- a/nixos/modules/services/logging/logcheck.nix
+++ b/nixos/modules/services/logging/logcheck.nix
@@ -29,8 +29,8 @@ let
     };
 
   cronJob = ''
-    @reboot   logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
-    2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
+    @reboot   logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
+    2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
   '';
 
   writeIgnoreRule = name: {level, regex, ...}:
diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
index 6b37a8a4ea2..7cea2f75439 100644
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@@ -13,7 +13,7 @@ let
     ''
       base_dir = ${baseDir}
       protocols = ${concatStringsSep " " cfg.protocols}
-      sendmail_path = /var/permissions-wrappers/sendmail
+      sendmail_path = /run/wrappers/sendmail
     ''
 
     (if isNull cfg.sslServerCert then ''
diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix
index 6dfb8fdef11..71414bddd5d 100644
--- a/nixos/modules/services/mail/exim.nix
+++ b/nixos/modules/services/mail/exim.nix
@@ -70,7 +70,7 @@ in
       etc."exim.conf".text = ''
         exim_user = ${cfg.user}
         exim_group = ${cfg.group}
-        exim_path = /var/permissions-wrappers/exim
+        exim_path = /run/wrappers/exim
         spool_directory = ${cfg.spoolDir}
         ${cfg.config}
       '';
@@ -89,15 +89,7 @@ in
       gid = config.ids.gids.exim;
     };
 
-    security.permissionsWrappers.setuid =
-    [
-      { program = "exim";
-        source  = "${pkgs.exim.out}/bin/exim";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;
-      }
-    ];
+    security.setuidPrograms = [ "exim" ];
 
     systemd.services.exim = {
       description = "Exim Mail Daemon";
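Review bot: The new `security.setuidPrograms = [ "exim" ]` line no longer pins which binary the setuid-root wrapper executes: the removed entry carried `source = "${pkgs.exim.out}/bin/exim"`, whereas setuidPrograms entries are expanded without a `source` (the `program = x; owner = "root"; group = "root"; setuid = true;` mapping in the wrappers/default.nix hunk above), so the target is chosen by a PATH lookup over `config.system.path` at activation time with a silent fallback to `/nix/var/nix/profiles/default/bin/exim`. Unless this module also adds `pkgs.exim` to `environment.systemPackages` (not visible in the hunk), the wrapper may end up pointing at a different exim build, or at a non-existent path, rather than the package the service runs. The same loss of an explicit `source` occurs in the smokeping.nix, cron.nix, fcron.nix, enlightenment.nix and network-interfaces.nix hunks below. Keeping the package pinned, e.g. `security.wrappers.exim = { source = "${pkgs.exim.out}/bin/exim"; owner = "root"; group = "root"; setuid = true; };`, preserves the previous guarantee while still using the new option.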
diff --git a/nixos/modules/services/mail/mail.nix b/nixos/modules/services/mail/mail.nix
index e8b16349f1a..aef02eddbe1 100644
--- a/nixos/modules/services/mail/mail.nix
+++ b/nixos/modules/services/mail/mail.nix
@@ -26,7 +26,7 @@ with lib;
 
   config = mkIf (config.services.mail.sendmailSetuidWrapper != null) {
 
-    security.permissionsWrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ];
+    security.wrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ];
 
   };
 
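Review bot: `security.wrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ]` on the new line assigns a list under an attribute named `setuid`, which conflicts with the attrset-of-wrappers form `security.wrappers = { ping = { source = ...; capabilities = ...; }; }` that network-interfaces.nix uses in this same commit. The activation script in wrappers/default.nix (above) consumes `cfg.wrappers` with `lib.mapAttrsToList (n: v: if v ? "program" then v else v // { program = n; })`, which would treat the `setuid` attribute as a single wrapper and fail on `v ? "program"` when `v` is a list, unless the option's type (declared outside this chunk) special-cases that key. The same `security.wrappers.setuid = ...` pattern is used in the gale.nix, atd.nix, dbus.nix, kde4.nix, kde5.nix and virtualbox-host.nix hunks below. If the attrset form is the intended API, this line becomes `security.wrappers.sendmail = config.services.mail.sendmailSetuidWrapper;`, which also keeps any explicit `program` attribute the wrapper definition carries.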
diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix
index a80565fa280..cd4a5125029 100644
--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@@ -34,7 +34,7 @@ let
         cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file)
 
         wrapProgram $file \
-          --set PATH "/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
+          --set PATH "/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
           --set MUNIN_LIBDIR "${pkgs.munin}/lib" \
           --set MUNIN_PLUGSTATE "/var/run/munin"
 
@@ -183,7 +183,7 @@ in
 
         mkdir -p /etc/munin/plugins
         rm -rf /etc/munin/plugins/*
-        PATH="/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
+        PATH="/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
       '';
       serviceConfig = {
         ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";
diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix
index 99fd5c4d367..af02d73597f 100644
--- a/nixos/modules/services/monitoring/smartd.nix
+++ b/nixos/modules/services/monitoring/smartd.nix
@@ -124,7 +124,7 @@ in
           };
 
           mailer = mkOption {
-            default = "/var/permissions-wrappers/sendmail";
+            default = "/run/wrappers/sendmail";
             type = types.path;
             description = ''
               Sendmail-compatible binary to be used to send the messages.
diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix
index 884966363b8..8cc8f21851c 100644
--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@@ -30,7 +30,7 @@ let
     ''
       [ global ]
       security = ${cfg.securityType}
-      passwd program = /var/permissions-wrappers/passwd %u
+      passwd program = /run/wrappers/passwd %u
       pam password change = ${smbToString cfg.syncPasswordsByPam}
       invalid users = ${smbToString cfg.invalidUsers}
 
diff --git a/nixos/modules/services/networking/gale.nix b/nixos/modules/services/networking/gale.nix
index bc9b884f11b..f4c75c17290 100644
--- a/nixos/modules/services/networking/gale.nix
+++ b/nixos/modules/services/networking/gale.nix
@@ -141,7 +141,7 @@ in
          setgid = false;
        };
 
-       security.permissionsWrappers.setuid = [ cfg.setuidWrapper ];
+       security.wrappers.setuid = [ cfg.setuidWrapper ];
 
        systemd.services.gale-galed = {
          description = "Gale messaging daemon";
diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix
index 67d8cece611..58e6ad8a683 100644
--- a/nixos/modules/services/networking/prayer.nix
+++ b/nixos/modules/services/networking/prayer.nix
@@ -18,7 +18,7 @@ let
     var_prefix = "${stateDir}"
     prayer_user = "${prayerUser}"
     prayer_group = "${prayerGroup}"
-    sendmail_path = "/var/permissions-wrappers/sendmail"
+    sendmail_path = "/run/wrappers/sendmail"
 
     use_http_port ${cfg.port}
 
diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix
index 67aa313c860..b7bb55f5508 100644
--- a/nixos/modules/services/networking/smokeping.nix
+++ b/nixos/modules/services/networking/smokeping.nix
@@ -219,14 +219,14 @@ in
         type = types.string;
         default = ''
           + FPing
-          binary = ${config.security.permissionsWrapperDir}/fping
+          binary = ${config.security.wrapperDir}/fping
         '';
         description = "Probe configuration";
       };
       sendmail = mkOption {
         type = types.nullOr types.path;
         default = null;
-        example = "/var/permissions-wrappers/sendmail";
+        example = "/run/wrappers/sendmail";
         description = "Use this sendmail compatible script to deliver alerts";
       };
       smokeMailTemplate = mkOption {
@@ -273,21 +273,7 @@ in
         message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";
       }
     ];
-    security.permissionsWrappers.setuid = [
-      { program = "fping";
-        source  = "${pkgs.fping}/bin/fping";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;
-      }
-
-      { program = "fping";
-        source  = "${pkgs.fping}/bin/fping6";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;
-      }
-    ];
+    security.setuidPrograms = [ "fping" "fping6" ];
     environment.systemPackages = [ pkgs.fping ];
     users.extraUsers = singleton {
       name = cfg.user;
diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix
index 9c4f8d59faa..316ab847b34 100644
--- a/nixos/modules/services/scheduling/atd.nix
+++ b/nixos/modules/services/scheduling/atd.nix
@@ -42,7 +42,7 @@ in
 
   config = mkIf cfg.enable {
 
-    security.permissionsWrappers.setuid = map (program: {
+    security.wrappers.setuid = map (program: {
       inherit program;
 
       source = "${pkgs.atd}/bin/${program}";
diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix
index e33961658f0..26ce3c98d67 100644
--- a/nixos/modules/services/scheduling/cron.nix
+++ b/nixos/modules/services/scheduling/cron.nix
@@ -20,7 +20,7 @@ let
   cronNixosPkg = pkgs.cron.override {
     # The mail.nix nixos module, if there is any local mail system enabled,
     # should have sendmail in this path.
-    sendmailPath = "/var/permissions-wrappers/sendmail";
+    sendmailPath = "/run/wrappers/sendmail";
   };
 
   allFiles =
@@ -61,7 +61,7 @@ in
           A list of Cron jobs to be appended to the system-wide
           crontab.  See the manual page for crontab for the expected
           format. If you want to get the results mailed you must setuid
-          sendmail. See <option>security.permissionsWrappers.setuid</option>
+          sendmail. See <option>security.wrappers.setuid</option>
 
           If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root
           will is allowed to have its own crontab file. The /var/cron/cron.deny file
@@ -92,21 +92,9 @@ in
   config = mkMerge [
 
     { services.cron.enable = mkDefault (allFiles != []); }
-
     (mkIf (config.services.cron.enable) {
-
-      security.permissionsWrappers.setuid =
-      [
-        { program = "crontab";
-          source  = "${pkgs.cronNixosPkg.out}/bin/crontab";
-          owner   = "root";
-          group   = "root";
-          setuid  = true;        
-        }
-      ];
-
+      security.setuidPrograms = [ "crontab" ];
       environment.systemPackages = [ cronNixosPkg ];
-
       environment.etc.crontab =
         { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }
             ''
diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix
index 5804f0ee72f..f0de996224f 100644
--- a/nixos/modules/services/scheduling/fcron.nix
+++ b/nixos/modules/services/scheduling/fcron.nix
@@ -96,7 +96,7 @@ in
             fcronallow  =       /etc/fcron.allow
             fcrondeny   =       /etc/fcron.deny
             shell       =       /bin/sh
-            sendmail    =       /var/permissions-wrappers/sendmail
+            sendmail    =       /run/wrappers/sendmail
             editor      =       /run/current-system/sw/bin/vi
           '';
           target = "fcron.conf";
@@ -106,16 +106,7 @@ in
 
     environment.systemPackages = [ pkgs.fcron ];
 
-    security.permissionsWrappers.setuid =
-    [
-      { program = "fcrontab";
-        source  = "${pkgs.fcron.out}/bin/fcrontab";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;        
-      }
-    ];
-
+    security.setuidPrograms = [ "fcrontab" ];
     systemd.services.fcron = {
       description = "fcron daemon";
       after = [ "local-fs.target" ];
diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix
index d15d5551e34..47fc4426af0 100644
--- a/nixos/modules/services/system/dbus.nix
+++ b/nixos/modules/services/system/dbus.nix
@@ -38,7 +38,7 @@ let
       sed -ri "s@/etc/dbus-1/(system|session)-@$out/\1-@" $out/{system,session}.conf
 
       sed '${./dbus-system-local.conf.in}' \
-        -e 's,@servicehelper@,${config.security.permissionsWrapperDir}/dbus-daemon-launch-helper,g' \
+        -e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \
         -e 's,@extra@,${systemExtraxml},' \
         > "$out/system-local.conf"
 
@@ -114,7 +114,7 @@ in
 
     systemd.packages = [ pkgs.dbus.daemon ];
 
-    security.permissionsWrappers.setuid = singleton
+    security.wrappers.setuid = singleton
       { program = "dbus-daemon-launch-helper";
         source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper";
         owner = "root";
diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
index 9d0ff77c2ae..feee6ba87ec 100644
--- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@@ -62,16 +62,7 @@ in
       '';
     }];
 
-    security.permissionsWrappers.setuid =
-    [
-      { program = "e_freqset";
-        source  = "${e.enlightenment.out}/bin/e_freqset";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;        
-      }
-    ];
-
+    security.setuidPrograms = [ "e_freqset" ];
     environment.etc = singleton
       { source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
         target = "X11/xkb";
diff --git a/nixos/modules/services/x11/desktop-managers/kde4.nix b/nixos/modules/services/x11/desktop-managers/kde4.nix
index 31d2ebcdf1a..d21a1f28dca 100644
--- a/nixos/modules/services/x11/desktop-managers/kde4.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde4.nix
@@ -131,7 +131,7 @@ in
           '';
       };
 
-    security.permissionsWrappers.setuid = singleton
+    security.wrappers.setuid = singleton
       { program = "kcheckpass";
         source = "${kde_workspace}/lib/kde4/libexec/kcheckpass";
         owner = "root";
diff --git a/nixos/modules/services/x11/desktop-managers/kde5.nix b/nixos/modules/services/x11/desktop-managers/kde5.nix
index f886c60793d..a4124aaefa9 100644
--- a/nixos/modules/services/x11/desktop-managers/kde5.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde5.nix
@@ -68,7 +68,7 @@ in
         '';
       };
 
-      security.permissionsWrappers.setuid = [
+      security.wrappers.setuid = [
         {
           program = "kcheckpass";
           source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass";
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index 86f552cd3ca..ffc0700806c 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -131,10 +131,10 @@ if [ -n "@useHostResolvConf@" -a -e /etc/resolv.conf ]; then
     cat /etc/resolv.conf | resolvconf -m 1000 -a host
 fi
 
-# Create /var/permissions-wrappers as a tmpfs.
-rm -rf /var/permissions-wrappers
-mkdir -m 0755 -p /var/permissions-wrappers
-mount -t tmpfs -o "mode=0755" tmpfs /var/permissions-wrappers
+# Create /run/wrappers as a tmpfs.
+rm -rf /run/wrappers
+mkdir -m 0755 -p /run/wrappers
+mount -t tmpfs -o "mode=0755" tmpfs /run/wrappers
 
 # Log the script output to /dev/kmsg or /run/log/stage-2-init.log.
 # Only at this point are all the necessary prerequisites ready for these commands.
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 61519c6a3ce..1afcddd915f 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -898,38 +898,23 @@ in
 
     # Capabilities won't work unless we have at-least a 4.3 Linux
     # kernel because we need the ambient capability
-    security.permissionsWrappers.setcap = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") (
-      [
-        { program = "ping";
-          source  = "${pkgs.iputils.out}/bin/ping";
-          capabilities = "cap_net_raw+p";
-        }
+    security.wrappers = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") {
+      ping = {
+        source  = "${pkgs.iputils.out}/bin/ping";
+        capabilities = "cap_net_raw+p";
+      };
 
-        { program = "ping6";
-          source  = "${pkgs.iputils.out}/bin/ping6";
-          capabilities = "cap_net_raw+p";
-        }
-      ]
-    );
-
-    # If our linux kernel IS older than 4.3, let's setuid ping and ping6
-    security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") (
-      [
-        { program = "ping";
-          source  = "${pkgs.iputils.out}/bin/ping";
-          owner   = "root";
-          group   = "root";
-          setuid  = true;
-        }
-        
-        { program = "ping6";
-          source  = "${pkgs.iputils.out}/bin/ping6";
-          owner   = "root";
-          group   = "root";
-          setuid  = true;
-        }
-      ]
-    );
+      ping6 = {
+        source  = "${pkgs.iputils.out}/bin/ping6";
+        capabilities = "cap_net_raw+p";
+      };
+    };
+
+    # If the linux kernel IS older than 4.3, create setuid wrappers
+    # for ping and ping6
+    security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") [
+      "ping" "ping6"
+    ];
 
     # Set the host and domain names in the activation script.  Don't
     # clear it if it's not configured in the NixOS configuration,
diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix
index b3647482f2c..405a630dfa7 100644
--- a/nixos/modules/virtualisation/virtualbox-host.nix
+++ b/nixos/modules/virtualisation/virtualbox-host.nix
@@ -68,7 +68,7 @@ in
     boot.extraModulePackages = [ kernelModules ];
     environment.systemPackages = [ virtualbox ];
 
-    security.permissionsWrappers.setuid = let
+    security.wrappers.setuid = let
       mkSuid = program: {
         inherit program;
         source = "${virtualbox}/libexec/virtualbox/${program}";
@@ -99,7 +99,7 @@ in
         SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
       '';
 
-    # Since we lack the right setuid binaries, set up a host-only network by default.
+    # Since we lack the right setuid/setcap binaries, set up a host-only network by default.
   } (mkIf cfg.addNetworkInterface {
     systemd.services."vboxnet0" =
       { description = "VirtualBox vboxnet0 Interface";
diff --git a/nixos/tests/smokeping.nix b/nixos/tests/smokeping.nix
index 7e2d84f4422..5e2d013abc5 100644
--- a/nixos/tests/smokeping.nix
+++ b/nixos/tests/smokeping.nix
@@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : {
           mailHost = "127.0.0.2";
           probeConfig = ''
             + FPing
-            binary = /var/permissions-wrappers/fping
+            binary = /run/wrappers/fping
             offset = 0%
           '';
         };
diff --git a/pkgs/applications/editors/sublime3/default.nix b/pkgs/applications/editors/sublime3/default.nix
index 0f7d50088a9..1c24ff4737b 100644
--- a/pkgs/applications/editors/sublime3/default.nix
+++ b/pkgs/applications/editors/sublime3/default.nix
@@ -1,5 +1,5 @@
 { fetchurl, stdenv, glib, xorg, cairo, gtk2, pango, makeWrapper, openssl, bzip2,
-  pkexecPath ? "/var/permissions-wrappers/pkexec", libredirect,
+  pkexecPath ? "/run/wrappers/pkexec", libredirect,
   gksuSupport ? false, gksu}:
 
 assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux";
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index dd8fd32adfd..7009cf17fab 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -83,9 +83,9 @@ in stdenv.mkDerivation {
     ed -v -s "$out/bin/chromium" << EOF
     2i
 
-    if [ -x "/var/permissions-wrappers/${sandboxExecutableName}" ]
+    if [ -x "/run/wrappers/${sandboxExecutableName}" ]
     then
-      export CHROME_DEVEL_SANDBOX="/var/permissions-wrappers/${sandboxExecutableName}"
+      export CHROME_DEVEL_SANDBOX="/run/wrappers/${sandboxExecutableName}"
     else
       export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}"
     fi
diff --git a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch
index 9a83fc09e4e..4b59f1a376d 100644
--- a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch
+++ b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch
@@ -26,7 +26,7 @@ index 50e8ad8..eec0ed2 100644
 +	is_nixos=no
 +fi
 +
-+if [ -u /var/permissions-wrappers/gksign ]; then
++if [ -u /run/wrappers/gksign ]; then
 +	cat <<EOM
 +
 +Gale appears to have already been set up via the NixOS module system (check
diff --git a/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch b/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
index 5377ddb9a62..6603e8d4b60 100644
--- a/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
+++ b/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
@@ -11,7 +11,7 @@ index a9d8ac4..85f13f5 100644
 -  # #   arguments: '-i -t'
 -  # # }
 +  config.action_mailer.sendmail_settings = {
-+    location: '/var/permissions-wrappers/sendmail',
++    location: '/run/wrappers/sendmail',
 +    arguments: '-i -t'
 +  }
    config.action_mailer.perform_deliveries = true
diff --git a/pkgs/applications/virtualization/virtualbox/hardened.patch b/pkgs/applications/virtualization/virtualbox/hardened.patch
index cae4abe8612..a788a1df3ca 100644
--- a/pkgs/applications/virtualization/virtualbox/hardened.patch
+++ b/pkgs/applications/virtualization/virtualbox/hardened.patch
@@ -96,7 +96,7 @@ index 95dc9a7..39170bc 100644
      /* get the path to the executable */
      char szPath[RTPATH_MAX];
 -    RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);
-+    RTStrCopy(szPath, sizeof(szPath) - 1, "/var/permissions-wrappers");
++    RTStrCopy(szPath, sizeof(szPath) - 1, "/run/wrappers");
      size_t cchBufLeft = strlen(szPath);
      szPath[cchBufLeft++] = RTPATH_DELIMITER;
      szPath[cchBufLeft] = 0;
@@ -154,7 +154,7 @@ index be2ad8f..7ddf105 100644
  
 +RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath)
 +{
-+    return RTStrCopy(pszPath, cchPath, "/var/permissions-wrappers");
++    return RTStrCopy(pszPath, cchPath, "/run/wrappers");
 +}
 +
 +
@@ -174,7 +174,7 @@ index 7bde6af..2656cae 100644
 + * will cut off everything after the rightmost / as this function is analogous
 + * to RTProcGetExecutablePath().
 + */
-+#define SUIDDIR "/var/permissions-wrappers/"
++#define SUIDDIR "/run/wrappers/"
 +
 +RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath)
 +{
diff --git a/pkgs/build-support/build-fhs-userenv/env.nix b/pkgs/build-support/build-fhs-userenv/env.nix
index b30e1362aba..98381d9023f 100644
--- a/pkgs/build-support/build-fhs-userenv/env.nix
+++ b/pkgs/build-support/build-fhs-userenv/env.nix
@@ -51,7 +51,7 @@ let
     export PS1='${name}-chrootenv:\u@\h:\w\$ '
     export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
     export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'
-    export PATH='/var/permissions-wrappers:/usr/bin:/usr/sbin'
+    export PATH='/run/wrappers:/usr/bin:/usr/sbin'
     export PKG_CONFIG_PATH=/usr/lib/pkgconfig
 
     # Force compilers to look in default search paths
diff --git a/pkgs/desktops/enlightenment/enlightenment.nix b/pkgs/desktops/enlightenment/enlightenment.nix
index 753b939bd48..65e3bf2d642 100644
--- a/pkgs/desktops/enlightenment/enlightenment.nix
+++ b/pkgs/desktops/enlightenment/enlightenment.nix
@@ -42,13 +42,13 @@ stdenv.mkDerivation rec {
   # this is a hack and without this cpufreq module is not working. does the following:
   #   1. moves the "freqset" binary to "e_freqset",
   #   2. linkes "e_freqset" to enlightenment/bin so that,
-  #   3. permissionsWrappers.setuid detects it and places wrappers in /var/permissions-wrappers/e_freqset,
-  #   4. and finally, links /var/permissions-wrappers/e_freqset to original destination where enlightenment wants it
+  #   3. wrappers.setuid detects it and places wrappers in /run/wrappers/e_freqset,
+  #   4. and finally, links /run/wrappers/e_freqset to original destination where enlightenment wants it
   postInstall = ''
     export CPUFREQ_DIRPATH=`readlink -f $out/lib/enlightenment/modules/cpufreq/linux-gnu-*`;
     mv $CPUFREQ_DIRPATH/freqset $CPUFREQ_DIRPATH/e_freqset
     ln -sv $CPUFREQ_DIRPATH/e_freqset $out/bin/e_freqset
-    ln -sv /var/permissions-wrappers/e_freqset $CPUFREQ_DIRPATH/freqset
+    ln -sv /run/wrappers/e_freqset $CPUFREQ_DIRPATH/freqset
   '';
 
   meta = with stdenv.lib; {
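Review bot: The comment on the new side, `#   3. wrappers.setuid detects it and places wrappers in /run/wrappers/e_freqset,`, names an option that the enlightenment desktop-manager module in this same commit no longer uses; that module now registers the binary through `security.setuidPrograms = [ "e_freqset" ]`. Suggest `#   3. security.setuidPrograms detects it and places a wrapper in /run/wrappers/e_freqset,` so the description of this hack matches the module that relies on it.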
diff --git a/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch b/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch
index a16d3575725..61aa49f70e5 100644
--- a/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch
+++ b/pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch
@@ -7,7 +7,7 @@ Index: kinit-5.24.0/src/start_kdeinit/start_kdeinit_wrapper.c
  #include <unistd.h>
  
 -#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit"
-+#define EXECUTE "/var/permissions-wrappers/start_kdeinit"
++#define EXECUTE "/run/wrappers/start_kdeinit"
  
  #if KDEINIT_OOM_PROTECT
  
diff --git a/pkgs/development/libraries/libgksu/default.nix b/pkgs/development/libraries/libgksu/default.nix
index 7da4a900b7e..6d57ca2397e 100644
--- a/pkgs/development/libraries/libgksu/default.nix
+++ b/pkgs/development/libraries/libgksu/default.nix
@@ -57,8 +57,8 @@ stdenv.mkDerivation rec {
 
     # Fix some binary paths
     sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c
-    sed -i -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|g' libgksu/libgksu.c
-    sed -i -e 's|/bin/su\([^d]\)|/var/permissions-wrappers/su\1|g' libgksu/libgksu.c
+    sed -i -e 's|/usr/bin/sudo|/run/wrappers/sudo|g' libgksu/libgksu.c
+    sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/su\1|g' libgksu/libgksu.c
 
     touch NEWS README
   '';
diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix
index 0f7106181b8..b2e2ecf0493 100644
--- a/pkgs/development/libraries/polkit/default.nix
+++ b/pkgs/development/libraries/polkit/default.nix
@@ -5,7 +5,7 @@
 let
 
   system = "/var/run/current-system/sw";
-  setuid = "/var/permissions-wrappers"; #TODO: from <nixos> config.security.wrapperDir;
+  setuid = "/run/wrappers"; #TODO: from <nixos> config.security.wrapperDir;
 
   foolVars = {
     SYSCONF = "/etc";
diff --git a/pkgs/development/tools/unity3d/default.nix b/pkgs/development/tools/unity3d/default.nix
index 1fc56b98656..2d4977a3195 100644
--- a/pkgs/development/tools/unity3d/default.nix
+++ b/pkgs/development/tools/unity3d/default.nix
@@ -94,7 +94,7 @@ in stdenv.mkDerivation rec {
     unitydir="$out/opt/Unity/Editor"
     mkdir -p $unitydir
     mv Editor/* $unitydir
-    ln -sf /var/permissions-wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
+    ln -sf /run/wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
 
     mkdir -p $out/share/applications
     sed "/^Exec=/c\Exec=$out/bin/unity-editor" \
diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix
index a36934004d2..29bcc58c7c0 100644
--- a/pkgs/os-specific/linux/fuse/default.nix
+++ b/pkgs/os-specific/linux/fuse/default.nix
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
       # Ensure that FUSE calls the setuid wrapper, not
       # $out/bin/fusermount. It falls back to calling fusermount in
       # $PATH, so it should also work on non-NixOS systems.
-      export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/var/permissions-wrappers\""
+      export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers\""
 
       sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c
       sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh
diff --git a/pkgs/os-specific/linux/mdadm/4.nix b/pkgs/os-specific/linux/mdadm/4.nix
index abe8632773f..af8e53ec3a2 100644
--- a/pkgs/os-specific/linux/mdadm/4.nix
+++ b/pkgs/os-specific/linux/mdadm/4.nix
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
   preConfigure = ''
     sed -e 's@/lib/udev@''${out}/lib/udev@' \
         -e 's@ -Werror @ @' \
-        -e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile
+        -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile
   '';
 
   meta = {
diff --git a/pkgs/os-specific/linux/mdadm/default.nix b/pkgs/os-specific/linux/mdadm/default.nix
index 531d55a7f12..d9bdf21723b 100644
--- a/pkgs/os-specific/linux/mdadm/default.nix
+++ b/pkgs/os-specific/linux/mdadm/default.nix
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
   preConfigure = ''
     sed -e 's@/lib/udev@''${out}/lib/udev@' \
         -e 's@ -Werror @ @' \
-        -e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile
+        -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile
   '';
 
   meta = {
diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix
index 196af58183f..dc61b3f27f6 100644
--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
 
   postInstall = ''
     mv -v $out/sbin/unix_chkpwd{,.orig}
-    ln -sv /var/permissions-wrappers/unix_chkpwd $out/sbin/unix_chkpwd
+    ln -sv /run/wrappers/unix_chkpwd $out/sbin/unix_chkpwd
   ''; /*
     rm -rf $out/etc
     mkdir -p $modules/lib
diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix
index 1c4a7b798ce..90fbf861448 100644
--- a/pkgs/os-specific/linux/util-linux/default.nix
+++ b/pkgs/os-specific/linux/util-linux/default.nix
@@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
     --enable-last
     --enable-mesg
     --disable-use-tty-group
-    --enable-fs-paths-default=/var/permissions-wrappers:/var/run/current-system/sw/bin:/sbin
+    --enable-fs-paths-default=/run/wrappers:/var/run/current-system/sw/bin:/sbin
     ${if ncurses == null then "--without-ncurses" else ""}
     ${if systemd == null then "" else ''
       --with-systemd
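Review bot: The rewritten search path mixes `/run/wrappers` with `/var/run/current-system/sw/bin`, while the cron hunk in this same commit spells the system profile as `/run/current-system/sw/bin`. On NixOS `/var/run` is, as far as I know, a compatibility symlink to `/run`, so both resolve to the same directory, but since this line is being rewritten anyway it could read `--enable-fs-paths-default=/run/wrappers:/run/current-system/sw/bin:/sbin` so the two default search paths agree. The `configureFlags` list this line belongs to starts outside the hunk.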
diff --git a/pkgs/servers/interlock/default.nix b/pkgs/servers/interlock/default.nix
index af733540ff3..b58c1b50e03 100644
--- a/pkgs/servers/interlock/default.nix
+++ b/pkgs/servers/interlock/default.nix
@@ -30,7 +30,7 @@ buildGoPackage rec {
       -e 's|/bin/chown|${coreutils}/bin/chown|' \
       -e 's|/bin/date|${coreutils}/bin/date|' \
       -e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \
-      -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|' \
+      -e 's|/usr/bin/sudo|/run/wrappers/sudo|' \
       -e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|'
   '';
 }
diff --git a/pkgs/servers/mail/petidomo/default.nix b/pkgs/servers/mail/petidomo/default.nix
index c112af567fd..1770517047f 100644
--- a/pkgs/servers/mail/petidomo/default.nix
+++ b/pkgs/servers/mail/petidomo/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, flex, bison, sendmailPath ? "/var/permissions-wrappers/sendmail" }:
+{ stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/sendmail" }:
 
 stdenv.mkDerivation rec {
   name = "petidomo-4.3";
diff --git a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix
index ac1cb1a5398..30bd7e8a7c3 100644
--- a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix
+++ b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix
@@ -16,8 +16,8 @@ stdenv.mkDerivation rec {
   # configured on the build machine).
   preConfigure= "
     configureFlagsArray=(
-      --with-ping-command='/var/permissions-wrappers/ping -n -U -w %d -c %d %s'
-      --with-ping6-command='/var/permissions-wrappers/ping6 -n -U -w %d -c %d %s'
+      --with-ping-command='/run/wrappers/ping -n -U -w %d -c %d %s'
+      --with-ping6-command='/run/wrappers/ping6 -n -U -w %d -c %d %s'
     )
   ";
 
diff --git a/pkgs/tools/X11/x11vnc/default.nix b/pkgs/tools/X11/x11vnc/default.nix
index 5f96a35af6f..b343a7da378 100644
--- a/pkgs/tools/X11/x11vnc/default.nix
+++ b/pkgs/tools/X11/x11vnc/default.nix
@@ -20,10 +20,10 @@ stdenv.mkDerivation rec {
     configureFlags="--mandir=$out/share/man"
 
     substituteInPlace x11vnc/unixpw.c \
-        --replace '"/bin/su"' '"/var/permissions-wrappers/su"' \
+        --replace '"/bin/su"' '"/run/wrappers/su"' \
         --replace '"/bin/true"' '"${coreutils}/bin/true"'
 
-    sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/var/permissions-wrappers/su|g' x11vnc/ssltools.h
+    sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/su|g' x11vnc/ssltools.h
   '';
 
   meta = {
diff --git a/pkgs/tools/admin/certbot/default.nix b/pkgs/tools/admin/certbot/default.nix
index 23eb02e294a..366213d2e1e 100644
--- a/pkgs/tools/admin/certbot/default.nix
+++ b/pkgs/tools/admin/certbot/default.nix
@@ -31,7 +31,7 @@ python2Packages.buildPythonApplication rec {
   buildInputs = [ dialog ] ++ (with python2Packages; [ nose mock gnureadline ]);
 
   patchPhase = ''
-    substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/var/permissions-wrappers/sendmail"
+    substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/sendmail"
     substituteInPlace certbot/util.py --replace "sw_vers" "/usr/bin/sw_vers"
   '';
 
diff --git a/pkgs/tools/misc/debian-devscripts/default.nix b/pkgs/tools/misc/debian-devscripts/default.nix
index 2261bfc6637..be3b674de04 100644
--- a/pkgs/tools/misc/debian-devscripts/default.nix
+++ b/pkgs/tools/misc/debian-devscripts/default.nix
@@ -2,7 +2,7 @@
 , FileDesktopEntry, libxslt, docbook_xsl, makeWrapper
 , python3Packages
 , perlPackages, curl, gnupg, diffutils
-, sendmailPath ? "/var/permissions-wrappers/sendmail"
+, sendmailPath ? "/run/wrappers/sendmail"
 }:
 
 let
diff --git a/pkgs/tools/security/ecryptfs/default.nix b/pkgs/tools/security/ecryptfs/default.nix
index 7e941e5378a..98e06d1de3e 100644
--- a/pkgs/tools/security/ecryptfs/default.nix
+++ b/pkgs/tools/security/ecryptfs/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
   };
 
   # TODO: replace wrapperDir below with from <nixos> config.security.wrapperDir;
-  wrapperDir = "/var/permissions-wrappers";
+  wrapperDir = "/run/wrappers";
 
   postPatch = ''
     FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)"
diff --git a/pkgs/tools/security/ecryptfs/helper.nix b/pkgs/tools/security/ecryptfs/helper.nix
index 6e3e6766a28..3daaadcaad6 100644
--- a/pkgs/tools/security/ecryptfs/helper.nix
+++ b/pkgs/tools/security/ecryptfs/helper.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ makeWrapper ];
 
-  # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/permissions-wrappers
+  # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers
   installPhase = ''
     mkdir -p $out/bin $out/libexec
     cp $src $out/libexec/ecryptfs-helper.py
diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix
index a3a13f19803..0d2953c6f45 100644
--- a/pkgs/tools/security/sudo/default.nix
+++ b/pkgs/tools/security/sudo/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, coreutils, pam, groff
-, sendmailPath ? "/var/permissions-wrappers/sendmail"
+, sendmailPath ? "/run/wrappers/sendmail"
 , withInsults ? false
 }:
 
diff --git a/pkgs/tools/system/at/default.nix b/pkgs/tools/system/at/default.nix
index 2fb5b9670c8..9f8bad00ca4 100644
--- a/pkgs/tools/system/at/default.nix
+++ b/pkgs/tools/system/at/default.nix
@@ -1,4 +1,4 @@
-{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/var/permissions-wrappers/sendmail" }:
+{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/sendmail" }:
 
 stdenv.mkDerivation {
   name = "at-3.1.16";
diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix
index f7f2a6158a2..8a6a5dc15d3 100644
--- a/pkgs/tools/system/cron/default.nix
+++ b/pkgs/tools/system/cron/default.nix
@@ -23,7 +23,7 @@ stdenv.mkDerivation {
     #define _PATH_SENDMAIL "${sendmailPath}"
 
     #undef _PATH_DEFPATH
-    #define _PATH_DEFPATH "/var/permissions-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
+    #define _PATH_DEFPATH "/run/wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
     __EOT__
 
     # Implicit saved uids do not work here due to way NixOS uses setuid wrappers
diff --git a/pkgs/tools/system/ts/default.nix b/pkgs/tools/system/ts/default.nix
index 1384ea04fb6..1dfb856d4d6 100644
--- a/pkgs/tools/system/ts/default.nix
+++ b/pkgs/tools/system/ts/default.nix
@@ -1,5 +1,5 @@
 {stdenv, fetchurl,
-sendmailPath ? "/var/permissions-wrappers/sendmail" }:
+sendmailPath ? "/run/wrappers/sendmail" }:
 
 stdenv.mkDerivation rec {