diff options
author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2011-08-21 20:38:45 +0000 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2011-08-21 20:38:45 +0000 |
commit | 7980c71d9c56cc0b922f8bf27c24141657c4b9ca (patch) | |
tree | a74880d31957b65396a864db47eb00cfaca19dcf /modules/security | |
parent | a84ada1d922f15826e5b2056a4c5cf8c02854926 (diff) | |
download | nixpkgs-7980c71d9c56cc0b922f8bf27c24141657c4b9ca.tar nixpkgs-7980c71d9c56cc0b922f8bf27c24141657c4b9ca.tar.gz nixpkgs-7980c71d9c56cc0b922f8bf27c24141657c4b9ca.tar.bz2 nixpkgs-7980c71d9c56cc0b922f8bf27c24141657c4b9ca.tar.lz nixpkgs-7980c71d9c56cc0b922f8bf27c24141657c4b9ca.tar.xz nixpkgs-7980c71d9c56cc0b922f8bf27c24141657c4b9ca.tar.zst nixpkgs-7980c71d9c56cc0b922f8bf27c24141657c4b9ca.zip |
* Add some options to allow setting PolKit permissions.
svn path=/nixos/trunk/; revision=28729
Diffstat (limited to 'modules/security')
-rw-r--r-- | modules/security/polkit.nix | 117 |
1 files changed, 97 insertions, 20 deletions
diff --git a/modules/security/polkit.nix b/modules/security/polkit.nix index 44acb1766f5..a9d52bb5bd8 100644 --- a/modules/security/polkit.nix +++ b/modules/security/polkit.nix @@ -3,6 +3,9 @@ with pkgs.lib; let + + cfg = config.security.polkit; + pkWrapper = pkgs.stdenv.mkDerivation { name = "polkit-wrapper"; helper = "libexec/polkit-1/polkit-agent-helper-1"; @@ -14,40 +17,114 @@ let mkdir -pv $out lndir ${pkgs.polkit} $out + # !!! I'm pretty sure the wrapper doesn't work because + # libpolkit-agent-1.so has a hard-coded reference to + # polkit-agent-helper-1. rm $out/$helper ln -sv ${config.security.wrapperDir}/polkit-agent-helper-1 $out/$helper ''; }; + in { - config = { + options = { - environment = { - systemPackages = [ pkWrapper ]; - pathsToLink = [ "/share/polkit-1" "/etc/polkit-1" ]; - etc = singleton - { source = "${config.system.path}/etc/polkit-1"; - target = "polkit-1"; - }; + security.polkit.enable = mkOption { + default = true; + description = "Whether to enable PolKit."; }; - services.dbus.packages = [ pkWrapper ]; + security.polkit.permissions = mkOption { + default = ""; + example = + '' + [Disallow Users To Suspend] + Identity=unix-group:users + Action=org.freedesktop.upower.* + ResultAny=no + ResultInactive=no + ResultActive=no - security = { - pam.services = [ { name = "polkit-1"; } ]; - setuidPrograms = [ "pkexec" ]; - - setuidOwners = singleton - { program = "polkit-agent-helper-1"; - owner = "root"; - group = "root"; - setuid = true; - source = pkgs.polkit + "/" + pkWrapper.helper; - }; + [Allow Anybody To Eject Disks] + Identity=unix-user:* + Action=org.freedesktop.udisks.drive-eject + ResultAny=yes + ResultInactive=yes + ResultActive=yes + + [Allow Alice To Mount Filesystems After Admin Authentication] + Identity=unix-user:alice + Action=org.freedesktop.udisks.filesystem-mount + ResultAny=auth_admin + ResultInactive=auth_admin + ResultActive=auth_admin + ''; + description = + '' + Allows the default permissions of privileged actions to be overriden. + ''; }; + security.polkit.adminIdentities = mkOption { + default = "unix-user:0;unix-group:wheel"; + example = ""; + description = + '' + Specifies which users are considered “administrators”, for those + actions that require the user to authenticate as an + administrator (i.e. have a <literal>auth_admin</literal> + value). By default, this is the <literal>root</literal> + user and all users in the <literal>wheel</literal> group. + ''; + }; + + }; + + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkWrapper ]; + + # The polkit daemon reads action files + environment.pathsToLink = [ "/share/polkit-1/actions" ]; + + environment.etc = + [ # No idea what the "null backend" is, but it seems to need this. + { source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d"; + target = "polkit-1/nullbackend.conf.d"; + } + + # This file determines what users are considered + # "administrators". + { source = pkgs.writeText "10-nixos.conf" + '' + [Configuration] + AdminIdentities=${cfg.adminIdentities} + ''; + target = "polkit-1/localauthority.conf.d/10-nixos.conf"; + } + + { source = pkgs.writeText "org.nixos.pkla" cfg.permissions; + target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla"; + } + ]; + + services.dbus.packages = [ pkWrapper ]; + + security.pam.services = [ { name = "polkit-1"; } ]; + + security.setuidPrograms = [ "pkexec" ]; + + security.setuidOwners = singleton + { program = "polkit-agent-helper-1"; + owner = "root"; + group = "root"; + setuid = true; + source = pkgs.polkit + "/" + pkWrapper.helper; + }; + system.activationScripts.polkit = '' mkdir -p /var/lib/polkit-1/localauthority |