authorrnhmjoj <rnhmjoj@inventati.org>2021-09-12 18:53:48 +0200
committerrnhmjoj <rnhmjoj@inventati.org>2021-09-13 13:48:13 +0200
commitfedd7cd6901646cb7e2a94a148d300f7b632d7e0 (patch)
tree14b7af8318d75536656849335e20c51cdfdf3447 /nixos/modules/programs
parent8f76a6eefcfa0c9904e0749f04b27090527ce09f (diff)
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you
to think about what the wrapper ownership and permissions will be.
Diffstat (limited to 'nixos/modules/programs')
-rw-r--r--nixos/modules/programs/bandwhich.nix4
-rw-r--r--nixos/modules/programs/captive-browser.nix4
-rw-r--r--nixos/modules/programs/firejail.nix7
-rw-r--r--nixos/modules/programs/gamemode.nix2
-rw-r--r--nixos/modules/programs/iftop.nix4
-rw-r--r--nixos/modules/programs/iotop.nix4
-rw-r--r--nixos/modules/programs/kbdlight.nix7
-rw-r--r--nixos/modules/programs/liboping.nix4
-rw-r--r--nixos/modules/programs/mtr.nix4
-rw-r--r--nixos/modules/programs/noisetorch.nix4
-rw-r--r--nixos/modules/programs/shadow.nix21
-rw-r--r--nixos/modules/programs/singularity.nix7
-rw-r--r--nixos/modules/programs/slock.nix7
-rw-r--r--nixos/modules/programs/traceroute.nix4
-rw-r--r--nixos/modules/programs/udevil.nix7
-rw-r--r--nixos/modules/programs/wavemon.nix4
-rw-r--r--nixos/modules/programs/wshowkeys.nix7
17 files changed, 80 insertions, 21 deletions
diff --git a/nixos/modules/programs/bandwhich.nix b/nixos/modules/programs/bandwhich.nix
index 1cffb5fa276..610d602ad2c 100644
--- a/nixos/modules/programs/bandwhich.nix
+++ b/nixos/modules/programs/bandwhich.nix
@@ -22,8 +22,10 @@ in {
   config = mkIf cfg.enable {
     environment.systemPackages = with pkgs; [ bandwhich ];
     security.wrappers.bandwhich = {
-      source = "${pkgs.bandwhich}/bin/bandwhich";
+      owner = "root";
+      group = "root";
       capabilities = "cap_net_raw,cap_net_admin+ep";
+      source = "${pkgs.bandwhich}/bin/bandwhich";
     };
   };
 }
diff --git a/nixos/modules/programs/captive-browser.nix b/nixos/modules/programs/captive-browser.nix
index d7684d08c6c..4e8abdeecf0 100644
--- a/nixos/modules/programs/captive-browser.nix
+++ b/nixos/modules/programs/captive-browser.nix
@@ -105,11 +105,15 @@ in
       );
 
     security.wrappers.udhcpc = {
+      owner = "root";
+      group = "root";
       capabilities = "cap_net_raw+p";
       source = "${pkgs.busybox}/bin/udhcpc";
     };
 
     security.wrappers.captive-browser = {
+      owner = "root";
+      group = "root";
       capabilities = "cap_net_raw+p";
       source = pkgs.writeShellScript "captive-browser" ''
         export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"
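Review bot: The `captive-browser` wrapper grants `cap_net_raw` to a shell script produced by `pkgs.writeShellScript` rather than to a single binary, and the two added `owner`/`group` lines do not change that; if the wrapper raises its file capabilities into the ambient set before exec (which the NixOS capability wrapper has historically done), every program the script subsequently launches inherits the capability, not only the one that needs it — confirm against the wrapper implementation in the tree. A comment above the attribute set, e.g. `# cap_net_raw is inherited by everything this script execs; keep the script minimal`, would make that visible to whoever edits the script later. The script body continues past the end of this hunk.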
diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix
index ad4ef1a3945..9384b01b367 100644
--- a/nixos/modules/programs/firejail.nix
+++ b/nixos/modules/programs/firejail.nix
@@ -81,7 +81,12 @@ in {
   };
 
   config = mkIf cfg.enable {
-    security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";
+    security.wrappers.firejail =
+      { setuid = true;
+        owner = "root";
+        group = "root";
+        source = "${lib.getBin pkgs.firejail}/bin/firejail";
+      };
 
     environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ];
   };
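Review bot: The wrapper is now explicitly setuid root on the three added lines (`setuid = true; owner = "root"; group = "root";`), but the module says nothing about why that privilege is needed or who may invoke it; for a setuid-root sandboxing helper that is executable by every local user, a line next to the attribute set such as `# firejail is installed setuid root (presumably to set up its sandbox); every local user can run it` is worth adding, with the reason confirmed against the program. If the wrappers module at this point in the tree exposes a permissions or group restriction, consider limiting execution to a dedicated group instead of leaving the default world-executable mode. The enclosing `config` block ends inside this hunk.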
diff --git a/nixos/modules/programs/gamemode.nix b/nixos/modules/programs/gamemode.nix
index 03949bf98df..102788f5b01 100644
--- a/nixos/modules/programs/gamemode.nix
+++ b/nixos/modules/programs/gamemode.nix
@@ -56,6 +56,8 @@ in
       polkit.enable = true;
       wrappers = mkIf cfg.enableRenice {
         gamemoded = {
+          owner = "root";
+          group = "root";
           source = "${pkgs.gamemode}/bin/gamemoded";
           capabilities = "cap_sys_nice+ep";
         };
diff --git a/nixos/modules/programs/iftop.nix b/nixos/modules/programs/iftop.nix
index a98a9a8187d..c74714a9a6d 100644
--- a/nixos/modules/programs/iftop.nix
+++ b/nixos/modules/programs/iftop.nix
@@ -11,8 +11,10 @@ in {
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.iftop ];
     security.wrappers.iftop = {
-      source = "${pkgs.iftop}/bin/iftop";
+      owner = "root";
+      group = "root";
       capabilities = "cap_net_raw+p";
+      source = "${pkgs.iftop}/bin/iftop";
     };
   };
 }
diff --git a/nixos/modules/programs/iotop.nix b/nixos/modules/programs/iotop.nix
index 5512dbc62f7..b7c1c69f9dd 100644
--- a/nixos/modules/programs/iotop.nix
+++ b/nixos/modules/programs/iotop.nix
@@ -10,8 +10,10 @@ in {
   };
   config = mkIf cfg.enable {
     security.wrappers.iotop = {
-      source = "${pkgs.iotop}/bin/iotop";
+      owner = "root";
+      group = "root";
       capabilities = "cap_net_admin+p";
+      source = "${pkgs.iotop}/bin/iotop";
     };
   };
 }
diff --git a/nixos/modules/programs/kbdlight.nix b/nixos/modules/programs/kbdlight.nix
index 58e45872fac..8a2a0057cf2 100644
--- a/nixos/modules/programs/kbdlight.nix
+++ b/nixos/modules/programs/kbdlight.nix
@@ -11,6 +11,11 @@ in
 
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.kbdlight ];
-    security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight";
+    security.wrappers.kbdlight =
+      { setuid = true;
+        owner = "root";
+        group = "root";
+        source = "${pkgs.kbdlight.out}/bin/kbdlight";
+      };
   };
 }
diff --git a/nixos/modules/programs/liboping.nix b/nixos/modules/programs/liboping.nix
index 4e4c235ccde..4433f9767d6 100644
--- a/nixos/modules/programs/liboping.nix
+++ b/nixos/modules/programs/liboping.nix
@@ -13,8 +13,10 @@ in {
     security.wrappers = mkMerge (map (
       exec: {
         "${exec}" = {
-          source = "${pkgs.liboping}/bin/${exec}";
+          owner = "root";
+          group = "root";
           capabilities = "cap_net_raw+p";
+          source = "${pkgs.liboping}/bin/${exec}";
         };
       }
     ) [ "oping" "noping" ]);
diff --git a/nixos/modules/programs/mtr.nix b/nixos/modules/programs/mtr.nix
index 75b710c1584..63516c58440 100644
--- a/nixos/modules/programs/mtr.nix
+++ b/nixos/modules/programs/mtr.nix
@@ -31,8 +31,10 @@ in {
     environment.systemPackages = with pkgs; [ cfg.package ];
 
     security.wrappers.mtr-packet = {
-      source = "${cfg.package}/bin/mtr-packet";
+      owner = "root";
+      group = "root";
       capabilities = "cap_net_raw+p";
+      source = "${cfg.package}/bin/mtr-packet";
     };
   };
 }
diff --git a/nixos/modules/programs/noisetorch.nix b/nixos/modules/programs/noisetorch.nix
index 5f3b0c8f5d1..bca68b0064c 100644
--- a/nixos/modules/programs/noisetorch.nix
+++ b/nixos/modules/programs/noisetorch.nix
@@ -18,8 +18,10 @@ in {
 
   config = mkIf cfg.enable {
     security.wrappers.noisetorch = {
-      source = "${cfg.package}/bin/noisetorch";
+      owner = "root";
+      group = "root";
       capabilities = "cap_sys_resource=+ep";
+      source = "${cfg.package}/bin/noisetorch";
     };
   };
 }
diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index 386ded9d98b..e021f184179 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -43,6 +43,13 @@ let
 
     '';
 
+  mkSetuidRoot = source:
+    { setuid = true;
+      owner = "root";
+      group = "root";
+      inherit source;
+    };
+
 in
 
 {
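Review bot: `mkSetuidRoot` is undocumented; a short comment above `mkSetuidRoot = source:` would tell the next maintainer that every wrapper built with it is installed setuid root, e.g. `# Wrapper attrset for a shadow binary that must run setuid root (owner and group root, setuid bit set).` Because the helper hardcodes `setuid = true` and `owner = "root"`, anything later routed through it silently becomes a setuid-root binary, so making that visible at the definition is a cheap safeguard. The `let` block this helper belongs to starts before the hunk.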
@@ -109,14 +116,14 @@ in
       };
 
     security.wrappers = {
-      su.source        = "${pkgs.shadow.su}/bin/su";
-      sg.source        = "${pkgs.shadow.out}/bin/sg";
-      newgrp.source    = "${pkgs.shadow.out}/bin/newgrp";
-      newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";
-      newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";
+      su        = mkSetuidRoot "${pkgs.shadow.su}/bin/su";
+      sg        = mkSetuidRoot "${pkgs.shadow.out}/bin/sg";
+      newgrp    = mkSetuidRoot "${pkgs.shadow.out}/bin/newgrp";
+      newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap";
+      newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap";
     } // lib.optionalAttrs config.users.mutableUsers {
-      chsh.source      = "${pkgs.shadow.out}/bin/chsh";
-      passwd.source    = "${pkgs.shadow.out}/bin/passwd";
+      chsh   = mkSetuidRoot "${pkgs.shadow.out}/bin/chsh";
+      passwd = mkSetuidRoot "${pkgs.shadow.out}/bin/passwd";
     };
   };
 }
diff --git a/nixos/modules/programs/singularity.nix b/nixos/modules/programs/singularity.nix
index 6ac64a81fc2..db935abe4bb 100644
--- a/nixos/modules/programs/singularity.nix
+++ b/nixos/modules/programs/singularity.nix
@@ -16,7 +16,12 @@ in {
 
   config = mkIf cfg.enable {
       environment.systemPackages = [ singularity ];
-      security.wrappers.singularity-suid.source = "${singularity}/libexec/singularity/bin/starter-suid.orig";
+      security.wrappers.singularity-suid =
+      { setuid = true;
+        owner = "root";
+        group = "root";
+        source = "${singularity}/libexec/singularity/bin/starter-suid.orig";
+      };
       systemd.tmpfiles.rules = [
         "d /var/singularity/mnt/session 0770 root root -"
         "d /var/singularity/mnt/final 0770 root root -"
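Review bot: `singularity-suid` becomes an unconditional setuid-root wrapper around `starter-suid.orig` whenever `programs.singularity.enable` is set, and the added lines provide no way to opt out; if the module does not already offer one elsewhere (this hunk shows none), consider gating the wrapper behind an option such as `enableSuid` so that deployments able to use an unprivileged container mode are not forced to install a setuid-root binary. At minimum, a comment above the attribute set like `# setuid-root starter; presumably required for the default container mode — confirm against upstream docs` would record why the privilege is granted. The `config` block continues past this hunk.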
diff --git a/nixos/modules/programs/slock.nix b/nixos/modules/programs/slock.nix
index 0e1281e62cd..ce80fcc5d4a 100644
--- a/nixos/modules/programs/slock.nix
+++ b/nixos/modules/programs/slock.nix
@@ -21,6 +21,11 @@ in
 
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.slock ];
-    security.wrappers.slock.source = "${pkgs.slock.out}/bin/slock";
+    security.wrappers.slock =
+      { setuid = true;
+        owner = "root";
+        group = "root";
+        source = "${pkgs.slock.out}/bin/slock";
+      };
   };
 }
diff --git a/nixos/modules/programs/traceroute.nix b/nixos/modules/programs/traceroute.nix
index 4eb0be3f0e0..6e04057ac50 100644
--- a/nixos/modules/programs/traceroute.nix
+++ b/nixos/modules/programs/traceroute.nix
@@ -19,8 +19,10 @@ in {
 
   config = mkIf cfg.enable {
     security.wrappers.traceroute = {
-      source = "${pkgs.traceroute}/bin/traceroute";
+      owner = "root";
+      group = "root";
       capabilities = "cap_net_raw+p";
+      source = "${pkgs.traceroute}/bin/traceroute";
     };
   };
 }
diff --git a/nixos/modules/programs/udevil.nix b/nixos/modules/programs/udevil.nix
index ba5670f9dfe..0dc08c435df 100644
--- a/nixos/modules/programs/udevil.nix
+++ b/nixos/modules/programs/udevil.nix
@@ -9,6 +9,11 @@ in {
   options.programs.udevil.enable = mkEnableOption "udevil";
 
   config = mkIf cfg.enable {
-    security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil";
+    security.wrappers.udevil =
+      { setuid = true;
+        owner = "root";
+        group = "root";
+        source = "${lib.getBin pkgs.udevil}/bin/udevil";
+      };
   };
 }
diff --git a/nixos/modules/programs/wavemon.nix b/nixos/modules/programs/wavemon.nix
index ac665fe4a02..e5ccacba75d 100644
--- a/nixos/modules/programs/wavemon.nix
+++ b/nixos/modules/programs/wavemon.nix
@@ -21,8 +21,10 @@ in {
   config = mkIf cfg.enable {
     environment.systemPackages = with pkgs; [ wavemon ];
     security.wrappers.wavemon = {
-      source = "${pkgs.wavemon}/bin/wavemon";
+      owner = "root";
+      group = "root";
       capabilities = "cap_net_admin+ep";
+      source = "${pkgs.wavemon}/bin/wavemon";
     };
   };
 }
diff --git a/nixos/modules/programs/wshowkeys.nix b/nixos/modules/programs/wshowkeys.nix
index 09b008af1d5..f7b71d2bb0c 100644
--- a/nixos/modules/programs/wshowkeys.nix
+++ b/nixos/modules/programs/wshowkeys.nix
@@ -17,6 +17,11 @@ in {
   };
 
   config = mkIf cfg.enable {
-    security.wrappers.wshowkeys.source = "${pkgs.wshowkeys}/bin/wshowkeys";
+    security.wrappers.wshowkeys =
+      { setuid = true;
+        owner = "root";
+        group = "root";
+        source = "${pkgs.wshowkeys}/bin/wshowkeys";
+      };
   };
 }
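Review bot: The added lines make `wshowkeys` explicitly setuid root, which hands a keystroke-display tool full root privileges rather than only access to the input devices it presumably needs; if `/dev/input/event*` is group-readable by `input` on the target system, a narrower `setgid = true; group = "input";` wrapper might grant the same access without root, but that assumes wshowkeys needs nothing else root-only and should be confirmed against the program before changing it. Either way, a comment stating why root is required, e.g. `# setuid root so wshowkeys can open /dev/input/* (verify it drops privileges afterwards)`, should accompany the attribute set. The `config` block and the module end within this hunk.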