| field | value |
|---|---|
| author | Parnell Springmeyer <parnell@digitalmentat.com>, 2017-02-14 21:30:04 -0600 |
| committer | Parnell Springmeyer <parnell@digitalmentat.com>, 2017-02-14 21:30:04 -0600 |
| commit | 1f83f1c8789e4ad30f0242d4a8896324b8f9e89a (patch) |
| tree | 4c8ae6c8d535b33848e43a35d7bf83bb2b77ba58 /nixos/modules/security/wrappers |
| parent | c34a52bf5da351a13211a87ebc1a7a32ef2af6ba (diff) |
security-wrapper: Wrap <para> tags in a <note> tag
Diffstat (limited to 'nixos/modules/security/wrappers')
-rw-r--r-- | nixos/modules/security/wrappers/default.nix | 44
1 files changed, 23 insertions, 21 deletions
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index c5b99c0c801..9e4f3fdaa01 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix 
@@ -109,27 +109,29 @@ in }; }; description = '' - <para>This option allows the ownership and permissions on the - setuid wrappers for specific programs to be overridden from - the default (setuid root, but not setgid root).</para> - - <para>Additionally, this option can set capabilities on a - wrapper program that propagates those capabilities down to the - wrapped, real program.</para> - - <para>The <literal>program</literal> attribute is the name of - the program to be wrapped. If no <literal>source</literal> - attribute is provided, specifying the absolute path to the - program, then the program will be searched for in the path - environment variable.</para> - - <para>NOTE: cap_setpcap, which is required for the wrapper - program to be able to raise caps into the Ambient set is NOT - raised to the Ambient set so that the real program cannot - modify its own capabilities!! This may be too restrictive for - cases in which the real program needs cap_setpcap but it at - least leans on the side security paranoid vs. too - relaxed.</para> + This option allows the ownership and permissions on the setuid + wrappers for specific programs to be overridden from the + default (setuid root, but not setgid root). + + <note> + <para>Additionally, this option can set capabilities on a + wrapper program that propagates those capabilities down to the + wrapped, real program.</para> + + <para>The <literal>program</literal> attribute is the name of + the program to be wrapped. If no <literal>source</literal> + attribute is provided, specifying the absolute path to the + program, then the program will be searched for in the path + environment variable.</para> + + <para>NOTE: cap_setpcap, which is required for the wrapper + program to be able to raise caps into the Ambient set is NOT + raised to the Ambient set so that the real program cannot + modify its own capabilities!! 
This may be too restrictive for + cases in which the real program needs cap_setpcap but it at + least leans on the side security paranoid vs. too + relaxed.</para> + </note> ''; }; |
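Review bot: in the hunk at `@@ -109,27 +109,29 @@`, the new `<note>` wraps the paragraph describing the `program` and `source` attributes, which is the option's primary documentation rather than an aside; suggest keeping that paragraph outside the `<note>` beside the first (now unwrapped) paragraph and reserving the admonition for the capability material. Once the text sits inside a `<note>` element, the literal prefix in `<para>NOTE: cap_setpcap, which is required for the wrapper` is redundant and can be dropped; the sentence that CAP_SETPCAP is deliberately not raised into the Ambient set so the real program cannot modify its own capabilities is the security-relevant point of this description and would read better stated plainly (without "!!" and "security paranoid vs. too relaxed") so a reader understands it is intentional hardening rather than an omission. Minor: the first paragraph is now bare text while the others keep `<para>`, so the three paragraphs are marked up inconsistently; and since only markup changes here (the wording is carried over verbatim), the commit message could say "documentation only" to make clear that wrapper behaviour is unaffected.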