author | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-12 16:14:40 +0200 |
---|---|---|
committer | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-13 13:48:12 +0200 |
commit | 936e8eaf411248e34ceef219fb94acfbb66060a0 (patch) | |
tree | 62931955db1dc36253073bce8d99a21de3bfc852 /nixos/modules/security/wrappers | |
parent | 7d8b303e3fd76ccf58cfe26348e889def3663546 (diff) | |
nixos/security/wrappers: fix shell quoting
Diffstat (limited to 'nixos/modules/security/wrappers')
-rw-r--r-- | nixos/modules/security/wrappers/default.nix | 36 |
1 files changed, 18 insertions, 18 deletions
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 2ce26854be4..2f2c170e460 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -96,20 +96,20 @@ let
 }:
 assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
 ''
- cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}
- echo -n "${source}" > $wrapperDir/${program}.real
+ cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}"
+ echo -n "${source}" > "$wrapperDir/${program}.real"
 # Prevent races
- chmod 0000 $wrapperDir/${program}
- chown ${owner}.${group} $wrapperDir/${program}
+ chmod 0000 "$wrapperDir/${program}"
+ chown ${owner}.${group} "$wrapperDir/${program}"
 # Set desired capabilities on the file plus cap_setpcap so
 # the wrapper program can elevate the capabilities set on
 # its file into the Ambient set.
- ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}
+ ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" "$wrapperDir/${program}"
 # Set the executable bit
- chmod ${permissions} $wrapperDir/${program}
+ chmod ${permissions} "$wrapperDir/${program}"
 '';
 ###### Activation script for the setuid wrappers
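Review bot: The new double quotes only protect the shell variable `$wrapperDir`; `${program}`, `${source}`, `${owner}`, `${group}`, `${permissions}` and `${capabilities}` are spliced in by Nix before the shell parses the script, so a value containing a double quote, `$` or a backtick is still interpreted by the activation shell, and `chown ${owner}.${group}` and `chmod ${permissions}` stay unquoted. These values come from the system configuration, so this is hardening rather than a demonstrated hole, but escaping on the Nix side is the reliable form, e.g. `echo -n ${lib.escapeShellArg source} > "$wrapperDir"/${lib.escapeShellArg "${program}.real"}` and `chown ${lib.escapeShellArg "${owner}:${group}"} ...` (the `.` separator is the deprecated spelling and is ambiguous for names that contain a dot). The same lines recur in the `@@ -124,14` hunk for the setuid wrappers. The function's argument list starts above this hunk.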
@@ -124,14 +124,14 @@ let
 , ...
 }:
 ''
- cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}
- echo -n "${source}" > $wrapperDir/${program}.real
+ cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}"
+ echo -n "${source}" > "$wrapperDir/${program}.real"
 # Prevent races
- chmod 0000 $wrapperDir/${program}
- chown ${owner}.${group} $wrapperDir/${program}
+ chmod 0000 "$wrapperDir/${program}"
+ chown ${owner}.${group} "$wrapperDir/${program}"
- chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
+ chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" "$wrapperDir/${program}"
 '';
 mkWrappedPrograms =
@@ -238,7 +238,7 @@ in
 # We want to place the tmpdirs for the wrappers to the parent dir.
 wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
- chmod a+rx $wrapperDir
+ chmod a+rx "$wrapperDir"
 ${lib.concatStringsSep "\n" mkWrappedPrograms}
@@ -246,15 +246,15 @@ in
 # Atomically replace the symlink
 # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
 old=$(readlink -f ${wrapperDir})
- if [ -e ${wrapperDir}-tmp ]; then
- rm --force --recursive ${wrapperDir}-tmp
+ if [ -e "${wrapperDir}-tmp" ]; then
+ rm --force --recursive "${wrapperDir}-tmp"
 fi
- ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
- mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
- rm --force --recursive $old
+ ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp"
+ mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}"
+ rm --force --recursive "$old"
 else
 # For initial setup
- ln --symbolic $wrapperDir ${wrapperDir}
+ ln --symbolic "$wrapperDir" "${wrapperDir}"
 fi
 ''; |
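Review bot: In the `@@ -246,15` hunk, `old=$(readlink -f ${wrapperDir})` is left unquoted while every other use of that path gains quotes; `old=$(readlink -f "${wrapperDir}")` would make the block consistent. Since `rm --force --recursive "$old"` removes whatever the symlink resolved to, in a script that needs root for `chown` and `setcap`, a cheap guard before it would be `[ -n "$old" ]` plus a check that `$old` lies under `${parentWrapperDir}`. A short comment that `$wrapperDir` is the shell temp dir from `mktemp` while `${wrapperDir}` is the Nix-interpolated final path would also help, as the two differ only by braces. The enclosing `if` starts above the hunk.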