authorParnell Springmeyer <parnell@awakenetworks.com>2016-07-15 19:10:48 -0500
committerParnell Springmeyer <parnell@awakenetworks.com>2016-09-01 19:17:43 -0500
commit390ab0b3eff809052d5b9d9b5335413b36898481 (patch)
tree15700959b5c568cff51e2e8abafed931bff7e6dd /nixos/modules/security
parent81b33eb46645b1bd3ab5029c0ca2012a24902bb0 (diff)
everything?: Updating every package that depended on the old setuidPrograms configuration.
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/duosec.nix12
-rw-r--r--nixos/modules/security/pam.nix21
-rw-r--r--nixos/modules/security/pam_usb.nix23
-rw-r--r--nixos/modules/security/permissions-wrappers/default.nix5
-rw-r--r--nixos/modules/security/polkit.nix10
-rw-r--r--nixos/modules/security/sudo.nix17
6 files changed, 74 insertions, 14 deletions
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
index 0e3a54325ca..202218c915c 100644
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -193,7 +193,17 @@ in
       ];
 
      environment.systemPackages = [ pkgs.duo-unix ];
-     security.setuidPrograms    = [ "login_duo" ];
+
+     security.permissionsWrappers.setuid =
+     [
+       { program = "login_duo";
+         source  = "${pkgs.duo-unix.out}/bin/login_duo";
+         user    = "root";
+         group   = "root";
+         setuid  = true;
+       }
+     ];
+
      environment.etc = loginCfgFile ++ pamCfgFile;
 
      /* If PAM *and* SSH are enabled, then don't do anything special.
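Review bot: The new entry names its owner with `user = "root";`, whereas the shim removed from permissions-wrappers/default.nix in this same commit built its entries with `owner = "root"`, which suggests the wrapper builder keyed on `owner`. makeSetuidWrapper's argument set starts inside that file's hunk but continues outside the visible lines, so confirm which attribute name it accepts; if it is still `owner`, these entries would either fail evaluation or be built with the builder's default owner rather than root. The same `user` attribute is used in the pam.nix, pam_usb.nix, polkit.nix and sudo.nix hunks, so whichever name is right should be applied consistently across all of them.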
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 77815cd6dcc..4c6b54f0274 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -442,8 +442,25 @@ in
       ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
       ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
 
-    security.setuidPrograms =
-        optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
+    security.permissionsWrappers.setuid =
+      [
+        (optionals config.security.pam.enableEcryptfs
+          { program = "mount.ecryptfs_private"
+            source  = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
+            user    = "root";
+            group   = "root";
+            setuid  = true;
+          })
+          
+        (optionals config.security.pam.enableEcryptfs
+          { program = "umount.ecryptfs_private";
+            source  = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
+            user    = "root";
+            group   = "root";
+            setuid  = true;
+          })
+      ]
+        
 
     environment.etc =
       mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
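Review bot: The new `security.permissionsWrappers.setuid` value does not parse: `program = "mount.ecryptfs_private"` lacks its terminating `;`, and the closing `]` is not followed by `;` before `environment.etc`. Independently, `optionals` expects a list as its second argument, so `optionals cond { ... }` around each attrset yields either the attrset or `[]` as a list element instead of flattening, and with eCryptfs disabled two empty lists would be handed to the wrapper builder as if they were wrapper definitions. Apply `optionals` once to the whole two-element list instead, as below. The same missing `;` after `program = "sudoedit"` appears in the sudo.nix hunk.
```nix
    security.permissionsWrappers.setuid =
      optionals config.security.pam.enableEcryptfs
        [ { program = "mount.ecryptfs_private";
            source  = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
            user    = "root";
            group   = "root";
            setuid  = true;
          }
          { program = "umount.ecryptfs_private";
            source  = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
            user    = "root";
            group   = "root";
            setuid  = true;
          }
        ];
```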
diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix
index 11708a1f016..699cf6306e1 100644
--- a/nixos/modules/security/pam_usb.nix
+++ b/nixos/modules/security/pam_usb.nix
@@ -32,10 +32,25 @@ in
 
   config = mkIf (cfg.enable || anyUsbAuth) {
 
-    # pmount need to have a set-uid bit to make pam_usb works in user
-    # environment. (like su, sudo)
-
-    security.setuidPrograms = [ "pmount" "pumount" ];
+    # Make sure pmount and pumount are setuid wrapped.
+    security.permissionsWrappers.setuid =
+      [
+        { program = "pmount";
+          source  = "${pkgs.pmount.out}/bin/pmount";
+          user    = "root";
+          group   = "root";
+          setuid  = true;
+        }
+
+        { program = "pumount";
+          source  = "${pkgs.pmount.out}/bin/pumount";
+          user    = "root";
+          group   = "root";
+          setuid  = true;
+        }
+      ];
+
+setuidPrograms = [ "pmount" "pumount" ];
     environment.systemPackages = [ pkgs.pmount ];
 
   };
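Review bot: The added line `setuidPrograms = [ "pmount" "pumount" ];` at column 0 is a leftover of the option being replaced; inside the `config` attrset it defines an attribute that has no declared option, which the module system rejects at evaluation time, so the line should be deleted. The removed comment also explained why the setuid bit is needed (pam_usb running in a user session such as su or sudo), while the replacement `# Make sure pmount and pumount are setuid wrapped.` only restates the code. Suggest keeping the rationale: `# pmount/pumount must be setuid root so pam_usb can mount the token from an unprivileged session (su, sudo).`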
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix
index a4491946df5..5d4634daf78 100644
--- a/nixos/modules/security/permissions-wrappers/default.nix
+++ b/nixos/modules/security/permissions-wrappers/default.nix
@@ -43,11 +43,6 @@ let
     '';
 
   ###### Activation script for the setuid wrappers
-  setuidPrograms =
-    (map (x: { program = x; owner = "root"; group = "root"; setuid = true; })
-      config.security.setuidPrograms)
-    ++ config.security.setuidOwners;
-
   makeSetuidWrapper =
     { program
     , source ? null
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index 507f81bbf07..db078667acf 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -83,7 +83,15 @@ in
 
     security.pam.services.polkit-1 = {};
 
-    security.setuidPrograms = [ "pkexec" ];
+    security.permissionsWrappers.setuid = 
+      [
+        { program = "pkexec";
+          source  = "${pkgs.polkit.out}/bin/pkexec";
+          user    = "root";
+          group   = "root";
+          setuid  = true;
+        }
+      ];
 
     security.setuidOwners = [
       { program = "polkit-agent-helper-1";
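Review bot: The context line `security.setuidOwners = [` shows polkit-agent-helper-1 still registered through the old `setuidOwners` option, while the `setuidPrograms` shim that consumed `config.security.setuidOwners` is deleted from permissions-wrappers/default.nix in this same commit. Unless another reader of that option survives outside the visible lines, the helper's setuid wrapper silently stops being built and polkit authentication via the agent would fail, so the entry should move into this `security.permissionsWrappers.setuid` list alongside pkexec. Minor: `security.permissionsWrappers.setuid = ` carries trailing whitespace.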
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index bced2a6ed75..06dde14cd1c 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -81,7 +81,22 @@ in
         ${cfg.extraConfig}
       '';
 
-    security.setuidPrograms = [ "sudo" "sudoedit" ];
+    security.permissionsWrappers.setuid =
+     [
+       { program = "sudo";
+         source  = "${pkgs.sudo.out}/bin/sudo";
+         user    = "root";
+         group   = "root";
+         setuid  = true;
+       }
+
+       { program = "sudoedit"
+         source  = "${pkgs.sudo.out}/bin/sudo";
+         user    = "root";
+         group   = "root";
+         setuid  = true;
+       }
+    ];
 
     environment.systemPackages = [ sudo ];