diff options
author | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-12 18:53:48 +0200 |
---|---|---|
committer | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-13 13:48:13 +0200 |
commit | fedd7cd6901646cb7e2a94a148d300f7b632d7e0 (patch) | |
tree | 14b7af8318d75536656849335e20c51cdfdf3447 /nixos/modules/services/x11 | |
parent | 8f76a6eefcfa0c9904e0749f04b27090527ce09f (diff) | |
download | nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.tar nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.tar.gz nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.tar.bz2 nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.tar.lz nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.tar.xz nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.tar.zst nixpkgs-fedd7cd6901646cb7e2a94a148d300f7b632d7e0.zip |
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you to think about what the wrapper ownership and permissions will be.
Diffstat (limited to 'nixos/modules/services/x11')
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/enlightenment.nix | 21 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/plasma5.nix | 24 |
2 files changed, 36 insertions, 9 deletions
diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 3a7ab64510b..e3d876e82fd 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -65,9 +65,24 @@ in # Wrappers for programs installed by enlightenment that should be setuid security.wrappers = { - enlightenment_ckpasswd.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd"; - enlightenment_sys.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys"; - enlightenment_system.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system"; + enlightenment_ckpasswd = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd"; + }; + enlightenment_sys = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys"; + }; + enlightenment_system = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system"; + }; }; environment.etc."X11/xkb".source = xcfg.xkbDir; diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index aac905fea43..d8dc2675f06 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -197,12 +197,24 @@ in }; security.wrappers = { - kcheckpass.source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass"; - start_kdeinit.source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit"; - kwin_wayland = { - source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland"; - capabilities = "cap_sys_nice+ep"; - }; + kcheckpass = + { setuid = true; + owner = "root"; + group = "root"; + source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass"; + }; + start_kdeinit = + { setuid = true; + owner = "root"; + group = "root"; + source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit"; + }; + kwin_wayland = + { owner = "root"; + group = "root"; + capabilities = "cap_sys_nice+ep"; + source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland"; + }; }; # DDC support |