diff options
| author | Domen Kožar <domen@dev.si> | 2016-09-06 17:14:50 +0200 |
|---|---|---|
| committer | Domen Kožar <domen@dev.si> | 2016-09-06 20:13:33 +0200 |
| commit | 3877ec5b2ff7436f4962ac0fe3200833cf78cb8b (patch) | |
| tree | 8ea7276ba5e1a4e4c27da160aa8717ea1c80d3cd /nixos/modules/system/activation/activation-script.nix | |
| parent | 9ab141ce273940e65f5243022d34740e4aa005d0 (diff) | |
| download | nixpkgs-3877ec5b2ff7436f4962ac0fe3200833cf78cb8b.tar nixpkgs-3877ec5b2ff7436f4962ac0fe3200833cf78cb8b.tar.gz nixpkgs-3877ec5b2ff7436f4962ac0fe3200833cf78cb8b.tar.bz2 nixpkgs-3877ec5b2ff7436f4962ac0fe3200833cf78cb8b.tar.lz nixpkgs-3877ec5b2ff7436f4962ac0fe3200833cf78cb8b.tar.xz nixpkgs-3877ec5b2ff7436f4962ac0fe3200833cf78cb8b.tar.zst nixpkgs-3877ec5b2ff7436f4962ac0fe3200833cf78cb8b.zip | |
Make /var/empty immutable
Fixes #14910 and #18358 Deployed to an existing server, restarted sshd and polkit to verify they don't fail.
Diffstat (limited to 'nixos/modules/system/activation/activation-script.nix')
| -rw-r--r-- | nixos/modules/system/activation/activation-script.nix | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index 1c587413121..47550ae76a6 100644 --- a/nixos/modules/system/activation/activation-script.nix +++ b/nixos/modules/system/activation/activation-script.nix @@ -12,11 +12,14 @@ let ''; }); - path = map getBin - [ pkgs.coreutils pkgs.gnugrep pkgs.findutils - pkgs.glibc # needed for getent - pkgs.shadow - pkgs.nettools # needed for hostname + path = with pkgs; map getBin + [ coreutils + gnugrep + findutils + glibc # needed for getent + shadow + nettools # needed for hostname + e2fsprogs # needed for chattr ]; in @@ -137,8 +140,13 @@ in mkdir -m 1777 -p /var/tmp + # Make sure it's really empty + chattr -i /var/empty + rm -rf /var/empty + # Empty, read-only home directory of many system accounts. mkdir -m 0555 -p /var/empty + chattr +i /var/empty ''; system.activationScripts.usrbinenv = if config.environment.usrbinenv != null |