authorBjørn Forsman <bjorn.forsman@gmail.com>2017-10-15 11:20:11 +0200
committerBjørn Forsman <bjorn.forsman@gmail.com>2017-10-16 19:08:19 +0200
commit497108b4568d01cefee6acdf92b738ee80e22023 (patch)
tree2d2820adb5ca17432649ed00ae1cf4bf32cbcc4b /nixos
parent943730ff9b6b05c61ef75d7e2f3fae17d4cbdf4f (diff)
nixos/atd: remove "batch" from setuid wrappers
"batch" is a shell script so invoking it via setuid wrapper never worked
anyway. (The kernel drops perms on executables with shebang.) A previous
nixpkgs commit made "batch" invoke the NixOS setuid "at" wrapper to gain
needed privileges.

Thanks to @yesbox for noticing.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/scheduling/atd.nix4
1 files changed, 3 insertions, 1 deletions
diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix
index 0216c9771c9..77a3f6b51e8 100644
--- a/nixos/modules/services/scheduling/atd.nix
+++ b/nixos/modules/services/scheduling/atd.nix
@@ -42,6 +42,8 @@ in
 
   config = mkIf cfg.enable {
 
+    # Not wrapping "batch" because it's a shell script (kernel drops perms
+    # anyway) and it's patched to invoke the "at" setuid wrapper.
     security.wrappers = builtins.listToAttrs (
       map (program: { name = "${program}"; value = {
       source = "${at}/bin/${program}";
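Review bot: The new comment above `security.wrappers` attributes the privilege drop to the kernel, but that explanation fits a setuid bit set directly on a script. With `security.wrappers` the bit presumably sits on the generated wrapper binary, so the drop more likely happened in the shell that ran "batch"; this is worth confirming and rewording. The comment also leaves the invariant implicit: "batch" only works as long as the `at` package keeps the patch that calls the wrapper, and nothing in this module checks that. I would state the rule for future editors, for example `# Only wrap ELF binaries here; "batch" is a shell script and is patched in the at package to call the "at" wrapper.` The `map` expression opened in this hunk is closed in the next one, where the program list is edited.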
@@ -49,7 +51,7 @@ in
       group = "atd";
       setuid = true;
       setgid = true;
-    };}) [ "at" "atq" "atrm" "batch" ]);
+    };}) [ "at" "atq" "atrm" ]);
 
     environment.systemPackages = [ at ];