diff options
Diffstat (limited to 'nixos/modules/security/pam_usb.nix')
-rw-r--r-- | nixos/modules/security/pam_usb.nix | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix index 11708a1f016..699cf6306e1 100644 --- a/nixos/modules/security/pam_usb.nix +++ b/nixos/modules/security/pam_usb.nix @@ -32,10 +32,25 @@ in config = mkIf (cfg.enable || anyUsbAuth) { - # pmount need to have a set-uid bit to make pam_usb works in user - # environment. (like su, sudo) - - security.setuidPrograms = [ "pmount" "pumount" ]; + # Make sure pmount and pumount are setuid wrapped. + security.permissionsWrappers.setuid = + [ + { program = "pmount"; + source = "${pkgs.pmount.out}/bin/pmount"; + user = "root"; + group = "root"; + setuid = true; + } + + { program = "pumount"; + source = "${pkgs.pmount.out}/bin/pumount"; + user = "root"; + group = "root"; + setuid = true; + } + ]; + +setuidPrograms = [ "pmount" "pumount" ]; environment.systemPackages = [ pkgs.pmount ]; }; |