summary refs log tree commit diff
path: root/nixos/modules/security/pam_usb.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/modules/security/pam_usb.nix')
-rw-r--r--nixos/modules/security/pam_usb.nix23
1 files changed, 19 insertions, 4 deletions
diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix
index 11708a1f016..699cf6306e1 100644
--- a/nixos/modules/security/pam_usb.nix
+++ b/nixos/modules/security/pam_usb.nix
@@ -32,10 +32,25 @@ in
 
   config = mkIf (cfg.enable || anyUsbAuth) {
 
-    # pmount need to have a set-uid bit to make pam_usb works in user
-    # environment. (like su, sudo)
-
-    security.setuidPrograms = [ "pmount" "pumount" ];
+    # Make sure pmount and pumount are setuid wrapped.
+    security.permissionsWrappers.setuid =
+      [
+        { program = "pmount";
+          source  = "${pkgs.pmount.out}/bin/pmount";
+          user    = "root";
+          group   = "root";
+          setuid  = true;
+        }
+
+        { program = "pumount";
+          source  = "${pkgs.pmount.out}/bin/pumount";
+          user    = "root";
+          group   = "root";
+          setuid  = true;
+        }
+      ];
+
+setuidPrograms = [ "pmount" "pumount" ];
     environment.systemPackages = [ pkgs.pmount ];
 
   };
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-27 00:59:15 +0000