From 390ab0b3eff809052d5b9d9b5335413b36898481 Mon Sep 17 00:00:00 2001
From: Parnell Springmeyer
Date: Fri, 15 Jul 2016 19:10:48 -0500
Subject: everything?: Updating every package that depended on the old setuidPrograms configuration.

---
 nixos/modules/security/duosec.nix | 12 ++++++++++-
 nixos/modules/security/pam.nix | 21 ++++++++++++++++++--
 nixos/modules/security/pam_usb.nix | 23 ++++++++++++++++++----
 .../security/permissions-wrappers/default.nix | 5 -----
 nixos/modules/security/polkit.nix | 10 +++++++++-
 nixos/modules/security/sudo.nix | 17 +++++++++++++++-
 6 files changed, 74 insertions(+), 14 deletions(-)

(limited to 'nixos/modules/security')

diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
index 0e3a54325ca..202218c915c 100644
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -193,7 +193,17 @@ in
 ];
 environment.systemPackages = [ pkgs.duo-unix ];
- security.setuidPrograms = [ "login_duo" ];
+
+ security.permissionsWrappers.setuid =
+ [
+ { program = "login_duo";
+ source = "${pkgs.duo-unix.out}/bin/login_duo";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ];
+
 environment.etc = loginCfgFile ++ pamCfgFile;
 /* If PAM *and* SSH are enabled, then don't do anything special.
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 77815cd6dcc..4c6b54f0274 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -442,8 +442,25 @@ in
 ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
 ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
- security.setuidPrograms =
- optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
+ security.permissionsWrappers.setuid =
+ [
+ (optionals config.security.pam.enableEcryptfs
+ { program = "mount.ecryptfs_private"
+ source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
+ user = "root";
+ group = "root";
+ setuid = true;
+ })
+
+ (optionals config.security.pam.enableEcryptfs
+ { program = "umount.ecryptfs_private";
+ source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
+ user = "root";
+ group = "root";
+ setuid = true;
+ })
+ ]
+
 environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix
index 11708a1f016..699cf6306e1 100644
--- a/nixos/modules/security/pam_usb.nix
+++ b/nixos/modules/security/pam_usb.nix
@@ -32,10 +32,25 @@ in
 config = mkIf (cfg.enable || anyUsbAuth) {
- # pmount need to have a set-uid bit to make pam_usb works in user
- # environment. (like su, sudo)
-
- security.setuidPrograms = [ "pmount" "pumount" ];
+ # Make sure pmount and pumount are setuid wrapped.
+ security.permissionsWrappers.setuid =
+ [
+ { program = "pmount";
+ source = "${pkgs.pmount.out}/bin/pmount";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+
+ { program = "pumount";
+ source = "${pkgs.pmount.out}/bin/pumount";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ];
+
+setuidPrograms = [ "pmount" "pumount" ];
 environment.systemPackages = [ pkgs.pmount ];
 };
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix
index a4491946df5..5d4634daf78 100644
--- a/nixos/modules/security/permissions-wrappers/default.nix
+++ b/nixos/modules/security/permissions-wrappers/default.nix
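Review bot: The new `security.permissionsWrappers.setuid` value does not parse: `{ program = "mount.ecryptfs_private"` lacks its `;`, and the closing `]` before `environment.etc` has no terminating `;`, so every configuration that imports pam.nix stops evaluating. Once parsed it is still wrong, because `optionals cond x` returns `x` itself or `[]` — wrapping each attribute set in it yields a list of two attribute sets when ecryptfs is enabled and `[ [] [] ]` when it is not, and the wrapper generator presumably cannot handle empty lists as entries. Guard the whole list once, as the removed lines did, and make the two entries plain attribute sets with the semicolons restored. The enclosing `config` attribute set starts before this hunk.
```nix
security.permissionsWrappers.setuid =
  optionals config.security.pam.enableEcryptfs
    [
      { program = "mount.ecryptfs_private";
        # … unchanged: source, user, group, setuid …
      }

      { program = "umount.ecryptfs_private";
        # … unchanged: source, user, group, setuid …
      }
    ];
```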
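Review bot: The added line `setuidPrograms = [ "pmount" "pumount" ];` at column 0, directly above `environment.systemPackages`, looks like an editing leftover: it defines a bare `setuidPrograms` attribute inside the `mkIf` config set, which the module system should reject as an option that does not exist, and nothing consumes it now that this commit deletes the `security.setuidPrograms` compatibility mapping in permissions-wrappers/default.nix. Delete that line; the two wrapper entries above already replace it. The replacement comment `# Make sure pmount and pumount are setuid wrapped.` drops the reason the removed comment gave, which is the part a reader needs when judging two setuid-root helpers; consider `# pam_usb invokes pmount/pumount from unprivileged sessions (su, sudo), so both need a setuid-root wrapper.` instead.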
@@ -43,11 +43,6 @@ let
 '';
 ###### Activation script for the setuid wrappers
- setuidPrograms =
- (map (x: { program = x; owner = "root"; group = "root"; setuid = true; })
- config.security.setuidPrograms)
- ++ config.security.setuidOwners;
-
 makeSetuidWrapper =
 { program
 , source ? null
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index 507f81bbf07..db078667acf 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -83,7 +83,15 @@ in
 security.pam.services.polkit-1 = {};
- security.setuidPrograms = [ "pkexec" ];
+ security.permissionsWrappers.setuid =
+ [
+ { program = "pkexec";
+ source = "${pkgs.polkit.out}/bin/pkexec";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ];
 security.setuidOwners = [
 { program = "polkit-agent-helper-1";
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index bced2a6ed75..06dde14cd1c 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -81,7 +81,22 @@ in
 ${cfg.extraConfig}
 '';
- security.setuidPrograms = [ "sudo" "sudoedit" ];
+ security.permissionsWrappers.setuid =
+ [
+ { program = "sudo";
+ source = "${pkgs.sudo.out}/bin/sudo";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+
+ { program = "sudoedit"
+ source = "${pkgs.sudo.out}/bin/sudo";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ];
 environment.systemPackages = [ sudo ];
-- 
cgit 1.4.1
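Review bot: `security.setuidOwners = [ { program = "polkit-agent-helper-1"; …` is left in place below the new `pkexec` entry, yet the only consumer of `config.security.setuidOwners` visible in this commit — the `++ config.security.setuidOwners` binding in permissions-wrappers/default.nix — is deleted by the same commit, so unless some other module still reads that option the polkit-agent-helper-1 setuid wrapper silently stops being generated and authentication through the agent helper breaks without any evaluation error. Move that helper into the same `security.permissionsWrappers.setuid` list as `pkexec`, with `user = "root"; group = "root"; setuid = true;` and a `source` pointing at the helper inside `${pkgs.polkit.out}`, or confirm that `setuidOwners` is still wired into the wrapper generator. The `security.setuidOwners` definition continues outside this hunk.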
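Review bot: `{ program = "sudoedit"` is missing the `;` after the string, so sudo.nix fails to parse and every configuration with sudo enabled stops evaluating; it should read `{ program = "sudoedit";`. Separately, the `sudoedit` wrapper sets `source = "${pkgs.sudo.out}/bin/sudo"`, so sudoedit semantics depend on sudo dispatching on its argv[0] and on the wrapper passing the invoked name through unchanged — worth a one-line comment such as `# sudoedit is sudo dispatching on argv[0]; the wrapper must preserve the invoked name`, or point `source` at a `bin/sudoedit` entry if the package ships one. The enclosing config set continues outside this hunk.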