From fedd7cd6901646cb7e2a94a148d300f7b632d7e0 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Sun, 12 Sep 2021 18:53:48 +0200
Subject: nixos: explicitely set security.wrappers ownership

This is slightly more verbose and inconvenient, but it forces you to think about what the wrapper ownership and permissions will be.
---
 nixos/modules/virtualisation/spice-usb-redirection.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'nixos/modules/virtualisation/spice-usb-redirection.nix')
diff --git a/nixos/modules/virtualisation/spice-usb-redirection.nix b/nixos/modules/virtualisation/spice-usb-redirection.nix
index 4168cebe79b..255327f2622 100644
--- a/nixos/modules/virtualisation/spice-usb-redirection.nix
+++ b/nixos/modules/virtualisation/spice-usb-redirection.nix
@@ -14,9 +14,11 @@
 config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable {
 environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions
- security.wrappers.spice-client-glib-usb-acl-helper ={
- source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
+ security.wrappers.spice-client-glib-usb-acl-helper = {
+ owner = "root";
+ group = "root";
 capabilities = "cap_fowner+ep";
+ source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
 };
 };
--
cgit 1.4.1
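Review bot: The new `owner = "root";` / `group = "root";` lines on `security.wrappers.spice-client-glib-usb-acl-helper` pin ownership, but nothing in the block records who is allowed to execute a binary that carries `cap_fowner+ep`. The file mode is left to the wrapper module's default for `permissions`, which is not visible in this hunk. CAP_FOWNER bypasses ownership checks on files, so I would either set `permissions` explicitly or add a comment above the attribute such as `# executable by local users on purpose; the helper is expected to authorise callers via polkit before touching USB device ACLs (confirm)`. That would make the exposure a recorded decision, which matches the intent in the commit message. The enclosing module attribute set starts outside the hunk, so a restriction set elsewhere in the file would not be visible here.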