From 025555d7f1a0fc39ea152b03e942002e1bff1721 Mon Sep 17 00:00:00 2001
From: Parnell Springmeyer
Date: Thu, 26 Jan 2017 00:05:40 -0800
Subject: More fixes and improvements
---
 nixos/tests/smokeping.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'nixos/tests')
diff --git a/nixos/tests/smokeping.nix b/nixos/tests/smokeping.nix
index 9de3030417f..7e2d84f4422 100644
--- a/nixos/tests/smokeping.nix
+++ b/nixos/tests/smokeping.nix
@@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : {
 mailHost = "127.0.0.2";
 probeConfig = ''
 + FPing
- binary = /var/setuid-wrappers/fping
+ binary = /var/permissions-wrappers/fping
 offset = 0%
 '';
 };
-- cgit 1.4.1
From e92b8402b05f34072a20075ed54660e7a7237cc3 Mon Sep 17 00:00:00 2001
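Review bot: The test pins the wrapper directory as a literal path (`/var/permissions-wrappers/fping`), and the following commit in this series relocates that directory again, so the test has to be edited on every move. If the test node's configuration can see the module options, deriving the path from the wrapper-directory option (`security.permissionsWrapperDir` at this commit, `security.wrapperDir` after the next one) keeps the test in step with the module, e.g. `binary = ${config.security.wrapperDir}/fping` inside the probeConfig string. Whether make-test.nix exposes `config` to this node is not visible in the hunk.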
From: Parnell Springmeyer Date: Sat, 28 Jan 2017 20:48:03 -0800 Subject: Addressing PR feedback --- nixos/doc/manual/release-notes/rl-1609.xml | 2 +- nixos/doc/manual/release-notes/rl-1703.xml | 8 + nixos/modules/config/shells-environment.nix | 4 +- .../installer/tools/nixos-generate-config.pl | 2 +- nixos/modules/installer/tools/nixos-install.sh | 7 +- nixos/modules/module-list.nix | 2 +- nixos/modules/programs/kbdlight.nix | 9 +- nixos/modules/programs/light.nix | 9 +- nixos/modules/programs/shadow.nix | 48 +---- nixos/modules/security/apparmor-suid.nix | 4 +- nixos/modules/security/chromium-suid-sandbox.nix | 6 +- nixos/modules/security/duosec.nix | 11 +- nixos/modules/security/pam.nix | 35 +--- nixos/modules/security/pam_usb.nix | 17 +- .../security/permissions-wrappers/default.nix | 191 ------------------ .../permissions-wrappers/permissions-wrapper.c | 221 --------------------- .../permissions-wrappers/setcap-wrapper-drv.nix | 37 ---- .../permissions-wrappers/setuid-wrapper-drv.nix | 35 ---- nixos/modules/security/polkit.nix | 18 +- nixos/modules/security/sudo.nix | 17 +- nixos/modules/security/wrappers/default.nix | 191 ++++++++++++++++++ .../security/wrappers/permissions-wrapper.c | 221 +++++++++++++++++++++ .../security/wrappers/setcap-wrapper-drv.nix | 37 ++++ .../security/wrappers/setuid-wrapper-drv.nix | 35 ++++ nixos/modules/services/logging/logcheck.nix | 4 +- nixos/modules/services/mail/dovecot.nix | 2 +- nixos/modules/services/mail/exim.nix | 12 +- nixos/modules/services/mail/mail.nix | 2 +- nixos/modules/services/monitoring/munin.nix | 4 +- nixos/modules/services/monitoring/smartd.nix | 2 +- .../modules/services/network-filesystems/samba.nix | 2 +- nixos/modules/services/networking/gale.nix | 2 +- nixos/modules/services/networking/prayer.nix | 2 +- nixos/modules/services/networking/smokeping.nix | 20 +- nixos/modules/services/scheduling/atd.nix | 2 +- nixos/modules/services/scheduling/cron.nix | 18 +- nixos/modules/services/scheduling/fcron.nix | 
13 +- nixos/modules/services/system/dbus.nix | 4 +- .../x11/desktop-managers/enlightenment.nix | 11 +- .../modules/services/x11/desktop-managers/kde4.nix | 2 +- .../modules/services/x11/desktop-managers/kde5.nix | 2 +- nixos/modules/system/boot/stage-2-init.sh | 8 +- nixos/modules/tasks/network-interfaces.nix | 47 ++--- nixos/modules/virtualisation/virtualbox-host.nix | 4 +- nixos/tests/smokeping.nix | 2 +- pkgs/applications/editors/sublime3/default.nix | 2 +- .../networking/browsers/chromium/default.nix | 4 +- .../instant-messengers/gale/gale-install.in.patch | 2 +- .../gitlab/remove-hardcoded-locations.patch | 2 +- .../virtualization/virtualbox/hardened.patch | 6 +- pkgs/build-support/build-fhs-userenv/env.nix | 2 +- pkgs/desktops/enlightenment/enlightenment.nix | 6 +- .../kde-frameworks/kinit/start_kdeinit-path.patch | 2 +- pkgs/development/libraries/libgksu/default.nix | 4 +- pkgs/development/libraries/polkit/default.nix | 2 +- pkgs/development/tools/unity3d/default.nix | 2 +- pkgs/os-specific/linux/fuse/default.nix | 2 +- pkgs/os-specific/linux/mdadm/4.nix | 2 +- pkgs/os-specific/linux/mdadm/default.nix | 2 +- pkgs/os-specific/linux/pam/default.nix | 2 +- pkgs/os-specific/linux/util-linux/default.nix | 2 +- pkgs/servers/interlock/default.nix | 2 +- pkgs/servers/mail/petidomo/default.nix | 2 +- .../monitoring/nagios/plugins/official-2.x.nix | 4 +- pkgs/tools/X11/x11vnc/default.nix | 4 +- pkgs/tools/admin/certbot/default.nix | 2 +- pkgs/tools/misc/debian-devscripts/default.nix | 2 +- pkgs/tools/security/ecryptfs/default.nix | 2 +- pkgs/tools/security/ecryptfs/helper.nix | 2 +- pkgs/tools/security/sudo/default.nix | 2 +- pkgs/tools/system/at/default.nix | 2 +- pkgs/tools/system/cron/default.nix | 2 +- pkgs/tools/system/ts/default.nix | 2 +- 73 files changed, 607 insertions(+), 797 deletions(-) delete mode 100644 nixos/modules/security/permissions-wrappers/default.nix delete mode 100644 nixos/modules/security/permissions-wrappers/permissions-wrapper.c delete mode 
100644 nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix delete mode 100644 nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix create mode 100644 nixos/modules/security/wrappers/default.nix create mode 100644 nixos/modules/security/wrappers/permissions-wrapper.c create mode 100644 nixos/modules/security/wrappers/setcap-wrapper-drv.nix create mode 100644 nixos/modules/security/wrappers/setuid-wrapper-drv.nix (limited to 'nixos/tests') diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml index bf8be1b68f2..ade7d5581ce 100644 --- a/nixos/doc/manual/release-notes/rl-1609.xml +++ b/nixos/doc/manual/release-notes/rl-1609.xml @@ -202,7 +202,7 @@ following incompatible changes: The directory container setuid wrapper programs, - /var/permissions-wrappers, /var/setuid-wrappers, is now updated atomically to prevent failures if the switch to a new configuration is interrupted. diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml index 177010e2a32..94aa674fed6 100644 --- a/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixos/doc/manual/release-notes/rl-1703.xml @@ -15,6 +15,14 @@ has the following highlights: xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">Nixpkgs manual for more information. + + + + Setting capabilities on programs is now supported with a + setcap-wrapper functionality. This + functionality and the setuid-wrapper are merged + into a single "wrappers" module. + The following new services were added since the last release: diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix index 7003c074522..8a7b3ea0bfd 100644 --- a/nixos/modules/config/shells-environment.nix +++ b/nixos/modules/config/shells-environment.nix 
@@ -168,8 +168,8 @@ in ${cfg.extraInit} - # The setuid wrappers override other bin directories. - export PATH="${config.security.permissionsWrapperDir}:$PATH" + # The setuid/setcap wrappers override other bin directories. + export PATH="${config.security.wrapperDir}:$PATH" # ~/bin if it exists overrides other bin directories. export PATH="$HOME/bin:$PATH" diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index bb379dafc64..657c28f095d 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -343,7 +343,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) { # Skip special filesystems. next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs"; - next if $mountPoint eq "/var/permissions-wrappers"; + next if $mountPoint eq "/run/wrappers"; # Skip the optional fields. my $n = 6; $n++ while $fields[$n] ne "-"; $n++; diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 4e9f8ab60f2..36b1a47956d 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh 
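Review bot: The replacement line `next if $mountPoint eq "/run/wrappers";` in nixos-generate-config.pl looks unreachable: the statement just above already skips any mount point for which `in($mountPoint, "/run")` holds, and if `in` tests path containment as its use on `/proc`, `/dev` and `/sys` suggests, `/run/wrappers` is already covered. The old `/var/permissions-wrappers` entry was needed because `/var` is not in that skip list; the new one can simply be dropped, or kept with a comment such as `# /run/wrappers is already covered by the /run check above` if it is meant as documentation. `in` is defined outside this hunk, so this is inferred from its call sites.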
@@ -92,14 +92,13 @@ fi mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home mkdir -m 01777 -p $mountPoint/tmp mkdir -m 0755 -p $mountPoint/tmp/root -mkdir -m 0755 -p $mountPoint/var/permissions-wrappers +mkdir -m 0755 -p $mountPoint/var mkdir -m 0700 -p $mountPoint/root mount --rbind /dev $mountPoint/dev mount --rbind /proc $mountPoint/proc mount --rbind /sys $mountPoint/sys mount --rbind / $mountPoint/tmp/root mount -t tmpfs -o "mode=0755" none $mountPoint/run -mount -t tmpfs -o "mode=0755" none $mountPoint/var/permissions-wrappers rm -rf $mountPoint/var/run ln -s /run $mountPoint/var/run for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done @@ -260,9 +259,9 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate # Ask the user to set a root password. -if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/permissions-wrappers/passwd ] && [ -t 0 ]; then +if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/passwd ] && [ -t 0 ]; then echo "setting root password..." - chroot $mountPoint /var/permissions-wrappers/passwd + chroot $mountPoint /run/wrappers/passwd fi diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index f7206ea931b..bd351460a52 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -113,7 +113,7 @@ ./security/prey.nix ./security/rngd.nix ./security/rtkit.nix - ./security/permissions-wrappers + ./security/wrappers ./security/sudo.nix ./services/amqp/activemq/default.nix ./services/amqp/rabbitmq.nix diff --git a/nixos/modules/programs/kbdlight.nix b/nixos/modules/programs/kbdlight.nix index 30767a03291..0172368e968 100644 --- a/nixos/modules/programs/kbdlight.nix +++ b/nixos/modules/programs/kbdlight.nix 
@@ -11,13 +11,6 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.kbdlight ]; - - security.permissionsWrappers.setuid = - [ { program = "kbdlight"; - source = "${pkgs.kbdlight.out}/bin/kbdlight"; - owner = "root"; - group = "root"; - setuid = true; - }]; + security.setuidPrograms = [ "kbdlight" ]; }; } diff --git a/nixos/modules/programs/light.nix b/nixos/modules/programs/light.nix index c89f8e93721..09cd1113d9c 100644 --- a/nixos/modules/programs/light.nix +++ b/nixos/modules/programs/light.nix @@ -21,13 +21,6 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.light ]; - - security.permissionsWrappers.setuid = - [ { program = "light"; - source = "${pkgs.light.out}/bin/light"; - owner = "root"; - group = "root"; - setuid = true; - }]; + security.setuidPrograms = [ "light" ]; }; } diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index 08d96cbcf4b..c5a50318026 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix 
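Review bot: Replacing the explicit entry with `security.setuidPrograms = [ "kbdlight" ];` drops the pinned `source = "${pkgs.kbdlight.out}/bin/kbdlight"`, so the binary that ends up installed setuid-root is now located by name rather than by store path. If the new setuid-wrapper-drv.nix keeps the lookup the deleted one used (`PATH=$PERMISSIONS_WRAPPER_PATH type -tP`, falling back to `/nix/var/nix/profiles/default/bin/`), a name-only entry resolves to whichever program of that name is first on the system path or, failing that, to the mutable default profile — a much weaker binding for a setuid-root wrapper than the store path the removed lines carried. Keeping the attrset form with an explicit source, as pam.nix does for unix_chkpwd in this same commit, preserves the binding: `security.wrappers.kbdlight = { source = "${pkgs.kbdlight.out}/bin/kbdlight"; owner = "root"; group = "root"; setuid = true; };`. The same conversion is made in light.nix, shadow.nix, chromium-suid-sandbox.nix, duosec.nix, pam.nix (the ecryptfs helpers), pam_usb.nix, polkit.nix and sudo.nix; the definition of `security.setuidPrograms` itself is not in this view.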
@@ -101,49 +101,9 @@ in chpasswd = { rootOK = true; }; }; - - security.permissionsWrappers.setuid = - [ - { program = "su"; - source = "${pkgs.shadow.su}/bin/su"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "chfn"; - source = "${pkgs.shadow.out}/bin/chfn"; - owner = "root"; - group = "root"; - setuid = true; - } - ] ++ - (lib.optionals config.users.mutableUsers - map (x: x // { owner = "root"; - group = "root"; - setuid = true; - }) - [ - { program = "passwd"; - source = "${pkgs.shadow.out}/bin/passwd"; - } - - { program = "sg"; - source = "${pkgs.shadow.out}/bin/sg"; - } - - { program = "newgrp"; - source = "${pkgs.shadow.out}/bin/newgrp"; - } - - { program = "newuidmap"; - source = "${pkgs.shadow.out}/bin/newuidmap"; - } - - { program = "newgidmap"; - source = "${pkgs.shadow.out}/bin/newgidmap"; - } - ] - ); + security.setuidPrograms = [ + "su" "chfn" "newuidmap" "newgidmap" + ] ++ lib.optionals config.users.mutableUsers + [ "passwd" "sg" "newgrp" ]; }; } diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix index 799f27b6708..e7b870864ee 100644 --- a/nixos/modules/security/apparmor-suid.nix +++ b/nixos/modules/security/apparmor-suid.nix @@ -19,7 +19,7 @@ with lib; config = mkIf (cfg.confineSUIDApplications) { security.apparmor.profiles = [ (pkgs.writeText "ping" '' #include - /var/permissions-wrappers/ping { + /run/wrappers/ping { #include #include #include @@ -33,7 +33,7 @@ with lib; ${pkgs.attr.out}/lib/libattr.so* mr, ${pkgs.iputils}/bin/ping mixr, - /var/permissions-wrappers/ping.real r, + /run/wrappers/ping.real r, #/etc/modules.conf r, diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix index 6fe25213639..0699fbb728a 100644 --- a/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixos/modules/security/chromium-suid-sandbox.nix 
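Review bot: `newuidmap` and `newgidmap` are moved out of the `config.users.mutableUsers` guard in shadow.nix: in the removed block they were only wrapped when mutable users were enabled, while the new list installs them setuid-root unconditionally, which widens the set of setuid binaries on systems with immutable users. If that is not intended, the guard should be kept: `security.setuidPrograms = [ "su" "chfn" ] ++ lib.optionals config.users.mutableUsers [ "passwd" "sg" "newgrp" "newuidmap" "newgidmap" ];`. If it is intended, a one-line comment above the list saying why the two map helpers are needed regardless of mutableUsers would keep the next reader from taking it for an accident.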
@@ -27,10 +27,6 @@ in config = mkIf cfg.enable { environment.systemPackages = [ sandbox ]; - security.permissionsWrappers.setuid = [ - { program = sandbox.passthru.sandboxExecutableName; - source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; - } - ]; + security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ]; }; } diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index e5b35427015..ee62c34438e 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -188,16 +188,7 @@ in environment.systemPackages = [ pkgs.duo-unix ]; - security.permissionsWrappers.setuid = - [ - { program = "login_duo"; - source = "${pkgs.duo-unix.out}/bin/login_duo"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; - + security.setuidPrograms = [ "login_duo" ]; environment.etc = loginCfgFile ++ pamCfgFile; /* If PAM *and* SSH are enabled, then don't do anything special. diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index c5088b64bb3..3c944acf6cf 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix 
@@ -472,33 +472,14 @@ in ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ] ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ]; - security.permissionsWrappers.setuid = - [ - { program = "unix_chkpwd"; - source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; - owner = "root"; - group = "root"; - setuid = true; - } - - - - ] ++ (optional config.security.pam.enableEcryptfs - { program = "umount.ecryptfs_private"; - source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; - owner = "root"; - group = "root"; - setuid = true; - } - ) ++ (optional config.security.pam.enableEcryptfs - { program = "mount.ecryptfs_private"; - source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; - owner = "root"; - group = "root"; - setuid = true; - } - ); - + security.setuidPrograms = + optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ]; + + security.wrappers.unix_chkpwd = { + source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; + owner = "root"; + setuid = true; + }; environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services; diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix index 53a7921a244..032f8e38d11 100644 --- a/nixos/modules/security/pam_usb.nix +++ b/nixos/modules/security/pam_usb.nix @@ -33,22 +33,7 @@ in config = mkIf (cfg.enable || anyUsbAuth) { # Make sure pmount and pumount are setuid wrapped. - security.permissionsWrappers.setuid = - [ - { program = "pmount"; - source = "${pkgs.pmount.out}/bin/pmount"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "pumount"; - source = "${pkgs.pmount.out}/bin/pumount"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; + security.setuidPrograms = [ "pmount" "pumount" ]; environment.systemPackages = [ pkgs.pmount ]; 
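Review bot: The new `security.wrappers.unix_chkpwd` entry in pam.nix keeps `owner = "root"` and `setuid = true` but drops the `group = "root"` the removed entry set. The activation function added in this commit defaults `group` to `"nogroup"`, so unless the `security.wrappers` option supplies its own default (its definition lies past the end of this view), the installed wrapper changes from root:root to root:nogroup; adding `group = "root";` keeps the previous ownership and makes the intent explicit.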
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix deleted file mode 100644 index 480bd371040..00000000000 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ /dev/null 
@@ -1,191 +0,0 @@ -{ config, lib, pkgs, ... }: -let - - inherit (config.security) run-permissionsWrapperDir permissionsWrapperDir; - - isNotNull = v: if v != null then true else false; - - cfg = config.security.permissionsWrappers; - - setcapWrappers = import ./setcap-wrapper-drv.nix { - inherit config lib pkgs; - }; - - setuidWrappers = import ./setuid-wrapper-drv.nix { - inherit config lib pkgs; - }; - - ###### Activation script for the setcap wrappers - configureSetcapWrapper = - { program - , capabilities - , source ? null - , owner ? "nobody" - , group ? "nogroup" - }: '' - cp ${setcapWrappers}/bin/${program}.wrapper $permissionsWrapperDir/${program} - - # Prevent races - chmod 0000 $permissionsWrapperDir/${program} - chown ${owner}.${group} $permissionsWrapperDir/${program} - - # Set desired capabilities on the file plus cap_setpcap so - # the wrapper program can elevate the capabilities set on - # its file into the Ambient set. - # - # Only set the capabilities though if we're being told to - # do so. - ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $permissionsWrapperDir/${program} - - # Set the executable bit - chmod u+rx,g+x,o+x $permissionsWrapperDir/${program} - ''; - - ###### Activation script for the setuid wrappers - configureSetuidWrapper = - { program - , source ? null - , owner ? "nobody" - , group ? "nogroup" - , setuid ? false - , setgid ? false - , permissions ? 
"u+rx,g+x,o+x" - }: '' - cp ${setuidWrappers}/bin/${program}.wrapper $permissionsWrapperDir/${program} - - # Prevent races - chmod 0000 $permissionsWrapperDir/${program} - chown ${owner}.${group} $permissionsWrapperDir/${program} - - chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $permissionsWrapperDir/${program} - ''; -in -{ - - ###### interface - - options = { - security.permissionsWrappers.setcap = lib.mkOption { - type = lib.types.listOf lib.types.attrs; - default = []; - example = - [ { program = "ping"; - source = "${pkgs.iputils.out}/bin/ping"; - owner = "nobody"; - group = "nogroup"; - capabilities = "cap_net_raw+ep"; - } - ]; - description = '' - This option sets capabilities on a wrapper program that - propagates those capabilities down to the wrapped, real - program. - - The `program` attribute is the name of the program to be - wrapped. If no `source` attribute is provided, specifying the - absolute path to the program, then the program will be - searched for in the path environment variable. - - NOTE: cap_setpcap, which is required for the wrapper program - to be able to raise caps into the Ambient set is NOT raised to - the Ambient set so that the real program cannot modify its own - capabilities!! This may be too restrictive for cases in which - the real program needs cap_setpcap but it at least leans on - the side security paranoid vs. too relaxed. - ''; - }; - - security.permissionsWrappers.setuid = lib.mkOption { - type = lib.types.listOf lib.types.attrs; - default = []; - example = - [ { program = "sendmail"; - source = "/nix/store/.../bin/sendmail"; - owner = "nobody"; - group = "postdrop"; - setuid = false; - setgid = true; - permissions = "u+rx,g+x,o+x"; - } - ]; - description = '' - This option allows the ownership and permissions on the setuid - wrappers for specific programs to be overridden from the - default (setuid root, but not setgid root). 
- ''; - }; - - security.permissionsWrapperDir = lib.mkOption { - type = lib.types.path; - default = "/var/permissions-wrappers"; - internal = true; - description = '' - This option defines the path to the permissions wrappers. It - should not be overriden. - ''; - }; - - security.run-permissionsWrapperDir = lib.mkOption { - type = lib.types.path; - default = "/run/permissions-wrapper-dirs"; - internal = true; - description = '' - This option defines the run path to the permissions - wrappers. It should not be overriden. - ''; - }; - - }; - - - ###### implementation - - config = { - - # Make sure our setcap-wrapper dir exports to the PATH env - # variable when initializing the shell - environment.extraInit = '' - # The permissions wrappers override other bin directories. - export PATH="${permissionsWrapperDir}:$PATH" - ''; - - system.activationScripts.wrapper-dir = '' - mkdir -p "${permissionsWrapperDir}" - ''; - - ###### setcap activation script - system.activationScripts.permissions-wrappers = - lib.stringAfter [ "users" ] - '' - # Look in the system path and in the default profile for - # programs to be wrapped. 
- PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin - - mkdir -p ${run-permissionsWrapperDir} - permissionsWrapperDir=$(mktemp --directory --tmpdir=${run-permissionsWrapperDir} permissions-wrappers.XXXXXXXXXX) - chmod a+rx $permissionsWrapperDir - - ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)} - ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)} - - if [ -L ${permissionsWrapperDir} ]; then - # Atomically replace the symlink - # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ - old=$(readlink ${permissionsWrapperDir}) - ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp - mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir} - rm --force --recursive $old - elif [ -d ${permissionsWrapperDir} ]; then - # Compatibility with old state, just remove the folder and symlink - rm -f ${permissionsWrapperDir}/* - # if it happens to be a tmpfs - ${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true - rm -d ${permissionsWrapperDir} - ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir} - else - # For initial setup - ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir} - fi - ''; - }; -} diff --git a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c deleted file mode 100644 index cb9d8d6b37b..00000000000 --- a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c +++ /dev/null 
@@ -1,221 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -// Make sure assertions are not compiled out, we use them to codify -// invariants about this program and we want it to fail fast and -// loudly if they are violated. -#undef NDEBUG - -extern char **environ; - -// The SOURCE_PROG and WRAPPER_DIR macros are supplied at compile time -// for a security reason: So they cannot be changed at runtime. -static char * sourceProg = SOURCE_PROG; -static char * wrapperDir = WRAPPER_DIR; - -// Make sure we have the WRAPPER_TYPE macro specified at compile -// time... -#ifdef WRAPPER_SETCAP -static char * wrapperType = "setcap"; -#elif defined WRAPPER_SETUID -static char * wrapperType = "setuid"; -#else -#error "Program must be compiled with either the WRAPPER_SETCAP or WRAPPER_SETUID macro" -#endif - -// Update the capabilities of the running process to include the given -// capability in the Ambient set. -static void set_ambient_cap(cap_value_t cap) -{ - capng_get_caps_process(); - - if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap)) - { - printf("cannot raise the capability into the Inheritable set\n"); - exit(1); - } - - capng_apply(CAPNG_SELECT_CAPS); - - if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long) cap, 0, 0)) - { - perror("cannot raise the capability into the Ambient set\n"); - exit(1); - } -} - -// Given the path to this program, fetch its configured capability set -// (as set by `setcap ... /path/to/file`) and raise those capabilities -// into the Ambient set. 
-static int make_caps_ambient(const char *selfPath) -{ - cap_t caps = cap_get_file(selfPath); - - if(!caps) - { - fprintf(stderr, "could not retreive the capability set for this file\n"); - return 1; - } - - // We use `cap_to_text` and iteration over the tokenized result - // string because, as of libcap's current release, there is no - // facility for retrieving an array of `cap_value_t`'s that can be - // given to `prctl` in order to lift that capability into the - // Ambient set. - // - // Some discussion was had around shot-gunning all of the - // capabilities we know about into the Ambient set but that has a - // security smell and I deemed the risk of the current - // implementation crashing the program to be lower than the risk - // of a privilege escalation security hole being introduced by - // raising all capabilities, even ones we didn't intend for the - // program, into the Ambient set. - // - // `cap_t` which is returned by `cap_get_*` is an opaque type and - // even if we could retrieve the bitmasks (which, as far as I can - // tell we cannot) in order to get the `cap_value_t` - // representation for each capability we would have to take the - // total number of capabilities supported and iterate over the - // sequence of integers up-to that maximum total, testing each one - // against the bitmask ((bitmask >> n) & 1) to see if it's set and - // aggregating each "capability integer n" that is set in the - // bitmask. - // - // That, combined with the fact that we can't easily get the - // bitmask anyway seemed much more brittle than fetching the - // `cap_t`, transforming it into a textual representation, - // tokenizing the string, and using `cap_from_name` on the token - // to get the `cap_value_t` that we need for `prctl`. 
There is - // indeed risk involved if the output string format of - // `cap_to_text` ever changes but at this time the combination of - // factors involving the below list have led me to the conclusion - // that the best implementation at this time is reading then - // parsing with *lots of documentation* about why we're doing it - // this way. - // - // 1. No explicit API for fetching an array of `cap_value_t`'s or - // for transforming a `cap_t` into such a representation - // 2. The risk of a crash is lower than lifting all capabilities - // into the Ambient set - // 3. libcap is depended on heavily in the Linux ecosystem so - // there is a high chance that the output representation of - // `cap_to_text` will not change which reduces our risk that - // this parsing step will cause a crash - // - // The preferred method, should it ever be available in the - // future, would be to use libcap API's to transform the result - // from a `cap_get_*` into an array of `cap_value_t`'s that can - // then be given to prctl. - // - // - Parnell - ssize_t capLen; - char* capstr = cap_to_text(caps, &capLen); - cap_free(caps); - - // TODO: For now, we assume that cap_to_text always starts its - // result string with " =" and that the first capability is listed - // immediately after that. We should verify this. - assert(capLen >= 2); - capstr += 2; - - char* saveptr = NULL; - for(char* tok = strtok_r(capstr, ",", &saveptr); tok; tok = strtok_r(NULL, ",", &saveptr)) - { - cap_value_t capnum; - if (cap_from_name(tok, &capnum)) - { - fprintf(stderr, "cap_from_name failed, skipping: %s\n", tok); - } - else if (capnum == CAP_SETPCAP) - { - // Check for the cap_setpcap capability, we set this on the - // wrapper so it can elevate the capabilities to the Ambient - // set but we do not want to propagate it down into the - // wrapped program. - // - // TODO: what happens if that's the behavior you want - // though???? I'm preferring a strict vs. loose policy here. 
- fprintf(stderr, "cap_setpcap in set, skipping it\n"); - } - else - { - set_ambient_cap(capnum); - printf("raised %s into the Ambient capability set\n", tok); - } - } - cap_free(capstr); - - return 0; -} - -int main(int argc, char * * argv) -{ - // I *think* it's safe to assume that a path from a symbolic link - // should safely fit within the PATH_MAX system limit. Though I'm - // not positive it's safe... - char selfPath[PATH_MAX]; - int selfPathSize = readlink("/proc/self/exe", selfPath, sizeof(selfPath) - 1); - - assert(selfPathSize > 0); - - selfPath[selfPathSize] = '\0'; - - // Make sure that we are being executed from the right location, - // i.e., `safeWrapperDir'. This is to prevent someone from creating - // hard link `X' from some other location, along with a false - // `X.real' file, to allow arbitrary programs from being executed - // with elevated capabilities. - int len = strlen(wrapperDir); - if (len > 0 && '/' == wrapperDir[len - 1]) - --len; - assert(!strncmp(selfPath, wrapperDir, len)); - assert('/' == wrapperDir[0]); - assert('/' == selfPath[len]); - - // Make *really* *really* sure that we were executed as - // `selfPath', and not, say, as some other setuid program. That - // is, our effective uid/gid should match the uid/gid of - // `selfPath'. - struct stat st; - assert(lstat(selfPath, &st) != -1); - - assert(!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())); - assert(!(st.st_mode & S_ISGID) || (st.st_gid == getegid())); - - // And, of course, we shouldn't be writable. - assert(!(st.st_mode & (S_IWGRP | S_IWOTH))); - - struct stat stR; - stat(sourceProg, &stR); - - // Make sure the program we're wrapping is non-zero - assert(stR.st_size > 0); - - // Read the capabilities set on the file and raise them in to the - // Ambient set so the program we're wrapping receives the - // capabilities too! 
- if (strcmp(wrapperType, "setcap") == 0) - assert(!make_caps_ambient(selfPath)); - - execve(sourceProg, argv, environ); - - fprintf(stderr, "%s: cannot run `%s': %s\n", - argv[0], sourceProg, strerror(errno)); - - exit(1); -} - - diff --git a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix deleted file mode 100644 index 2ae3067b1b1..00000000000 --- a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - cfg = config.security.permissionsWrappers; - - # Produce a shell-code splice intended to be stitched into one of - # the build or install phases within the derivation. - mkSetcapWrapper = { program, source ? null, ...}: '' - if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then - # If we can't find the program, fall back to the - # system profile. - source=/nix/var/nix/profiles/default/bin/${program} - fi - - gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-permissionsWrapperDir}\" \ - -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ - -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include - ''; -in - -# This is only useful for Linux platforms and a kernel version of -# 4.3 or greater -assert pkgs.stdenv.isLinux; -assert lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"; - -pkgs.stdenv.mkDerivation { - name = "setcap-wrapper"; - unpackPhase = "true"; - buildInputs = [ pkgs.linuxHeaders ]; - installPhase = '' - mkdir -p $out/bin - - # Concat together all of our shell splices to compile - # binary wrapper programs for all configured setcap programs. - ${lib.concatMapStrings mkSetcapWrapper cfg.setcap} - ''; -} 
diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix deleted file mode 100644 index 53cce2ff48e..00000000000 --- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - cfg = config.security.permissionsWrappers; - - # Produce a shell-code splice intended to be stitched into one of - # the build or install phases within the derivation. - mkSetuidWrapper = { program, source ? null, ...}: '' - if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then - # If we can't find the program, fall back to the - # system profile. - source=/nix/var/nix/profiles/default/bin/${program} - fi - - gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-permissionsWrapperDir}\" \ - -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ - -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include - ''; -in - -# This is only useful for Linux platforms and a kernel version of -# 4.3 or greater -assert pkgs.stdenv.isLinux; - -pkgs.stdenv.mkDerivation { - name = "setuid-wrapper"; - unpackPhase = "true"; - installPhase = '' - mkdir -p $out/bin - - # Concat together all of our shell splices to compile - # binary wrapper programs for all configured setcap programs. - ${lib.concatMapStrings mkSetuidWrapper cfg.setuid} - ''; -} diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index 098319d5ded..547b40cedfd 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix 
@@ -83,22 +83,8 @@ in security.pam.services.polkit-1 = {}; - security.permissionsWrappers.setuid = - [ - { program = "pkexec"; - source = "${pkgs.polkit.out}/bin/pkexec"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "polkit-agent-helper-1"; - owner = "root"; - group = "root"; - setuid = true; - source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; - } - ]; + security.setuidPrograms = [ "pkexec" ]; + security.wrappers."polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; system.activationScripts.polkit = '' diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index 652f23c2938..f5612e1b0c5 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -81,22 +81,7 @@ in ${cfg.extraConfig} ''; - security.permissionsWrappers.setuid = - [ - { program = "sudo"; - source = "${pkgs.sudo.out}/bin/sudo"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "sudoedit"; - source = "${pkgs.sudo.out}/bin/sudoedit"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; + security.setuidPrograms = [ "sudo" "sudoedit" ]; environment.systemPackages = [ sudo ]; diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix new file mode 100644 index 00000000000..d12209b375b --- /dev/null +++ b/nixos/modules/security/wrappers/default.nix 
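Review bot: The new `security.wrappers."polkit-agent-helper-1"` definition only sets `source`, and the classifier in the rewritten `wrappers/default.nix` routes an entry to the setuid builder only when it carries `setuid`, `setguid` or `permissions` and to the setcap builder only when it carries `capabilities`, so this entry falls into the `else ""` branch and no wrapper is produced at all — whereas the removed entry was explicitly setuid root. Restore the intent explicitly: `security.wrappers."polkit-agent-helper-1" = { source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; owner = "root"; group = "root"; setuid = true; };`. The enclosing `config` block continues outside the hunk.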
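Review bot: Moving `sudo`/`sudoedit` to `security.setuidPrograms` drops the pinned `source = "${pkgs.sudo.out}/bin/sudo"`; the new setuid-wrapper derivation resolves a bare name with `type -tP` and, when that fails, silently falls back to `/nix/var/nix/profiles/default/bin/sudo`, a mutable path outside the store closure that is then compiled in as the exec target of a setuid-root wrapper. For the most privileged binary on the system I would keep the explicit source, e.g. `security.wrappers.sudo = { source = "${pkgs.sudo.out}/bin/sudo"; owner = "root"; group = "root"; setuid = true; };` (and likewise for `sudoedit`), or make the derivation fail instead of falling back. The enclosing `config` block continues outside the hunk.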
@@ -0,0 +1,191 @@ +{ config, lib, pkgs, ... }: +let + + inherit (config.security) wrapperDir; + + isNotNull = v: if v != null || v != "" then true else false; + + cfg = config.security.wrappers; + + setcapWrappers = import ./setcap-wrapper-drv.nix { + inherit config lib pkgs; + }; + + setuidWrappers = import ./setuid-wrapper-drv.nix { + inherit config lib pkgs; + }; + + ###### Activation script for the setcap wrappers + mkSetcapProgram = + { program + , capabilities + , source ? null + , owner ? "nobody" + , group ? "nogroup" + ... + }: '' + cp ${setcapWrappers}/bin/${program}.wrapper $wrapperDir/${program} + + # Prevent races + chmod 0000 $wrapperDir/${program} + chown ${owner}.${group} $wrapperDir/${program} + + # Set desired capabilities on the file plus cap_setpcap so + # the wrapper program can elevate the capabilities set on + # its file into the Ambient set. + # + # Only set the capabilities though if we're being told to + # do so. + ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program} + + # Set the executable bit + chmod u+rx,g+x,o+x $wrapperDir/${program} + ''; + + ###### Activation script for the setuid wrappers + mkSetuidProgram = + { program + , source ? null + , owner ? "nobody" + , group ? "nogroup" + , setuid ? false + , setgid ? false + , permissions ? "u+rx,g+x,o+x" + ... 
+ }: '' + cp ${setuidWrappers}/bin/${program}.wrapper $wrapperDir/${program} + + # Prevent races + chmod 0000 $wrapperDir/${program} + chown ${owner}.${group} $wrapperDir/${program} + + chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program} + ''; +in +{ + + ###### interface + + options = { + security.wrappers.setcap = lib.mkOption { + type = lib.types.listOf lib.types.attrs; + default = []; + example = + [ { program = "ping"; + source = "${pkgs.iputils.out}/bin/ping"; + owner = "nobody"; + group = "nogroup"; + capabilities = "cap_net_raw+ep"; + } + ]; + description = '' + This option sets capabilities on a wrapper program that + propagates those capabilities down to the wrapped, real + program. + + The program attribute is the name of the + program to be wrapped. If no source + attribute is provided, specifying the absolute path to the + program, then the program will be searched for in the path + environment variable. + + NOTE: cap_setpcap, which is required for the wrapper program + to be able to raise caps into the Ambient set is NOT raised to + the Ambient set so that the real program cannot modify its own + capabilities!! This may be too restrictive for cases in which + the real program needs cap_setpcap but it at least leans on + the side security paranoid vs. too relaxed. + ''; + }; + + security.setuidPrograms = mkOption { + type = types.listOf types.str; + default = []; + example = ["passwd"]; + description = '' + The Nix store cannot contain setuid/setgid programs directly. + For this reason, NixOS can automatically generate wrapper + programs that have the necessary privileges. This option + lists the names of programs in the system environment for + which setuid root wrappers should be created. 
+ ''; + }; + + security.wrappers = lib.mkOption { + type = lib.types.attrs; + default = {}; + example = { + sendmail.source = "/nix/store/.../bin/sendmail"; + }; + description = '' + This option allows the ownership and permissions on the setuid + wrappers for specific programs to be overridden from the + default (setuid root, but not setgid root). + ''; + }; + + security.old-wrapperDir = lib.mkOption { + type = lib.types.path; + default = "/var/setuid-wrappers"; + internal = true; + description = '' + This option defines the path to the wrapper programs. It + should not be overriden. + ''; + }; + + security.wrapperDir = lib.mkOption { + type = lib.types.path; + default = "/run/wrappers"; + internal = true; + description = '' + This option defines the path to the wrapper programs. It + should not be overriden. + ''; + }; + }; + + ###### implementation + config = { + # Make sure our setcap-wrapper dir exports to the PATH env + # variable when initializing the shell + environment.extraInit = '' + # The permissions wrappers override other bin directories. + export PATH="${wrapperDir}:$PATH" + ''; + + ###### setcap activation script + system.activationScripts.wrappers = + let + programs = + (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) + config.security.setuidPrograms) + ++ lib.mapAttrsToList + (n: v: (if v ? "program" then v else v // {program=n;})) + cfg.wrappers; + + wrapperPrograms = + builtins.map + (s: if (s ? "setuid" && s.setuid == true) || + (s ? "setguid" && s.setguid == true) || + (s ? "permissions") + then mkSetuidProgram s + else if (s ? "capabilities") + then mkSetcapProgram s + else "" + ) programs; + + in lib.stringAfter [ "users" ] + '' + # Look in the system path and in the default profile for + # programs to be wrapped. 
+ WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin + + mkdir -p ${wrapperDir} + wrapperDir=$(mktemp --directory --tmpdir=${wrapperDir} wrappers.XXXXXXXXXX) + chmod a+rx $wrapperDir + + ${lib.concatStringsSep "\n" (builtins.filter isNotNull cfg.wrappers)} + ''; + }; +} diff --git a/nixos/modules/security/wrappers/permissions-wrapper.c b/nixos/modules/security/wrappers/permissions-wrapper.c new file mode 100644 index 00000000000..cb9d8d6b37b --- /dev/null +++ b/nixos/modules/security/wrappers/permissions-wrapper.c 
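Review bot: The activation script's final line interpolates `builtins.filter isNotNull cfg.wrappers`, but `cfg` is already `config.security.wrappers` (so `cfg.wrappers` is undefined), the `wrapperPrograms` list assembled just above it is never used, and `isNotNull` is a tautology (`v != null || v != ""` is true for every value); it should read `${lib.concatStringsSep "\n" (builtins.filter (s: s != "") wrapperPrograms)}`, and the `programs` list should map over `cfg` rather than `cfg.wrappers`. The classifier also tests `s ? "setguid"` (typo for `setgid`), and an entry carrying only `source` — the documented `sendmail.source` example — matches neither branch and yields no wrapper. Separately, the wrappers are staged into a random `mktemp` subdirectory of `${wrapperDir}`, yet `environment.extraInit` puts `${wrapperDir}` itself on PATH and the rest of this patch hard-codes `/run/wrappers/<prog>`; nothing visible in the hunk publishes the staged directory at that path, so either an atomic `ln -sfn`/rename step is missing or the copies should go straight into `${wrapperDir}`. Lastly, `mkOption`/`types` in the `security.setuidPrograms` declaration are unqualified while the file has no `with lib;`, the default `owner = "nobody"` on a capability-bearing file leaves it owner-writable by any `nobody` process (the C wrapper only rejects group/other-writable), and `config.security.run-wrapperDir`, which both wrapper derivations read, is not declared here — only `security.wrapperDir` is.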
@@ -0,0 +1,221 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +// Make sure assertions are not compiled out, we use them to codify +// invariants about this program and we want it to fail fast and +// loudly if they are violated. +#undef NDEBUG + +extern char **environ; + +// The SOURCE_PROG and WRAPPER_DIR macros are supplied at compile time +// for a security reason: So they cannot be changed at runtime. +static char * sourceProg = SOURCE_PROG; +static char * wrapperDir = WRAPPER_DIR; + +// Make sure we have the WRAPPER_TYPE macro specified at compile +// time... +#ifdef WRAPPER_SETCAP +static char * wrapperType = "setcap"; +#elif defined WRAPPER_SETUID +static char * wrapperType = "setuid"; +#else +#error "Program must be compiled with either the WRAPPER_SETCAP or WRAPPER_SETUID macro" +#endif + +// Update the capabilities of the running process to include the given +// capability in the Ambient set. +static void set_ambient_cap(cap_value_t cap) +{ + capng_get_caps_process(); + + if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap)) + { + printf("cannot raise the capability into the Inheritable set\n"); + exit(1); + } + + capng_apply(CAPNG_SELECT_CAPS); + + if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long) cap, 0, 0)) + { + perror("cannot raise the capability into the Ambient set\n"); + exit(1); + } +} + +// Given the path to this program, fetch its configured capability set +// (as set by `setcap ... /path/to/file`) and raise those capabilities +// into the Ambient set. 
+static int make_caps_ambient(const char *selfPath) +{ + cap_t caps = cap_get_file(selfPath); + + if(!caps) + { + fprintf(stderr, "could not retreive the capability set for this file\n"); + return 1; + } + + // We use `cap_to_text` and iteration over the tokenized result + // string because, as of libcap's current release, there is no + // facility for retrieving an array of `cap_value_t`'s that can be + // given to `prctl` in order to lift that capability into the + // Ambient set. + // + // Some discussion was had around shot-gunning all of the + // capabilities we know about into the Ambient set but that has a + // security smell and I deemed the risk of the current + // implementation crashing the program to be lower than the risk + // of a privilege escalation security hole being introduced by + // raising all capabilities, even ones we didn't intend for the + // program, into the Ambient set. + // + // `cap_t` which is returned by `cap_get_*` is an opaque type and + // even if we could retrieve the bitmasks (which, as far as I can + // tell we cannot) in order to get the `cap_value_t` + // representation for each capability we would have to take the + // total number of capabilities supported and iterate over the + // sequence of integers up-to that maximum total, testing each one + // against the bitmask ((bitmask >> n) & 1) to see if it's set and + // aggregating each "capability integer n" that is set in the + // bitmask. + // + // That, combined with the fact that we can't easily get the + // bitmask anyway seemed much more brittle than fetching the + // `cap_t`, transforming it into a textual representation, + // tokenizing the string, and using `cap_from_name` on the token + // to get the `cap_value_t` that we need for `prctl`. 
There is + // indeed risk involved if the output string format of + // `cap_to_text` ever changes but at this time the combination of + // factors involving the below list have led me to the conclusion + // that the best implementation at this time is reading then + // parsing with *lots of documentation* about why we're doing it + // this way. + // + // 1. No explicit API for fetching an array of `cap_value_t`'s or + // for transforming a `cap_t` into such a representation + // 2. The risk of a crash is lower than lifting all capabilities + // into the Ambient set + // 3. libcap is depended on heavily in the Linux ecosystem so + // there is a high chance that the output representation of + // `cap_to_text` will not change which reduces our risk that + // this parsing step will cause a crash + // + // The preferred method, should it ever be available in the + // future, would be to use libcap API's to transform the result + // from a `cap_get_*` into an array of `cap_value_t`'s that can + // then be given to prctl. + // + // - Parnell + ssize_t capLen; + char* capstr = cap_to_text(caps, &capLen); + cap_free(caps); + + // TODO: For now, we assume that cap_to_text always starts its + // result string with " =" and that the first capability is listed + // immediately after that. We should verify this. + assert(capLen >= 2); + capstr += 2; + + char* saveptr = NULL; + for(char* tok = strtok_r(capstr, ",", &saveptr); tok; tok = strtok_r(NULL, ",", &saveptr)) + { + cap_value_t capnum; + if (cap_from_name(tok, &capnum)) + { + fprintf(stderr, "cap_from_name failed, skipping: %s\n", tok); + } + else if (capnum == CAP_SETPCAP) + { + // Check for the cap_setpcap capability, we set this on the + // wrapper so it can elevate the capabilities to the Ambient + // set but we do not want to propagate it down into the + // wrapped program. + // + // TODO: what happens if that's the behavior you want + // though???? I'm preferring a strict vs. loose policy here. 
+ fprintf(stderr, "cap_setpcap in set, skipping it\n"); + } + else + { + set_ambient_cap(capnum); + printf("raised %s into the Ambient capability set\n", tok); + } + } + cap_free(capstr); + + return 0; +} + +int main(int argc, char * * argv) +{ + // I *think* it's safe to assume that a path from a symbolic link + // should safely fit within the PATH_MAX system limit. Though I'm + // not positive it's safe... + char selfPath[PATH_MAX]; + int selfPathSize = readlink("/proc/self/exe", selfPath, sizeof(selfPath) - 1); + + assert(selfPathSize > 0); + + selfPath[selfPathSize] = '\0'; + + // Make sure that we are being executed from the right location, + // i.e., `safeWrapperDir'. This is to prevent someone from creating + // hard link `X' from some other location, along with a false + // `X.real' file, to allow arbitrary programs from being executed + // with elevated capabilities. + int len = strlen(wrapperDir); + if (len > 0 && '/' == wrapperDir[len - 1]) + --len; + assert(!strncmp(selfPath, wrapperDir, len)); + assert('/' == wrapperDir[0]); + assert('/' == selfPath[len]); + + // Make *really* *really* sure that we were executed as + // `selfPath', and not, say, as some other setuid program. That + // is, our effective uid/gid should match the uid/gid of + // `selfPath'. + struct stat st; + assert(lstat(selfPath, &st) != -1); + + assert(!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())); + assert(!(st.st_mode & S_ISGID) || (st.st_gid == getegid())); + + // And, of course, we shouldn't be writable. + assert(!(st.st_mode & (S_IWGRP | S_IWOTH))); + + struct stat stR; + stat(sourceProg, &stR); + + // Make sure the program we're wrapping is non-zero + assert(stR.st_size > 0); + + // Read the capabilities set on the file and raise them in to the + // Ambient set so the program we're wrapping receives the + // capabilities too! 
+ if (strcmp(wrapperType, "setcap") == 0) + assert(!make_caps_ambient(selfPath)); + + execve(sourceProg, argv, environ); + + fprintf(stderr, "%s: cannot run `%s': %s\n", + argv[0], sourceProg, strerror(errno)); + + exit(1); +} + + diff --git a/nixos/modules/security/wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/wrappers/setcap-wrapper-drv.nix new file mode 100644 index 00000000000..03dca5c9f42 --- /dev/null +++ b/nixos/modules/security/wrappers/setcap-wrapper-drv.nix @@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.security.wrappers; + + # Produce a shell-code splice intended to be stitched into one of + # the build or install phases within the derivation. + mkSetcapWrapper = { program, source ? null, ...}: '' + if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then + # If we can't find the program, fall back to the + # system profile. + source=/nix/var/nix/profiles/default/bin/${program} + fi + + gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \ + -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ + -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include + ''; +in + +# This is only useful for Linux platforms and a kernel version of +# 4.3 or greater +assert pkgs.stdenv.isLinux; +assert lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"; + +pkgs.stdenv.mkDerivation { + name = "setcap-wrapper"; + unpackPhase = "true"; + buildInputs = [ pkgs.linuxHeaders ]; + installPhase = '' + mkdir -p $out/bin + + # Concat together all of our shell splices to compile + # binary wrapper programs for all configured setcap programs. + ${lib.concatMapStrings mkSetcapWrapper cfg.setcap} + ''; +} 
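Review bot: In `make_caps_ambient` the pointer returned by `cap_to_text` is advanced with `capstr += 2` and that interior pointer is later passed to `cap_free(capstr)`, which is undefined behaviour; keep the allocation start separate, e.g. `char *capstr = cap_to_text(caps, &capLen); char *p = capstr + 2;`, tokenize `p`, and free `capstr`. In `main`, `stat(sourceProg, &stR);` ignores its return value, so if the target is missing the following `assert(stR.st_size > 0)` reads an uninitialized struct; make it `assert(stat(sourceProg, &stR) != -1);`. `set_ambient_cap` likewise ignores the result of `capng_apply`, and the success message `printf("raised %s into the Ambient capability set\n", tok)` is written to the wrapped program's stdout, which pollutes output of tools like `ping` when piped; I would check the apply result and move or drop that message.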
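Review bot: `mkSetcapWrapper` resolves the program with `PATH=$PERMISSIONS_WRAPPER_PATH`, a variable nothing visible in this derivation sets (the setuid variant reads `$WRAPPER_PATH`, and the activation script only exports `WRAPPER_PATH` at activation time, not in this build sandbox), so every entry without an explicit `source` takes the `/nix/var/nix/profiles/default/bin/${program}` fallback and that mutable, non-store path is baked in as `SOURCE_PROG` of a capability-bearing wrapper. A lookup miss should fail the build rather than fall back silently, e.g. replace the fallback assignment with `echo "cannot find ${program} to wrap" >&2; exit 1`. The derivation also reads `config.security.run-wrapperDir`, which the new module does not declare (`security.wrapperDir` is the declared option), and iterates `cfg.setcap` while `security.wrappers` is simultaneously declared as a plain `attrs` option, so it is unclear the list it expects ever reaches it.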
diff --git a/nixos/modules/security/wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/wrappers/setuid-wrapper-drv.nix new file mode 100644 index 00000000000..e08ae799bf4 --- /dev/null +++ b/nixos/modules/security/wrappers/setuid-wrapper-drv.nix @@ -0,0 +1,35 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.security.wrappers; + + # Produce a shell-code splice intended to be stitched into one of + # the build or install phases within the derivation. + mkSetuidWrapper = { program, source ? null, ...}: '' + if ! source=${if source != null then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then + # If we can't find the program, fall back to the + # system profile. + source=/nix/var/nix/profiles/default/bin/${program} + fi + + gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \ + -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ + -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include + ''; +in + +# This is only useful for Linux platforms and a kernel version of +# 4.3 or greater +assert pkgs.stdenv.isLinux; + +pkgs.stdenv.mkDerivation { + name = "setuid-wrapper"; + unpackPhase = "true"; + installPhase = '' + mkdir -p $out/bin + + # Concat together all of our shell splices to compile + # binary wrapper programs for all configured setcap programs. + ${lib.concatMapStrings mkSetuidWrapper cfg.setuid} + ''; +} diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix index 86451ec318c..c933c496479 100644 --- a/nixos/modules/services/logging/logcheck.nix +++ b/nixos/modules/services/logging/logcheck.nix 
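Review bot: `mkSetuidWrapper` looks programs up with `PATH=$WRAPPER_PATH`, but that variable is exported by the activation script at activation time, not in this derivation's build environment, so for every `security.setuidPrograms` entry (none of which carries a `source`) `type -tP` presumably fails and the wrapper is compiled against `/nix/var/nix/profiles/default/bin/${program}` — a mutable path outside the store closure, now the exec target of a setuid-root binary. Pass the search path in explicitly, e.g. add `WRAPPER_PATH = "${config.system.path}/bin:${config.system.path}/sbin";` as a derivation attribute, and turn a miss into a build failure instead of a fallback. The list it iterates, `cfg.setuid`, is `security.wrappers.setuid`, which the new module does not declare as an option, and the comment above `concatMapStrings` still says "setcap programs".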
@@ -29,8 +29,8 @@ let }; cronJob = '' - @reboot logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} - 2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} + @reboot logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} + 2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} ''; writeIgnoreRule = name: {level, regex, ...}: diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 6b37a8a4ea2..7cea2f75439 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -13,7 +13,7 @@ let '' base_dir = ${baseDir} protocols = ${concatStringsSep " " cfg.protocols} - sendmail_path = /var/permissions-wrappers/sendmail + sendmail_path = /run/wrappers/sendmail '' (if isNull cfg.sslServerCert then '' diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index 6dfb8fdef11..71414bddd5d 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -70,7 +70,7 @@ in etc."exim.conf".text = '' exim_user = ${cfg.user} exim_group = ${cfg.group} - exim_path = /var/permissions-wrappers/exim + exim_path = /run/wrappers/exim spool_directory = ${cfg.spoolDir} ${cfg.config} ''; @@ -89,15 +89,7 @@ in gid = config.ids.gids.exim; }; - security.permissionsWrappers.setuid = - [ - { program = "exim"; - source = "${pkgs.exim.out}/bin/exim"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; + security.setuidPrograms = [ "exim" ]; systemd.services.exim = { description = "Exim Mail Daemon"; diff --git a/nixos/modules/services/mail/mail.nix b/nixos/modules/services/mail/mail.nix index e8b16349f1a..aef02eddbe1 100644 --- a/nixos/modules/services/mail/mail.nix +++ b/nixos/modules/services/mail/mail.nix 
@@ -26,7 +26,7 @@ with lib; config = mkIf (config.services.mail.sendmailSetuidWrapper != null) { - security.permissionsWrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ]; + security.wrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ]; }; diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index a80565fa280..cd4a5125029 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix @@ -34,7 +34,7 @@ let cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file) wrapProgram $file \ - --set PATH "/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \ + --set PATH "/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \ --set MUNIN_LIBDIR "${pkgs.munin}/lib" \ --set MUNIN_PLUGSTATE "/var/run/munin" @@ -183,7 +183,7 @@ in mkdir -p /etc/munin/plugins rm -rf /etc/munin/plugins/* - PATH="/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash + PATH="/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash ''; serviceConfig = { ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/"; diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix index 99fd5c4d367..af02d73597f 100644 --- a/nixos/modules/services/monitoring/smartd.nix +++ b/nixos/modules/services/monitoring/smartd.nix 
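Review bot: `security.wrappers.setuid = [ ... ]` targets a sub-option the rewritten `wrappers/default.nix` no longer declares — it declares `security.wrappers.setcap` plus a free-form `security.wrappers` attrs option, and the setuid path is now `security.setuidPrograms` or a per-program `security.wrappers.<name>` attrset — so this definition would at best be merged as an entry literally named `setuid` whose value is a list, which the activation script's `mapAttrsToList` classifier does not handle. The same pattern appears in the gale, atd, dbus, kde4/kde5 and virtualbox hunks of this patch. If `sendmailSetuidWrapper` has the `program`/`source`/`owner`/`group`/`setuid` shape of the other removed list entries, the direct translation is `security.wrappers.${config.services.mail.sendmailSetuidWrapper.program} = config.services.mail.sendmailSetuidWrapper;`.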
@@ -124,7 +124,7 @@ in }; mailer = mkOption { - default = "/var/permissions-wrappers/sendmail"; + default = "/run/wrappers/sendmail"; type = types.path; description = '' Sendmail-compatible binary to be used to send the messages. diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index 884966363b8..8cc8f21851c 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -30,7 +30,7 @@ let '' [ global ] security = ${cfg.securityType} - passwd program = /var/permissions-wrappers/passwd %u + passwd program = /run/wrappers/passwd %u pam password change = ${smbToString cfg.syncPasswordsByPam} invalid users = ${smbToString cfg.invalidUsers} diff --git a/nixos/modules/services/networking/gale.nix b/nixos/modules/services/networking/gale.nix index bc9b884f11b..f4c75c17290 100644 --- a/nixos/modules/services/networking/gale.nix +++ b/nixos/modules/services/networking/gale.nix @@ -141,7 +141,7 @@ in setgid = false; }; - security.permissionsWrappers.setuid = [ cfg.setuidWrapper ]; + security.wrappers.setuid = [ cfg.setuidWrapper ]; systemd.services.gale-galed = { description = "Gale messaging daemon"; diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix index 67d8cece611..58e6ad8a683 100644 --- a/nixos/modules/services/networking/prayer.nix +++ b/nixos/modules/services/networking/prayer.nix @@ -18,7 +18,7 @@ let var_prefix = "${stateDir}" prayer_user = "${prayerUser}" prayer_group = "${prayerGroup}" - sendmail_path = "/var/permissions-wrappers/sendmail" + sendmail_path = "/run/wrappers/sendmail" use_http_port ${cfg.port} diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index 67aa313c860..b7bb55f5508 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix 
@@ -219,14 +219,14 @@ in type = types.string; default = '' + FPing - binary = ${config.security.permissionsWrapperDir}/fping + binary = ${config.security.wrapperDir}/fping ''; description = "Probe configuration"; }; sendmail = mkOption { type = types.nullOr types.path; default = null; - example = "/var/permissions-wrappers/sendmail"; + example = "/run/wrappers/sendmail"; description = "Use this sendmail compatible script to deliver alerts"; }; smokeMailTemplate = mkOption { @@ -273,21 +273,7 @@ in message = "services.smokeping: sendmail and Mailhost cannot both be enabled."; } ]; - security.permissionsWrappers.setuid = [ - { program = "fping"; - source = "${pkgs.fping}/bin/fping"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "fping"; - source = "${pkgs.fping}/bin/fping6"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; + security.setuidPrograms = [ "fping" "fping6" ]; environment.systemPackages = [ pkgs.fping ]; users.extraUsers = singleton { name = cfg.user; diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix index 9c4f8d59faa..316ab847b34 100644 --- a/nixos/modules/services/scheduling/atd.nix +++ b/nixos/modules/services/scheduling/atd.nix @@ -42,7 +42,7 @@ in config = mkIf cfg.enable { - security.permissionsWrappers.setuid = map (program: { + security.wrappers.setuid = map (program: { inherit program; source = "${pkgs.atd}/bin/${program}"; diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index e33961658f0..26ce3c98d67 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -20,7 +20,7 @@ let cronNixosPkg = pkgs.cron.override { # The mail.nix nixos module, if there is any local mail system enabled, # should have sendmail in this path. - sendmailPath = "/var/permissions-wrappers/sendmail"; + sendmailPath = "/run/wrappers/sendmail"; }; allFiles = 
@@ -61,7 +61,7 @@ in A list of Cron jobs to be appended to the system-wide crontab. See the manual page for crontab for the expected format. If you want to get the results mailed you must setuid - sendmail. See + sendmail. See If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root will is allowed to have its own crontab file. The /var/cron/cron.deny file @@ -92,21 +92,9 @@ in config = mkMerge [ { services.cron.enable = mkDefault (allFiles != []); } - (mkIf (config.services.cron.enable) { - - security.permissionsWrappers.setuid = - [ - { program = "crontab"; - source = "${pkgs.cronNixosPkg.out}/bin/crontab"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; - + security.setuidPrograms = [ "crontab" ]; environment.systemPackages = [ cronNixosPkg ]; - environment.etc.crontab = { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; } '' diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index 5804f0ee72f..f0de996224f 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -96,7 +96,7 @@ in fcronallow = /etc/fcron.allow fcrondeny = /etc/fcron.deny shell = /bin/sh - sendmail = /var/permissions-wrappers/sendmail + sendmail = /run/wrappers/sendmail editor = /run/current-system/sw/bin/vi ''; target = "fcron.conf"; @@ -106,16 +106,7 @@ in environment.systemPackages = [ pkgs.fcron ]; - security.permissionsWrappers.setuid = - [ - { program = "fcrontab"; - source = "${pkgs.fcron.out}/bin/fcrontab"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; - + security.setuidPrograms = [ "fcrontab" ]; systemd.services.fcron = { description = "fcron daemon"; after = [ "local-fs.target" ]; diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix index d15d5551e34..47fc4426af0 100644 --- a/nixos/modules/services/system/dbus.nix +++ b/nixos/modules/services/system/dbus.nix 
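Review bot: The third hunk removes the `(mkIf (config.services.cron.enable) {` that guarded the crontab wrapper, `environment.systemPackages` and `environment.etc.crontab`, but its matching closing `})` lies outside the hunk and is not visibly removed; either the `mkMerge` list is now unbalanced, or, if the closer was dropped elsewhere, `cronNixosPkg` and the setuid `crontab` wrapper are installed unconditionally even when `services.cron.enable` is false. I would keep the guard: `(mkIf config.services.cron.enable { security.setuidPrograms = [ "crontab" ]; environment.systemPackages = [ cronNixosPkg ]; … })`. As with the other `setuidPrograms` conversions, the explicit `source` is lost, so the wrapper now depends on `crontab` being found on the build-time search path, and since `cron.nix` overrides the package with a custom `sendmailPath` it matters that the overridden binary, not some other `crontab`, is the one found; the enclosing config block continues outside the hunk.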
@@ -38,7 +38,7 @@ let sed -ri "s@/etc/dbus-1/(system|session)-@$out/\1-@" $out/{system,session}.conf sed '${./dbus-system-local.conf.in}' \ - -e 's,@servicehelper@,${config.security.permissionsWrapperDir}/dbus-daemon-launch-helper,g' \ + -e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \ -e 's,@extra@,${systemExtraxml},' \ > "$out/system-local.conf" @@ -114,7 +114,7 @@ in systemd.packages = [ pkgs.dbus.daemon ]; - security.permissionsWrappers.setuid = singleton + security.wrappers.setuid = singleton { program = "dbus-daemon-launch-helper"; source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper"; owner = "root"; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 9d0ff77c2ae..feee6ba87ec 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -62,16 +62,7 @@ in ''; }]; - security.permissionsWrappers.setuid = - [ - { program = "e_freqset"; - source = "${e.enlightenment.out}/bin/e_freqset"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; - + security.setuidPrograms = [ "e_freqset" ]; environment.etc = singleton { source = "${pkgs.xkeyboard_config}/etc/X11/xkb"; target = "X11/xkb"; diff --git a/nixos/modules/services/x11/desktop-managers/kde4.nix b/nixos/modules/services/x11/desktop-managers/kde4.nix index 31d2ebcdf1a..d21a1f28dca 100644 --- a/nixos/modules/services/x11/desktop-managers/kde4.nix +++ b/nixos/modules/services/x11/desktop-managers/kde4.nix @@ -131,7 +131,7 @@ in ''; }; - security.permissionsWrappers.setuid = singleton + security.wrappers.setuid = singleton { program = "kcheckpass"; source = "${kde_workspace}/lib/kde4/libexec/kcheckpass"; owner = "root"; diff --git a/nixos/modules/services/x11/desktop-managers/kde5.nix b/nixos/modules/services/x11/desktop-managers/kde5.nix index f886c60793d..a4124aaefa9 100644 
--- a/nixos/modules/services/x11/desktop-managers/kde5.nix +++ b/nixos/modules/services/x11/desktop-managers/kde5.nix @@ -68,7 +68,7 @@ in ''; }; - security.permissionsWrappers.setuid = [ + security.wrappers.setuid = [ { program = "kcheckpass"; source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass"; diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index 86f552cd3ca..ffc0700806c 100644 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -131,10 +131,10 @@ if [ -n "@useHostResolvConf@" -a -e /etc/resolv.conf ]; then cat /etc/resolv.conf | resolvconf -m 1000 -a host fi -# Create /var/permissions-wrappers as a tmpfs. -rm -rf /var/permissions-wrappers -mkdir -m 0755 -p /var/permissions-wrappers -mount -t tmpfs -o "mode=0755" tmpfs /var/permissions-wrappers +# Create /run/wrappers as a tmpfs. +rm -rf /run/wrappers +mkdir -m 0755 -p /run/wrappers +mount -t tmpfs -o "mode=0755" tmpfs /run/wrappers # Log the script output to /dev/kmsg or /run/log/stage-2-init.log. # Only at this point are all the necessary prerequisites ready for these commands. diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 61519c6a3ce..1afcddd915f 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix 
@@ -898,38 +898,23 @@ in # Capabilities won't work unless we have at-least a 4.3 Linux # kernel because we need the ambient capability - security.permissionsWrappers.setcap = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") ( - [ - { program = "ping"; - source = "${pkgs.iputils.out}/bin/ping"; - capabilities = "cap_net_raw+p"; - } + security.wrappers = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") { + ping = { + source = "${pkgs.iputils.out}/bin/ping"; + capabilities = "cap_net_raw+p"; + }; - { program = "ping6"; - source = "${pkgs.iputils.out}/bin/ping6"; - capabilities = "cap_net_raw+p"; - } - ] - ); - - # If our linux kernel IS older than 4.3, let's setuid ping and ping6 - security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") ( - [ - { program = "ping"; - source = "${pkgs.iputils.out}/bin/ping"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "ping6"; - source = "${pkgs.iputils.out}/bin/ping6"; - owner = "root"; - group = "root"; - setuid = true; - } - ] - ); + ping6 = { + source = "${pkgs.iputils.out}/bin/ping6"; + capabilities = "cap_net_raw+p"; + }; + }; + + # If the linux kernel IS older than 4.3, create setuid wrappers + # for ping and ping6 + security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") [ + "ping" "ping6" + ]; # Set the host and domain names in the activation script. Don't # clear it if it's not configured in the NixOS configuration, diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix index b3647482f2c..405a630dfa7 100644 --- a/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixos/modules/virtualisation/virtualbox-host.nix 
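Review bot: The new `ping`/`ping6` entries specify only `source` and `capabilities`, so they take the module defaults `owner = "nobody"` and `group = "nogroup"` from `mkSetcapProgram`; a capability-bearing file owned by `nobody` can be `chmod`-ed and rewritten by any process running as that user, and the C wrapper's self-check only refuses group/other-writable files, not owner-writable ones. Pin the ownership explicitly, e.g. `ping = { source = "${pkgs.iputils.out}/bin/ping"; capabilities = "cap_net_raw+p"; owner = "root"; group = "root"; };` (and the same for `ping6`). Note also that `mkIf` on the `setuidPrograms` list and on the `wrappers` attrs are keyed on the same kernel-version test with opposite polarity, which is fine, but the `assert lib.versionAtLeast ... "4.3"` inside the setcap derivation will abort evaluation rather than skip if any other module adds a `capabilities` entry on an older kernel.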
@@ -68,7 +68,7 @@ in boot.extraModulePackages = [ kernelModules ]; environment.systemPackages = [ virtualbox ]; - security.permissionsWrappers.setuid = let + security.wrappers.setuid = let mkSuid = program: { inherit program; source = "${virtualbox}/libexec/virtualbox/${program}"; @@ -99,7 +99,7 @@ in SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor" ''; - # Since we lack the right setuid binaries, set up a host-only network by default. + # Since we lack the right setuid/setcap binaries, set up a host-only network by default. } (mkIf cfg.addNetworkInterface { systemd.services."vboxnet0" = { description = "VirtualBox vboxnet0 Interface"; diff --git a/nixos/tests/smokeping.nix b/nixos/tests/smokeping.nix index 7e2d84f4422..5e2d013abc5 100644 --- a/nixos/tests/smokeping.nix +++ b/nixos/tests/smokeping.nix @@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : { mailHost = "127.0.0.2"; probeConfig = '' + FPing - binary = /var/permissions-wrappers/fping + binary = /run/wrappers/fping offset = 0% ''; }; diff --git a/pkgs/applications/editors/sublime3/default.nix b/pkgs/applications/editors/sublime3/default.nix index 0f7d50088a9..1c24ff4737b 100644 --- a/pkgs/applications/editors/sublime3/default.nix +++ b/pkgs/applications/editors/sublime3/default.nix @@ -1,5 +1,5 @@ { fetchurl, stdenv, glib, xorg, cairo, gtk2, pango, makeWrapper, openssl, bzip2, - pkexecPath ? "/var/permissions-wrappers/pkexec", libredirect, + pkexecPath ? "/run/wrappers/pkexec", libredirect, gksuSupport ? false, gksu}: assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux"; diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index dd8fd32adfd..7009cf17fab 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix 
@@ -83,9 +83,9 @@ in stdenv.mkDerivation { ed -v -s "$out/bin/chromium" << EOF 2i - if [ -x "/var/permissions-wrappers/${sandboxExecutableName}" ] + if [ -x "/run/wrappers/${sandboxExecutableName}" ] then - export CHROME_DEVEL_SANDBOX="/var/permissions-wrappers/${sandboxExecutableName}" + export CHROME_DEVEL_SANDBOX="/run/wrappers/${sandboxExecutableName}" else export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}" fi diff --git a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch index 9a83fc09e4e..4b59f1a376d 100644 --- a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch +++ b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch @@ -26,7 +26,7 @@ index 50e8ad8..eec0ed2 100644 + is_nixos=no +fi + -+if [ -u /var/permissions-wrappers/gksign ]; then ++if [ -u /run/wrappers/gksign ]; then + cat < -#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit" -+#define EXECUTE "/var/permissions-wrappers/start_kdeinit" ++#define EXECUTE "/run/wrappers/start_kdeinit" #if KDEINIT_OOM_PROTECT diff --git a/pkgs/development/libraries/libgksu/default.nix b/pkgs/development/libraries/libgksu/default.nix index 7da4a900b7e..6d57ca2397e 100644 --- a/pkgs/development/libraries/libgksu/default.nix +++ b/pkgs/development/libraries/libgksu/default.nix @@ -57,8 +57,8 @@ stdenv.mkDerivation rec { # Fix some binary paths sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c - sed -i -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|g' libgksu/libgksu.c - sed -i -e 's|/bin/su\([^d]\)|/var/permissions-wrappers/su\1|g' libgksu/libgksu.c + sed -i -e 's|/usr/bin/sudo|/run/wrappers/sudo|g' libgksu/libgksu.c + sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/su\1|g' libgksu/libgksu.c touch NEWS README ''; 
diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix index 0f7106181b8..b2e2ecf0493 100644 --- a/pkgs/development/libraries/polkit/default.nix +++ b/pkgs/development/libraries/polkit/default.nix @@ -5,7 +5,7 @@ let system = "/var/run/current-system/sw"; - setuid = "/var/permissions-wrappers"; #TODO: from config.security.wrapperDir; + setuid = "/run/wrappers"; #TODO: from config.security.wrapperDir; foolVars = { SYSCONF = "/etc"; diff --git a/pkgs/development/tools/unity3d/default.nix b/pkgs/development/tools/unity3d/default.nix index 1fc56b98656..2d4977a3195 100644 --- a/pkgs/development/tools/unity3d/default.nix +++ b/pkgs/development/tools/unity3d/default.nix @@ -94,7 +94,7 @@ in stdenv.mkDerivation rec { unitydir="$out/opt/Unity/Editor" mkdir -p $unitydir mv Editor/* $unitydir - ln -sf /var/permissions-wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox + ln -sf /run/wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox mkdir -p $out/share/applications sed "/^Exec=/c\Exec=$out/bin/unity-editor" \ diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix index a36934004d2..29bcc58c7c0 100644 --- a/pkgs/os-specific/linux/fuse/default.nix +++ b/pkgs/os-specific/linux/fuse/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { # Ensure that FUSE calls the setuid wrapper, not # $out/bin/fusermount. It falls back to calling fusermount in # $PATH, so it should also work on non-NixOS systems. - export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/var/permissions-wrappers\"" + export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers\"" sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh diff --git a/pkgs/os-specific/linux/mdadm/4.nix b/pkgs/os-specific/linux/mdadm/4.nix index abe8632773f..af8e53ec3a2 100644 
--- a/pkgs/os-specific/linux/mdadm/4.nix +++ b/pkgs/os-specific/linux/mdadm/4.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { preConfigure = '' sed -e 's@/lib/udev@''${out}/lib/udev@' \ -e 's@ -Werror @ @' \ - -e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile + -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile ''; meta = { diff --git a/pkgs/os-specific/linux/mdadm/default.nix b/pkgs/os-specific/linux/mdadm/default.nix index 531d55a7f12..d9bdf21723b 100644 --- a/pkgs/os-specific/linux/mdadm/default.nix +++ b/pkgs/os-specific/linux/mdadm/default.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { preConfigure = '' sed -e 's@/lib/udev@''${out}/lib/udev@' \ -e 's@ -Werror @ @' \ - -e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile + -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile ''; meta = { diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix index 196af58183f..dc61b3f27f6 100644 --- a/pkgs/os-specific/linux/pam/default.nix +++ b/pkgs/os-specific/linux/pam/default.nix @@ -34,7 +34,7 @@ stdenv.mkDerivation rec { postInstall = '' mv -v $out/sbin/unix_chkpwd{,.orig} - ln -sv /var/permissions-wrappers/unix_chkpwd $out/sbin/unix_chkpwd + ln -sv /run/wrappers/unix_chkpwd $out/sbin/unix_chkpwd ''; /* rm -rf $out/etc mkdir -p $modules/lib diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index 1c4a7b798ce..90fbf861448 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -36,7 +36,7 @@ stdenv.mkDerivation rec { --enable-last --enable-mesg --disable-use-tty-group - --enable-fs-paths-default=/var/permissions-wrappers:/var/run/current-system/sw/bin:/sbin + --enable-fs-paths-default=/run/wrappers:/var/run/current-system/sw/bin:/sbin ${if ncurses == null then "--without-ncurses" else ""} ${if systemd == null then "" else '' --with-systemd 
diff --git a/pkgs/servers/interlock/default.nix b/pkgs/servers/interlock/default.nix index af733540ff3..b58c1b50e03 100644 --- a/pkgs/servers/interlock/default.nix +++ b/pkgs/servers/interlock/default.nix @@ -30,7 +30,7 @@ buildGoPackage rec { -e 's|/bin/chown|${coreutils}/bin/chown|' \ -e 's|/bin/date|${coreutils}/bin/date|' \ -e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \ - -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|' \ + -e 's|/usr/bin/sudo|/run/wrappers/sudo|' \ -e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|' ''; } diff --git a/pkgs/servers/mail/petidomo/default.nix b/pkgs/servers/mail/petidomo/default.nix index c112af567fd..1770517047f 100644 --- a/pkgs/servers/mail/petidomo/default.nix +++ b/pkgs/servers/mail/petidomo/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, flex, bison, sendmailPath ? "/var/permissions-wrappers/sendmail" }: +{ stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/sendmail" }: stdenv.mkDerivation rec { name = "petidomo-4.3"; diff --git a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix index ac1cb1a5398..30bd7e8a7c3 100644 --- a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix +++ b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix @@ -16,8 +16,8 @@ stdenv.mkDerivation rec { # configured on the build machine). preConfigure= " configureFlagsArray=( - --with-ping-command='/var/permissions-wrappers/ping -n -U -w %d -c %d %s' - --with-ping6-command='/var/permissions-wrappers/ping6 -n -U -w %d -c %d %s' + --with-ping-command='/run/wrappers/ping -n -U -w %d -c %d %s' + --with-ping6-command='/run/wrappers/ping6 -n -U -w %d -c %d %s' ) "; diff --git a/pkgs/tools/X11/x11vnc/default.nix b/pkgs/tools/X11/x11vnc/default.nix index 5f96a35af6f..b343a7da378 100644 --- a/pkgs/tools/X11/x11vnc/default.nix +++ b/pkgs/tools/X11/x11vnc/default.nix 
@@ -20,10 +20,10 @@ stdenv.mkDerivation rec { configureFlags="--mandir=$out/share/man" substituteInPlace x11vnc/unixpw.c \ - --replace '"/bin/su"' '"/var/permissions-wrappers/su"' \ + --replace '"/bin/su"' '"/run/wrappers/su"' \ --replace '"/bin/true"' '"${coreutils}/bin/true"' - sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/var/permissions-wrappers/su|g' x11vnc/ssltools.h + sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/su|g' x11vnc/ssltools.h ''; meta = { diff --git a/pkgs/tools/admin/certbot/default.nix b/pkgs/tools/admin/certbot/default.nix index 23eb02e294a..366213d2e1e 100644 --- a/pkgs/tools/admin/certbot/default.nix +++ b/pkgs/tools/admin/certbot/default.nix @@ -31,7 +31,7 @@ python2Packages.buildPythonApplication rec { buildInputs = [ dialog ] ++ (with python2Packages; [ nose mock gnureadline ]); patchPhase = '' - substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/var/permissions-wrappers/sendmail" + substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/sendmail" substituteInPlace certbot/util.py --replace "sw_vers" "/usr/bin/sw_vers" ''; diff --git a/pkgs/tools/misc/debian-devscripts/default.nix b/pkgs/tools/misc/debian-devscripts/default.nix index 2261bfc6637..be3b674de04 100644 --- a/pkgs/tools/misc/debian-devscripts/default.nix +++ b/pkgs/tools/misc/debian-devscripts/default.nix @@ -2,7 +2,7 @@ , FileDesktopEntry, libxslt, docbook_xsl, makeWrapper , python3Packages , perlPackages, curl, gnupg, diffutils -, sendmailPath ? "/var/permissions-wrappers/sendmail" +, sendmailPath ? "/run/wrappers/sendmail" }: let diff --git a/pkgs/tools/security/ecryptfs/default.nix b/pkgs/tools/security/ecryptfs/default.nix index 7e941e5378a..98e06d1de3e 100644 --- a/pkgs/tools/security/ecryptfs/default.nix +++ b/pkgs/tools/security/ecryptfs/default.nix 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { }; # TODO: replace wrapperDir below with from config.security.wrapperDir; - wrapperDir = "/var/permissions-wrappers"; + wrapperDir = "/run/wrappers"; postPatch = '' FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)" diff --git a/pkgs/tools/security/ecryptfs/helper.nix b/pkgs/tools/security/ecryptfs/helper.nix index 6e3e6766a28..3daaadcaad6 100644 --- a/pkgs/tools/security/ecryptfs/helper.nix +++ b/pkgs/tools/security/ecryptfs/helper.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; - # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/permissions-wrappers + # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers installPhase = '' mkdir -p $out/bin $out/libexec cp $src $out/libexec/ecryptfs-helper.py diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix index a3a13f19803..0d2953c6f45 100644 --- a/pkgs/tools/security/sudo/default.nix +++ b/pkgs/tools/security/sudo/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, coreutils, pam, groff -, sendmailPath ? "/var/permissions-wrappers/sendmail" +, sendmailPath ? "/run/wrappers/sendmail" , withInsults ? false }: diff --git a/pkgs/tools/system/at/default.nix b/pkgs/tools/system/at/default.nix index 2fb5b9670c8..9f8bad00ca4 100644 --- a/pkgs/tools/system/at/default.nix +++ b/pkgs/tools/system/at/default.nix @@ -1,4 +1,4 @@ -{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/var/permissions-wrappers/sendmail" }: +{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/sendmail" }: stdenv.mkDerivation { name = "at-3.1.16"; diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index f7f2a6158a2..8a6a5dc15d3 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix 
@@ -23,7 +23,7 @@ stdenv.mkDerivation { #define _PATH_SENDMAIL "${sendmailPath}" #undef _PATH_DEFPATH - #define _PATH_DEFPATH "/var/permissions-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" + #define _PATH_DEFPATH "/run/wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" __EOT__ # Implicit saved uids do not work here due to way NixOS uses setuid wrappers diff --git a/pkgs/tools/system/ts/default.nix b/pkgs/tools/system/ts/default.nix index 1384ea04fb6..1dfb856d4d6 100644 --- a/pkgs/tools/system/ts/default.nix +++ b/pkgs/tools/system/ts/default.nix @@ -1,5 +1,5 @@ {stdenv, fetchurl, -sendmailPath ? "/var/permissions-wrappers/sendmail" }: +sendmailPath ? "/run/wrappers/sendmail" }: stdenv.mkDerivation rec { -- cgit 1.4.1 From 4aa0923009dac4d2307b5fe018b944180bfad6a2 Mon Sep 17 00:00:00 2001 
From: Parnell Springmeyer Date: Sun, 29 Jan 2017 04:11:01 -0600 Subject: Getting rid of the var indirection and using a bin path instead --- nixos/modules/installer/tools/nixos-install.sh | 4 +-- nixos/modules/security/apparmor-suid.nix | 3 +- nixos/modules/security/wrappers/default.nix | 33 ++++++++++++++++++++-- nixos/modules/services/logging/logcheck.nix | 4 +-- nixos/modules/services/mail/dovecot.nix | 2 +- nixos/modules/services/mail/exim.nix | 2 +- nixos/modules/services/monitoring/munin.nix | 4 +-- nixos/modules/services/monitoring/smartd.nix | 2 +- .../modules/services/network-filesystems/samba.nix | 2 +- nixos/modules/services/networking/prayer.nix | 2 +- nixos/modules/services/networking/smokeping.nix | 2 +- nixos/modules/services/scheduling/atd.nix | 4 +-- nixos/modules/services/scheduling/cron.nix | 2 +- nixos/modules/services/scheduling/fcron.nix | 2 +- nixos/modules/system/boot/stage-2-init.sh | 5 ---- nixos/modules/virtualisation/virtualbox-host.nix | 4 +-- nixos/tests/smokeping.nix | 2 +- pkgs/applications/editors/sublime3/default.nix | 2 +- .../networking/browsers/chromium/default.nix | 4 +-- .../instant-messengers/gale/gale-install.in.patch | 2 +- .../gitlab/remove-hardcoded-locations.patch | 2 +- .../virtualization/virtualbox/hardened.patch | 6 ++-- pkgs/build-support/build-fhs-userenv/env.nix | 2 +- pkgs/desktops/enlightenment/enlightenment.nix | 6 ++-- .../kde-frameworks/kinit/start_kdeinit-path.patch | 2 +- pkgs/development/libraries/libgksu/default.nix | 4 +-- pkgs/development/libraries/polkit/default.nix | 2 +- pkgs/development/tools/unity3d/default.nix | 2 +- pkgs/os-specific/linux/fuse/default.nix | 2 +- pkgs/os-specific/linux/mdadm/4.nix | 2 +- pkgs/os-specific/linux/mdadm/default.nix | 2 +- pkgs/os-specific/linux/pam/default.nix | 2 +- pkgs/os-specific/linux/util-linux/default.nix | 2 +- pkgs/servers/interlock/default.nix | 2 +- pkgs/servers/mail/petidomo/default.nix | 2 +- .../monitoring/nagios/plugins/official-2.x.nix | 4 +-- 
pkgs/tools/X11/x11vnc/default.nix | 4 +-- pkgs/tools/admin/certbot/default.nix | 2 +- pkgs/tools/misc/debian-devscripts/default.nix | 2 +- pkgs/tools/security/ecryptfs/default.nix | 2 +- pkgs/tools/security/ecryptfs/helper.nix | 2 +- pkgs/tools/security/sudo/default.nix | 2 +- pkgs/tools/system/at/default.nix | 2 +- pkgs/tools/system/cron/default.nix | 2 +- pkgs/tools/system/ts/default.nix | 2 +- 45 files changed, 86 insertions(+), 65 deletions(-) (limited to 'nixos/tests') diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 36b1a47956d..57bc249360e 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -259,9 +259,9 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate # Ask the user to set a root password. -if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/passwd ] && [ -t 0 ]; then +if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/bin/passwd ] && [ -t 0 ]; then echo "setting root password..." - chroot $mountPoint /run/wrappers/passwd + chroot $mountPoint /run/wrappers/bin/passwd fi diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix index e7b870864ee..dfbf5d859ba 100644 --- a/nixos/modules/security/apparmor-suid.nix +++ b/nixos/modules/security/apparmor-suid.nix @@ -19,7 +19,7 @@ with lib; config = mkIf (cfg.confineSUIDApplications) { security.apparmor.profiles = [ (pkgs.writeText "ping" '' #include - /run/wrappers/ping { + /run/wrappers/bin/ping { #include #include #include @@ -33,7 +33,6 @@ with lib; ${pkgs.attr.out}/lib/libattr.so* mr, ${pkgs.iputils}/bin/ping mixr, - /run/wrappers/ping.real r, #/etc/modules.conf r, diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 0170da03689..8837ac35a53 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix 
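Review bot: The profile is now attached to `/run/wrappers/bin/ping`, but the wrappers hunk in this same commit turns `/run/wrappers/bin` into a symlink to a `mktemp`-created directory under `/run/wrappers`; as far as I know AppArmor attaches profiles by the resolved path of the executed file, in which case this profile no longer matches and ping runs unconfined. The attachment path (a glob over the resolved directory, or whatever path `aa-status` reports on a booted system) should be verified before merging, and a short comment recording why the path differs from `wrapperDir` would help. Dropping `/run/wrappers/ping.real r,` is consistent with the wrapper builder now compiling in `SOURCE_PROG` instead of reading a `.real` file, so that part looks right.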
@@ -17,7 +17,9 @@ let source=/nix/var/nix/profiles/default/bin/${program} fi - gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.wrapperDir}\" \ + parentWrapperDir=$(dirname ${wrapperDir}) + + gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include ''; @@ -155,7 +157,7 @@ in security.wrapperDir = lib.mkOption { type = lib.types.path; - default = "/run/wrappers"; + default = "/run/wrappers/bin"; internal = true; description = '' This option defines the path to the wrapper programs. It @@ -181,11 +183,36 @@ in # programs to be wrapped. WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin + if [ -d ${config.security.old-wrapperDir} ]; then + rm -rf ${config.security.old-wrapperDir} + fi + + parentWrapperDir="$(dirname ${wrapperDir})" + mkdir -p ${wrapperDir} - wrapperDir=$(mktemp --directory --tmpdir=${wrapperDir} wrappers.XXXXXXXXXX) + wrapperDir=$(mktemp --directory --tmpdir="$parentWrapperDir" wrappers.XXXXXXXXXX) chmod a+rx $wrapperDir ${lib.concatStringsSep "\n" mkWrappedPrograms} + + if [ -L ${wrapperDir} ]; then + # Atomically replace the symlink + # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ + old=$(readlink ${wrapperDir}) + ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp + mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir} + rm --force --recursive $old + elif [ -d ${wrapperDir} ]; then + # Compatibility with old state, just remove the folder and symlink + rm -f ${wrapperDir}/* + # if it happens to be a tmpfs + ${pkgs.utillinux}/bin/umount ${wrapperDir} || true + rm -d ${wrapperDir} + ln -d --symbolic $wrapperDir ${wrapperDir} + else + # For initial setup + ln --symbolic $wrapperDir ${wrapperDir} + fi ''; }; } 
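Review bot: `mkdir -p ${wrapperDir}` in the activation hunk creates a real directory at the path that is meant to become the symlink, so on every fresh boot the `-L` test fails and the script takes the "compatibility" branch (including a spurious `umount` attempt); `mkdir -p "$parentWrapperDir"` would let the `else` branch handle initial setup as written. In that compatibility branch `ln -d --symbolic $wrapperDir ${wrapperDir}` mixes the hard-link-directories flag with `--symbolic` and should read `ln --symbolic $wrapperDir ${wrapperDir}` like the `else` branch. Cleanup only covers `old-wrapperDir` and a real directory at `${wrapperDir}`; the previous layout also used `mktemp --tmpdir=${wrapperDir}` with the old default `/run/wrappers`, so any wrapper directories it left under `$parentWrapperDir` are not removed by either branch and stale setuid binaries may survive the upgrade — worth confirming against what the old script actually wrote. Since this commit also drops the dedicated tmpfs mount in stage-2-init.sh, `$parentWrapperDir` is now an ordinary subdirectory of `/run` and inherits its mount flags; if `/run` is ever mounted `nosuid` the wrappers silently lose their privilege, so either a mount-flag check or a dedicated mount belongs in this activation snippet.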
diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix index c933c496479..72925b95cae 100644 --- a/nixos/modules/services/logging/logcheck.nix +++ b/nixos/modules/services/logging/logcheck.nix @@ -29,8 +29,8 @@ let }; cronJob = '' - @reboot logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} - 2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} + @reboot logcheck env PATH=/run/wrappers/bin:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} + 2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers/bin:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} ''; writeIgnoreRule = name: {level, regex, ...}: diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 7cea2f75439..3b25e41edb1 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -13,7 +13,7 @@ let '' base_dir = ${baseDir} protocols = ${concatStringsSep " " cfg.protocols} - sendmail_path = /run/wrappers/sendmail + sendmail_path = /run/wrappers/bin/sendmail '' (if isNull cfg.sslServerCert then '' diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index 71414bddd5d..b05344fa9b5 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -70,7 +70,7 @@ in etc."exim.conf".text = '' exim_user = ${cfg.user} exim_group = ${cfg.group} - exim_path = /run/wrappers/exim + exim_path = /run/wrappers/bin/exim spool_directory = ${cfg.spoolDir} ${cfg.config} ''; diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index cd4a5125029..6d2ce538368 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix 
@@ -34,7 +34,7 @@ let cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file) wrapProgram $file \ - --set PATH "/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \ + --set PATH "/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/bin" \ --set MUNIN_LIBDIR "${pkgs.munin}/lib" \ --set MUNIN_PLUGSTATE "/var/run/munin" @@ -183,7 +183,7 @@ in mkdir -p /etc/munin/plugins rm -rf /etc/munin/plugins/* - PATH="/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash + PATH="/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash ''; serviceConfig = { ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/"; diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix index af02d73597f..4d10299a987 100644 --- a/nixos/modules/services/monitoring/smartd.nix +++ b/nixos/modules/services/monitoring/smartd.nix @@ -124,7 +124,7 @@ in }; mailer = mkOption { - default = "/run/wrappers/sendmail"; + default = "/run/wrappers/bin/sendmail"; type = types.path; description = '' Sendmail-compatible binary to be used to send the messages. diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index 8cc8f21851c..09a11585bc9 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix 
@@ -30,7 +30,7 @@ let '' [ global ] security = ${cfg.securityType} - passwd program = /run/wrappers/passwd %u + passwd program = /run/wrappers/bin/passwd %u pam password change = ${smbToString cfg.syncPasswordsByPam} invalid users = ${smbToString cfg.invalidUsers} diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix index 58e6ad8a683..8cd4a082353 100644 --- a/nixos/modules/services/networking/prayer.nix +++ b/nixos/modules/services/networking/prayer.nix @@ -18,7 +18,7 @@ let var_prefix = "${stateDir}" prayer_user = "${prayerUser}" prayer_group = "${prayerGroup}" - sendmail_path = "/run/wrappers/sendmail" + sendmail_path = "/run/wrappers/bin/sendmail" use_http_port ${cfg.port} diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index b7bb55f5508..eedc2759337 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix @@ -226,7 +226,7 @@ in sendmail = mkOption { type = types.nullOr types.path; default = null; - example = "/run/wrappers/sendmail"; + example = "/run/wrappers/bin/sendmail"; description = "Use this sendmail compatible script to deliver alerts"; }; smokeMailTemplate = mkOption { diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix index 7b4937b5c67..f3ada6b7496 100644 --- a/nixos/modules/services/scheduling/atd.nix +++ b/nixos/modules/services/scheduling/atd.nix @@ -42,13 +42,13 @@ in config = mkIf cfg.enable { - security.wrappers.setuid = map (program: "${program}" = { + security.wrappers = map (program: {"${program}" = { source = "${pkgs.atd}/bin/${program}"; owner = "atd"; group = "atd"; setuid = true; setgid = true; - }) [ "at" "atq" "atrm" "batch" ]; + };}) [ "at" "atq" "atrm" "batch" ]; environment.systemPackages = [ at ]; 
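Review bot: `map (program: {"${program}" = { … };}) [ "at" "atq" "atrm" "batch" ]` yields a list of one-key attrsets, while the network-interfaces hunk in the previous commit assigns `security.wrappers` a plain attrset (`{ ping = { … }; ping6 = { … }; }`), so this definition will fail type-checking (or merge wrongly) unless the option also accepts lists. The idiomatic form is `security.wrappers = genAttrs [ "at" "atq" "atrm" "batch" ] (program: { source = "${pkgs.atd}/bin/${program}"; owner = "atd"; group = "atd"; setuid = true; setgid = true; });`. The virtualbox-host.nix hunk below (`mkIf cfg.enableHardening (map mkSuid [ … ])`) has the same shape and needs the same fix.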
diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index 7bd1e481804..48c5f6be316 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -20,7 +20,7 @@ let cronNixosPkg = pkgs.cron.override { # The mail.nix nixos module, if there is any local mail system enabled, # should have sendmail in this path. - sendmailPath = "/run/wrappers/sendmail"; + sendmailPath = "/run/wrappers/bin/sendmail"; }; allFiles = diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index f0de996224f..339b0de66e9 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -96,7 +96,7 @@ in fcronallow = /etc/fcron.allow fcrondeny = /etc/fcron.deny shell = /bin/sh - sendmail = /run/wrappers/sendmail + sendmail = /run/wrappers/bin/sendmail editor = /run/current-system/sw/bin/vi ''; target = "fcron.conf"; diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index ffc0700806c..f827e530f87 100644 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -131,11 +131,6 @@ if [ -n "@useHostResolvConf@" -a -e /etc/resolv.conf ]; then cat /etc/resolv.conf | resolvconf -m 1000 -a host fi -# Create /run/wrappers as a tmpfs. -rm -rf /run/wrappers -mkdir -m 0755 -p /run/wrappers -mount -t tmpfs -o "mode=0755" tmpfs /run/wrappers - # Log the script output to /dev/kmsg or /run/log/stage-2-init.log. # Only at this point are all the necessary prerequisites ready for these commands. exec {logOutFd}>&1 {logErrFd}>&2 diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix index 70ee44680ab..501ed9bc683 100644 --- a/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixos/modules/virtualisation/virtualbox-host.nix 
@@ -69,12 +69,12 @@ in environment.systemPackages = [ virtualbox ]; security.wrappers = let - mkSuid = program: "${program}" = { + mkSuid = program: {"${program}" = { source = "${virtualbox}/libexec/virtualbox/${program}"; owner = "root"; group = "vboxusers"; setuid = true; - }; + };}; in mkIf cfg.enableHardening (map mkSuid [ "VBoxHeadless" "VBoxNetAdpCtl" diff --git a/nixos/tests/smokeping.nix b/nixos/tests/smokeping.nix index 5e2d013abc5..4c77e4b7861 100644 --- a/nixos/tests/smokeping.nix +++ b/nixos/tests/smokeping.nix @@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : { mailHost = "127.0.0.2"; probeConfig = '' + FPing - binary = /run/wrappers/fping + binary = /run/wrappers/bin/fping offset = 0% ''; }; diff --git a/pkgs/applications/editors/sublime3/default.nix b/pkgs/applications/editors/sublime3/default.nix index 1c24ff4737b..f900a4e9147 100644 --- a/pkgs/applications/editors/sublime3/default.nix +++ b/pkgs/applications/editors/sublime3/default.nix @@ -1,5 +1,5 @@ { fetchurl, stdenv, glib, xorg, cairo, gtk2, pango, makeWrapper, openssl, bzip2, - pkexecPath ? "/run/wrappers/pkexec", libredirect, + pkexecPath ? "/run/wrappers/bin/pkexec", libredirect, gksuSupport ? false, gksu}: assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux"; diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index 7009cf17fab..c59d6b00945 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix 
@@ -83,9 +83,9 @@ in stdenv.mkDerivation { ed -v -s "$out/bin/chromium" << EOF 2i - if [ -x "/run/wrappers/${sandboxExecutableName}" ] + if [ -x "/run/wrappers/bin/${sandboxExecutableName}" ] then - export CHROME_DEVEL_SANDBOX="/run/wrappers/${sandboxExecutableName}" + export CHROME_DEVEL_SANDBOX="/run/wrappers/bin/${sandboxExecutableName}" else export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}" fi diff --git a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch index 4b59f1a376d..33e3e09a96d 100644 --- a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch +++ b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch @@ -26,7 +26,7 @@ index 50e8ad8..eec0ed2 100644 + is_nixos=no +fi + -+if [ -u /run/wrappers/gksign ]; then ++if [ -u /run/wrappers/bin/gksign ]; then + cat < -#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit" -+#define EXECUTE "/run/wrappers/start_kdeinit" ++#define EXECUTE "/run/wrappers/bin/start_kdeinit" #if KDEINIT_OOM_PROTECT diff --git a/pkgs/development/libraries/libgksu/default.nix b/pkgs/development/libraries/libgksu/default.nix index 6d57ca2397e..e96ef7329a2 100644 --- a/pkgs/development/libraries/libgksu/default.nix +++ b/pkgs/development/libraries/libgksu/default.nix @@ -57,8 +57,8 @@ stdenv.mkDerivation rec { # Fix some binary paths sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c - sed -i -e 's|/usr/bin/sudo|/run/wrappers/sudo|g' libgksu/libgksu.c - sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/su\1|g' libgksu/libgksu.c + sed -i -e 's|/usr/bin/sudo|/run/wrappers/bin/sudo|g' libgksu/libgksu.c + sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/bin/su\1|g' libgksu/libgksu.c touch NEWS README ''; 
diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix index b2e2ecf0493..27482743d2c 100644 --- a/pkgs/development/libraries/polkit/default.nix +++ b/pkgs/development/libraries/polkit/default.nix @@ -5,7 +5,7 @@ let system = "/var/run/current-system/sw"; - setuid = "/run/wrappers"; #TODO: from config.security.wrapperDir; + setuid = "/run/wrappers/bin"; #TODO: from config.security.wrapperDir; foolVars = { SYSCONF = "/etc"; diff --git a/pkgs/development/tools/unity3d/default.nix b/pkgs/development/tools/unity3d/default.nix index 2d4977a3195..73cb902ae69 100644 --- a/pkgs/development/tools/unity3d/default.nix +++ b/pkgs/development/tools/unity3d/default.nix @@ -94,7 +94,7 @@ in stdenv.mkDerivation rec { unitydir="$out/opt/Unity/Editor" mkdir -p $unitydir mv Editor/* $unitydir - ln -sf /run/wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox + ln -sf /run/wrappers/bin/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox mkdir -p $out/share/applications sed "/^Exec=/c\Exec=$out/bin/unity-editor" \ diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix index 29bcc58c7c0..db18b13bfb8 100644 --- a/pkgs/os-specific/linux/fuse/default.nix +++ b/pkgs/os-specific/linux/fuse/default.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { # Ensure that FUSE calls the setuid wrapper, not # $out/bin/fusermount. It falls back to calling fusermount in # $PATH, so it should also work on non-NixOS systems. - export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers\"" + export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers/bin\"" sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh diff --git a/pkgs/os-specific/linux/mdadm/4.nix b/pkgs/os-specific/linux/mdadm/4.nix index af8e53ec3a2..05d98de0b23 100644 --- a/pkgs/os-specific/linux/mdadm/4.nix 
+++ b/pkgs/os-specific/linux/mdadm/4.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { preConfigure = '' sed -e 's@/lib/udev@''${out}/lib/udev@' \ -e 's@ -Werror @ @' \ - -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile + -e 's@/usr/sbin/sendmail@/run/wrappers/bin/sendmail@' -i Makefile ''; meta = { diff --git a/pkgs/os-specific/linux/mdadm/default.nix b/pkgs/os-specific/linux/mdadm/default.nix index d9bdf21723b..e0109791ef2 100644 --- a/pkgs/os-specific/linux/mdadm/default.nix +++ b/pkgs/os-specific/linux/mdadm/default.nix @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { preConfigure = '' sed -e 's@/lib/udev@''${out}/lib/udev@' \ -e 's@ -Werror @ @' \ - -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile + -e 's@/usr/sbin/sendmail@/run/wrappers/bin/sendmail@' -i Makefile ''; meta = { diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix index dc61b3f27f6..5189b84ff7e 100644 --- a/pkgs/os-specific/linux/pam/default.nix +++ b/pkgs/os-specific/linux/pam/default.nix @@ -34,7 +34,7 @@ stdenv.mkDerivation rec { postInstall = '' mv -v $out/sbin/unix_chkpwd{,.orig} - ln -sv /run/wrappers/unix_chkpwd $out/sbin/unix_chkpwd + ln -sv /run/wrappers/bin/unix_chkpwd $out/sbin/unix_chkpwd ''; /* rm -rf $out/etc mkdir -p $modules/lib diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index 90fbf861448..6c3aacbef29 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -36,7 +36,7 @@ stdenv.mkDerivation rec { --enable-last --enable-mesg --disable-use-tty-group - --enable-fs-paths-default=/run/wrappers:/var/run/current-system/sw/bin:/sbin + --enable-fs-paths-default=/run/wrappers/bin:/var/run/current-system/sw/bin:/sbin ${if ncurses == null then "--without-ncurses" else ""} ${if systemd == null then "" else '' --with-systemd 
diff --git a/pkgs/servers/interlock/default.nix b/pkgs/servers/interlock/default.nix index b58c1b50e03..a0b59d332a3 100644 --- a/pkgs/servers/interlock/default.nix +++ b/pkgs/servers/interlock/default.nix @@ -30,7 +30,7 @@ buildGoPackage rec { -e 's|/bin/chown|${coreutils}/bin/chown|' \ -e 's|/bin/date|${coreutils}/bin/date|' \ -e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \ - -e 's|/usr/bin/sudo|/run/wrappers/sudo|' \ + -e 's|/usr/bin/sudo|/run/wrappers/bin/sudo|' \ -e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|' ''; } diff --git a/pkgs/servers/mail/petidomo/default.nix b/pkgs/servers/mail/petidomo/default.nix index 1770517047f..395f3ded7fd 100644 --- a/pkgs/servers/mail/petidomo/default.nix +++ b/pkgs/servers/mail/petidomo/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/sendmail" }: +{ stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/bin/sendmail" }: stdenv.mkDerivation rec { name = "petidomo-4.3"; diff --git a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix index 30bd7e8a7c3..1ea6f88084d 100644 --- a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix +++ b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix @@ -16,8 +16,8 @@ stdenv.mkDerivation rec { # configured on the build machine). preConfigure= " configureFlagsArray=( - --with-ping-command='/run/wrappers/ping -n -U -w %d -c %d %s' - --with-ping6-command='/run/wrappers/ping6 -n -U -w %d -c %d %s' + --with-ping-command='/run/wrappers/bin/ping -n -U -w %d -c %d %s' + --with-ping6-command='/run/wrappers/bin/ping6 -n -U -w %d -c %d %s' ) "; diff --git a/pkgs/tools/X11/x11vnc/default.nix b/pkgs/tools/X11/x11vnc/default.nix index b343a7da378..2d319cccf20 100644 --- a/pkgs/tools/X11/x11vnc/default.nix +++ b/pkgs/tools/X11/x11vnc/default.nix 
@@ -20,10 +20,10 @@ stdenv.mkDerivation rec { configureFlags="--mandir=$out/share/man" substituteInPlace x11vnc/unixpw.c \ - --replace '"/bin/su"' '"/run/wrappers/su"' \ + --replace '"/bin/su"' '"/run/wrappers/bin/su"' \ --replace '"/bin/true"' '"${coreutils}/bin/true"' - sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/su|g' x11vnc/ssltools.h + sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/bin/su|g' x11vnc/ssltools.h ''; meta = { diff --git a/pkgs/tools/admin/certbot/default.nix b/pkgs/tools/admin/certbot/default.nix index 366213d2e1e..3648cb2c136 100644 --- a/pkgs/tools/admin/certbot/default.nix +++ b/pkgs/tools/admin/certbot/default.nix @@ -31,7 +31,7 @@ python2Packages.buildPythonApplication rec { buildInputs = [ dialog ] ++ (with python2Packages; [ nose mock gnureadline ]); patchPhase = '' - substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/sendmail" + substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/bin/sendmail" substituteInPlace certbot/util.py --replace "sw_vers" "/usr/bin/sw_vers" ''; diff --git a/pkgs/tools/misc/debian-devscripts/default.nix b/pkgs/tools/misc/debian-devscripts/default.nix index be3b674de04..cbc7a2e7e46 100644 --- a/pkgs/tools/misc/debian-devscripts/default.nix +++ b/pkgs/tools/misc/debian-devscripts/default.nix @@ -2,7 +2,7 @@ , FileDesktopEntry, libxslt, docbook_xsl, makeWrapper , python3Packages , perlPackages, curl, gnupg, diffutils -, sendmailPath ? "/run/wrappers/sendmail" +, sendmailPath ? "/run/wrappers/bin/sendmail" }: let diff --git a/pkgs/tools/security/ecryptfs/default.nix b/pkgs/tools/security/ecryptfs/default.nix index 98e06d1de3e..ab4867a4cc8 100644 --- a/pkgs/tools/security/ecryptfs/default.nix +++ b/pkgs/tools/security/ecryptfs/default.nix 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { }; # TODO: replace wrapperDir below with from config.security.wrapperDir; - wrapperDir = "/run/wrappers"; + wrapperDir = "/run/wrappers/bin"; postPatch = '' FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)" diff --git a/pkgs/tools/security/ecryptfs/helper.nix b/pkgs/tools/security/ecryptfs/helper.nix index 3daaadcaad6..05327ad3a09 100644 --- a/pkgs/tools/security/ecryptfs/helper.nix +++ b/pkgs/tools/security/ecryptfs/helper.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; - # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers + # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers/bin installPhase = '' mkdir -p $out/bin $out/libexec cp $src $out/libexec/ecryptfs-helper.py diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix index 0d2953c6f45..9f56a9d7f26 100644 --- a/pkgs/tools/security/sudo/default.nix +++ b/pkgs/tools/security/sudo/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, coreutils, pam, groff -, sendmailPath ? "/run/wrappers/sendmail" +, sendmailPath ? "/run/wrappers/bin/sendmail" , withInsults ? false }: diff --git a/pkgs/tools/system/at/default.nix b/pkgs/tools/system/at/default.nix index 9f8bad00ca4..185645763fd 100644 --- a/pkgs/tools/system/at/default.nix +++ b/pkgs/tools/system/at/default.nix @@ -1,4 +1,4 @@ -{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/sendmail" }: +{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/bin/sendmail" }: stdenv.mkDerivation { name = "at-3.1.16"; diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 8a6a5dc15d3..dec1bacd741 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix 
@@ -23,7 +23,7 @@ stdenv.mkDerivation { #define _PATH_SENDMAIL "${sendmailPath}" #undef _PATH_DEFPATH - #define _PATH_DEFPATH "/run/wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" + #define _PATH_DEFPATH "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" __EOT__ # Implicit saved uids do not work here due to way NixOS uses setuid wrappers diff --git a/pkgs/tools/system/ts/default.nix b/pkgs/tools/system/ts/default.nix index 1dfb856d4d6..97b35378673 100644 --- a/pkgs/tools/system/ts/default.nix +++ b/pkgs/tools/system/ts/default.nix @@ -1,5 +1,5 @@ {stdenv, fetchurl, -sendmailPath ? "/run/wrappers/sendmail" }: +sendmailPath ? "/run/wrappers/bin/sendmail" }: stdenv.mkDerivation rec { -- cgit 1.4.1 From 3cec7d10dfb80b7466f171e7a59ac9af3bab2862 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sat, 11 Feb 2017 13:55:09 -0500 Subject: kdm: drop service --- nixos/modules/misc/ids.nix | 4 +- nixos/modules/module-list.nix | 1 - .../modules/services/x11/desktop-managers/kde4.nix | 202 --------------------- .../services/x11/display-managers/default.nix | 3 - .../modules/services/x11/display-managers/kdm.nix | 161 ---------------- .../system/boot/loader/grub/install-grub.pl | 2 - nixos/modules/testing/test-instrumentation.nix | 9 - nixos/tests/kde4.nix | 70 ------- 8 files changed, 2 insertions(+), 450 deletions(-) delete mode 100644 nixos/modules/services/x11/desktop-managers/kde4.nix delete mode 100644 nixos/modules/services/x11/display-managers/kdm.nix delete mode 100644 nixos/tests/kde4.nix (limited to 'nixos/tests') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 60e00ce874a..1566dbe1677 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix 
@@ -64,7 +64,7 @@ cups = 36; foldingathome = 37; sabnzbd = 38; - kdm = 39; + #kdm = 39; # dropped in 17.03 ghostone = 40; git = 41; fourstore = 42; @@ -333,7 +333,7 @@ #cups = 36; # unused #foldingathome = 37; # unused #sabnzd = 38; # unused - #kdm = 39; # unused + #kdm = 39; # unused, even before 17.03 ghostone = 40; git = 41; fourstore = 42; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index afaaccb0156..7c9c9ac2a1e 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -559,7 +559,6 @@ ./services/x11/display-managers/auto.nix ./services/x11/display-managers/default.nix ./services/x11/display-managers/gdm.nix - ./services/x11/display-managers/kdm.nix ./services/x11/display-managers/lightdm.nix ./services/x11/display-managers/sddm.nix ./services/x11/display-managers/slim.nix diff --git a/nixos/modules/services/x11/desktop-managers/kde4.nix b/nixos/modules/services/x11/desktop-managers/kde4.nix deleted file mode 100644 index f0de9120c69..00000000000 --- a/nixos/modules/services/x11/desktop-managers/kde4.nix +++ /dev/null 
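Review bot: The uids-side comment should say why 39 stays reserved rather than freed: the dropped display manager created `/var/lib/kdm` and `chown`ed it to this uid, and that directory presumably survives an upgrade, so handing 39 to a future service would give it ownership of leftover kdm state. Suggest `#kdm = 39; # dropped in 17.03; keep reserved, /var/lib/kdm may still be owned by this uid`. The removed user record itself is only cleaned up if the user-management activation prunes declarative users, which is not visible in this diff.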
@@ -1,202 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - xcfg = config.services.xserver; - cfg = xcfg.desktopManager.kde4; - xorg = pkgs.xorg; - kde_workspace = config.services.xserver.desktopManager.kde4.kdeWorkspacePackage; - - # Disable Nepomuk and Strigi by default. As of KDE 4.7, they don't - # really work very well (e.g. searching files often fails to find - # files), segfault sometimes and consume significant resources. - # They can be re-enabled in the KDE System Settings under "Desktop - # Search". - disableNepomuk = pkgs.writeTextFile - { name = "nepomuk-config"; - destination = "/share/config/nepomukserverrc"; - text = - '' - [Basic Settings] - Start Nepomuk=false - - [Service-nepomukstrigiservice] - autostart=false - ''; - }; - - phononBackends = { - gstreamer = [ - pkgs.phonon-backend-gstreamer - pkgs.gst_all.gstPluginsBase - pkgs.gst_all.gstPluginsGood - pkgs.gst_all.gstPluginsUgly - pkgs.gst_all.gstPluginsBad - pkgs.gst_all.gstFfmpeg # for mp3 playback - pkgs.gst_all.gstreamer # needed? - ]; - - vlc = [pkgs.phonon-backend-vlc]; - }; - - phononBackendPackages = flip concatMap cfg.phononBackends - (name: attrByPath [name] (throw "unknown phonon backend `${name}'") phononBackends); - -in - -{ - options = { - - services.xserver.desktopManager.kde4 = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable the KDE 4 desktop environment."; - }; - - phononBackends = mkOption { - type = types.listOf types.str; - default = ["gstreamer"]; - example = ["gstreamer" "vlc"]; - description = "Which phonon multimedia backend kde should use"; - }; - - kdeWorkspacePackage = mkOption { - internal = true; - default = pkgs.kde4.kde_workspace; - defaultText = "pkgs.kde4.kde_workspace"; - type = types.package; - description = "Custom kde-workspace, used for NixOS rebranding."; - }; - - enablePIM = mkOption { - type = types.bool; - default = true; - description = "Whether to enable PIM support. 
Note that enabling this pulls in Akonadi and MariaDB as dependencies."; - }; - - enableNepomuk = mkOption { - type = types.bool; - default = false; - description = "Whether to enable Nepomuk (deprecated)."; - }; - }; - }; - - - config = mkIf (xcfg.enable && cfg.enable) { - warnings = [ - "KDE4 is long unmaintained and will be removed. Please update to KDE5." - ]; - - # If KDE 4 is enabled, make it the default desktop manager (unless - # overridden by the user's configuration). - # !!! doesn't work yet ("Multiple definitions. Only one is allowed - # for this option.") - # services.xserver.desktopManager.default = mkOverride 900 "kde4"; - - services.xserver.desktopManager.session = singleton - { name = "kde4"; - bgSupport = true; - start = - '' - # The KDE icon cache is supposed to update itself - # automatically, but it uses the timestamp on the icon - # theme directory as a trigger. Since in Nix the - # timestamp is always the same, this doesn't work. So as - # a workaround, nuke the icon cache on login. This isn't - # perfect, since it may require logging out after - # installing new applications to update the cache. - # See http://lists-archives.org/kde-devel/26175-what-when-will-icon-cache-refresh.html - rm -fv $HOME/.kde/cache-*/icon-cache.kcache - - # Qt writes a weird ‘libraryPath’ line to - # ~/.config/Trolltech.conf that causes the KDE plugin - # paths of previous KDE invocations to be searched. - # Obviously using mismatching KDE libraries is potentially - # disastrous, so here we nuke references to the Nix store - # in Trolltech.conf. A better solution would be to stop - # Qt from doing this wackiness in the first place. - if [ -e $HOME/.config/Trolltech.conf ]; then - sed -e '/nix\\store\|nix\/store/ d' -i $HOME/.config/Trolltech.conf - fi - - # Load PulseAudio module for routing support. 
- # See http://colin.guthr.ie/2009/10/so-how-does-the-kde-pulseaudio-support-work-anyway/ - ${optionalString config.hardware.pulseaudio.enable '' - ${getBin config.hardware.pulseaudio.package}/bin/pactl load-module module-device-manager "do_routing=1" - ''} - - # Start KDE. - exec ${kde_workspace}/bin/startkde - ''; - }; - - security.setuidOwners = singleton - { program = "kcheckpass"; - source = "${kde_workspace}/lib/kde4/libexec/kcheckpass"; - owner = "root"; - group = "root"; - setuid = true; - }; - - environment.systemPackages = - [ pkgs.kde4.kdelibs - - pkgs.kde4.kde_baseapps # Splitted kdebase - kde_workspace - pkgs.kde4.kde_runtime - pkgs.kde4.konsole - pkgs.kde4.kate - - pkgs.kde4.kde_wallpapers # contains kdm's default background - pkgs.kde4.oxygen_icons - - # Starts KDE's Polkit authentication agent. - pkgs.kde4.polkit_kde_agent - - # Miscellaneous runtime dependencies. - pkgs.kde4.qt4 # needed for qdbus - pkgs.shared_mime_info - xorg.xmessage # so that startkde can show error messages - xorg.xset # used by startkde, non-essential - xorg.xauth # used by kdesu - ] - ++ optionals cfg.enablePIM - [ pkgs.kde4.kdepim_runtime - pkgs.kde4.akonadi - pkgs.mysql # used by akonadi - ] - ++ (if cfg.enableNepomuk then - [ pkgs.shared_desktop_ontologies # used by nepomuk - pkgs.strigi # used by nepomuk - pkgs.virtuoso # to enable Nepomuk to find Virtuoso - ] else - [ disableNepomuk ]) - ++ optional config.hardware.pulseaudio.enable pkgs.kde4.kmix # Perhaps this should always be enabled - ++ optional config.hardware.bluetooth.enable pkgs.kde4.bluedevil - ++ optional config.networking.networkmanager.enable pkgs.kde4.plasma-nm - ++ phononBackendPackages; - - environment.pathsToLink = [ "/share" ]; - - environment.profileRelativeEnvVars = mkIf (elem "gstreamer" cfg.phononBackends) { - GST_PLUGIN_SYSTEM_PATH = [ "/lib/gstreamer-0.10" ]; - }; - - environment.etc = singleton - { source = "${pkgs.xkeyboard_config}/etc/X11/xkb"; - target = "X11/xkb"; - }; - - # Enable helpful 
DBus services. - services.udisks2.enable = true; - services.upower.enable = config.powerManagement.enable; - - security.pam.services.kde = { allowNullPassword = true; }; - - }; - -} diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index 98d2d0ea834..7418ce56357 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix @@ -55,9 +55,6 @@ let fi ''} - # Handle being called by kdm. - if test "''${1:0:1}" = /; then eval exec "$1"; fi - # Start PulseAudio if enabled. ${optionalString (config.hardware.pulseaudio.enable) '' ${optionalString (!config.hardware.pulseaudio.systemWide) diff --git a/nixos/modules/services/x11/display-managers/kdm.nix b/nixos/modules/services/x11/display-managers/kdm.nix deleted file mode 100644 index bfb763f2858..00000000000 --- a/nixos/modules/services/x11/display-managers/kdm.nix +++ /dev/null 
@@ -1,161 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - dmcfg = config.services.xserver.displayManager; - cfg = dmcfg.kdm; - - inherit (pkgs.kde4) kdebase_workspace; - - defaultConfig = - '' - [Shutdown] - HaltCmd=${config.systemd.package}/sbin/shutdown -h now - RebootCmd=${config.systemd.package}/sbin/shutdown -r now - ${optionalString (config.system.boot.loader.id == "grub") '' - BootManager=${if config.boot.loader.grub.version == 2 then "Grub2" else "Grub"} - ''} - - [X-*-Core] - Xrdb=${pkgs.xorg.xrdb}/bin/xrdb - SessionsDirs=${dmcfg.session.desktops} - Session=${dmcfg.session.script} - FailsafeClient=${pkgs.xterm}/bin/xterm - - [X-:*-Core] - ServerCmd=${dmcfg.xserverBin} ${toString dmcfg.xserverArgs} - # KDM calls `rm' somewhere to clean up some temporary directory. - SystemPath=${pkgs.coreutils}/bin - # The default timeout (15) is too short in a heavily loaded boot process. - ServerTimeout=60 - # Needed to prevent the X server from dying on logout and not coming back: - TerminateServer=true - ${optionalString (cfg.setupScript != "") - '' - Setup=${cfg.setupScript} - ''} - - [X-*-Greeter] - HiddenUsers=root,${concatStringsSep "," dmcfg.hiddenUsers} - PluginsLogin=${kdebase_workspace}/lib/kde4/kgreet_classic.so - ${optionalString (cfg.themeDirectory != null) - '' - UseTheme=true - Theme=${cfg.themeDirectory} - '' - } - - ${optionalString (cfg.enableXDMCP) - '' - [Xdmcp] - Enable=true - ''} - ''; - - kdmrc = pkgs.runCommand "kdmrc" - { config = defaultConfig + cfg.extraConfig; - preferLocalBuild = true; - } - '' - echo "$config" > $out - - # The default kdmrc would add "-nolisten tcp", and we already - # have that managed by nixos. Hence the grep. - cat ${kdebase_workspace}/share/config/kdm/kdmrc | grep -v nolisten >> $out - ''; - -in - -{ - - ###### interface - - options = { - - services.xserver.displayManager.kdm = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable the KDE display manager. 
- ''; - }; - - enableXDMCP = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable XDMCP, which allows remote logins. - ''; - }; - - themeDirectory = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The path to a KDM theme directory. This theme - will be used by the KDM greeter. - ''; - }; - - setupScript = mkOption { - type = types.lines; - default = ""; - description = '' - The path to a KDM setup script. This script is run as root just - before KDM starts. Can be used for setting up - monitors with xrandr, for example. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Options appended to kdmrc, the - configuration file of KDM. - ''; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - warnings = [ - "KDM is long unmaintained and will be removed. Please update to SDDM." - ]; - - services.xserver.displayManager.slim.enable = false; - - services.xserver.displayManager.job = - { execCmd = - '' - mkdir -m 0755 -p /var/lib/kdm - chown kdm /var/lib/kdm - ${(optionalString (config.system.boot.loader.id == "grub" && config.system.build.grub != null) "PATH=${config.system.build.grub}/sbin:$PATH ") + - "KDEDIRS=/run/current-system/sw exec ${kdebase_workspace}/bin/kdm -config ${kdmrc} -nodaemon -logfile /dev/stderr"} - ''; - logsXsession = true; - }; - - security.pam.services.kde = { allowNullPassword = true; startSession = true; }; - - users.extraUsers = singleton - { name = "kdm"; - uid = config.ids.uids.kdm; - description = "KDM user"; - }; - - environment.systemPackages = - [ pkgs.kde4.kde_wallpapers ]; # contains kdm's default background - - }; - -} diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl index 24442ca12a3..f92b17720f6 100644 --- a/nixos/modules/system/boot/loader/grub/install-grub.pl +++ b/nixos/modules/system/boot/loader/grub/install-grub.pl 
@@ -256,8 +256,6 @@ else { # ‘grub-reboot’ sets a one-time saved entry, which we process here and # then delete. if [ \"\${next_entry}\" ]; then - # FIXME: KDM expects the next line to be present. - set default=\"\${saved_entry}\" set default=\"\${next_entry}\" set next_entry= save_env next_entry diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix index 099ead3d846..7f5b55d5cca 100644 --- a/nixos/modules/testing/test-instrumentation.nix +++ b/nixos/modules/testing/test-instrumentation.nix @@ -123,15 +123,6 @@ let kernel = config.boot.kernelPackages.kernel; in users.extraUsers.root.initialHashedPassword = mkOverride 150 ""; services.xserver.displayManager.logToJournal = true; - - # Bump kdm's X server start timeout to account for heavily loaded - # VM host systems. - services.xserver.displayManager.kdm.extraConfig = - '' - [X-:*-Core] - ServerTimeout=240 - ''; - }; } diff --git a/nixos/tests/kde4.nix b/nixos/tests/kde4.nix deleted file mode 100644 index 9ecfe687056..00000000000 --- a/nixos/tests/kde4.nix +++ /dev/null 
@@ -1,70 +0,0 @@ -import ./make-test.nix ({ pkgs, ... }: { - name = "kde4"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ domenkozar eelco chaoflow ]; - }; - - machine = - { config, pkgs, ... }: - - { imports = [ ./common/user-account.nix ]; - - virtualisation.memorySize = 1024; - - services.xserver.enable = true; - - services.httpd.enable = true; - services.httpd.adminAddr = "foo@example.org"; - services.httpd.documentRoot = "${pkgs.valgrind.doc}/share/doc/valgrind/html"; - - services.xserver.displayManager.kdm.enable = true; - services.xserver.displayManager.kdm.extraConfig = - '' - [X-:0-Core] - AutoLoginEnable=true - AutoLoginUser=alice - AutoLoginPass=foobar - ''; - - services.xserver.desktopManager.kde4.enable = true; - - # Include most of KDE. We don't really test these here, but at - # least they should build. - environment.systemPackages = - [ pkgs.kde4.kdemultimedia - pkgs.kde4.kdegraphics - pkgs.kde4.kdeutils - pkgs.kde4.kdegames - #pkgs.kde4.kdeedu - pkgs.kde4.kdeaccessibility - pkgs.kde4.kdeadmin - pkgs.kde4.kdenetwork - pkgs.kde4.kdetoys - pkgs.kde4.kdewebdev - pkgs.xorg.xmessage - ]; - }; - - testScript = '' - $machine->waitUntilSucceeds("pgrep plasma-desktop"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - $machine->waitForWindow(qr/plasma-desktop/); - - # Check that logging in has given the user ownership of devices. - $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); - - $machine->execute("su - alice -c 'DISPLAY=:0.0 kwrite /var/log/messages &'"); - $machine->waitForWindow(qr/messages.*KWrite/); - - $machine->execute("su - alice -c 'DISPLAY=:0.0 konqueror http://localhost/ &'"); - $machine->waitForWindow(qr/Valgrind.*Konqueror/); - - $machine->execute("su - alice -c 'DISPLAY=:0.0 gwenview ${pkgs.kde4.kde_wallpapers}/share/wallpapers/Hanami/contents/images/1280x1024.jpg &'"); - $machine->waitForWindow(qr/Gwenview/); - - $machine->sleep(10); - - $machine->screenshot("screen"); - ''; - -}) -- cgit 1.4.1 
From 96d767de621242a5df6de5db82a9b088d24ef606 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sun, 12 Feb 2017 18:17:08 -0500 Subject: pam_oath: require OATH and pam_unix credentials to be valid --- nixos/modules/security/pam.nix | 4 +- nixos/release.nix | 1 + nixos/tests/pam-oath-login.nix | 126 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 129 insertions(+), 2 deletions(-) create mode 100644 nixos/tests/pam-oath-login.nix (limited to 'nixos/tests') diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 96e7c45d496..67652fbd1e7 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -253,6 +253,8 @@ let "auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so"} ${optionalString cfg.usbAuth "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} + ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth + "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} '' + # Modules in this block require having the password set in PAM_AUTHTOK. # pam_unix is marked as 'sufficient' on NixOS which means nothing will run @@ -271,8 +273,6 @@ let "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"} ${optionalString cfg.otpwAuth "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} - ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth - "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} ${optionalString use_ldap "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} ${optionalString config.services.sssd.enable diff --git a/nixos/release.nix b/nixos/release.nix index c061b9801a0..0f93deddf26 100644 --- a/nixos/release.nix +++ b/nixos/release.nix 
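Review bot: The new `auth requisite … pam_oath.so` line is placed below `auth sufficient … pam_u2f.so` and `auth sufficient … pam_usb.so`, so with `u2fAuth` or `usbAuth` enabled a successful U2F or USB authentication ends the stack before pam_oath runs and the OTP is not required at all in those configurations; unless that bypass is intended, move the requisite line above those two `sufficient` entries (the head of this auth block starts outside the hunk, so check what else precedes it). Separately, `requisite` aborts on a bad OTP before pam_unix ever prompts — the test added in this commit relies on exactly that, expecting "Login incorrect" with no `Password:` prompt — which hands an attacker an OTP-validity oracle that is independent of the password. `auth required` keeps the OTP mandatory (a failed required module still fails the stack even if the later `sufficient pam_unix` succeeds) while deferring the failure until after the password prompt; the test would then need to expect the prompt. A short comment on the line explaining the chosen control flag and its position would help the next reader.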
@@ -283,6 +283,7 @@ in rec {
 tests.leaps = callTest tests/leaps.nix { };
 tests.nsd = callTest tests/nsd.nix {};
 tests.openssh = callTest tests/openssh.nix {};
+ tests.pam-oath-login = callTest tests/pam-oath-login.nix {};
 #tests.panamax = hydraJob (import tests/panamax.nix { system = "x86_64-linux"; });
 tests.peerflix = callTest tests/peerflix.nix {};
 tests.postgresql = callTest tests/postgresql.nix {};
diff --git a/nixos/tests/pam-oath-login.nix b/nixos/tests/pam-oath-login.nix
new file mode 100644
index 00000000000..4364d6e354a
--- /dev/null
+++ b/nixos/tests/pam-oath-login.nix
@@ -0,0 +1,126 @@ +import ./make-test.nix ({ pkgs, latestKernel ? false, ... }: + +let + oathSnakeoilSecret = "cdd4083ef8ff1fa9178c6d46bfb1a3"; + + # With HOTP mode the password is calculated based on a counter of + # how many passwords have been made. In this env, we'll always be on + # the 0th counter, so the password is static. + # + # Generated in nix-shell -p oathToolkit + # via: oathtool -v -d6 -w10 cdd4083ef8ff1fa9178c6d46bfb1a3 + # and picking a the first 4: + oathSnakeOilPassword1 = "143349"; + oathSnakeOilPassword2 = "801753"; + oathSnakeOilPassword3 = "019933"; + oathSnakeOilPassword4 = "403895"; + + alicePassword = "foobar"; + # Generated via: mkpasswd -m sha-512 and passing in "foobar" + hashedAlicePassword = "$6$MsMrE1q.1HrCgTS$Vq2e/uILzYjSN836TobAyN9xh9oi7EmCmucnZID25qgPoibkw8qTCugiAPnn4eCGvn1A.7oEBFJaaGUaJsQQY."; + +in +{ + name = "pam-oath-login"; + + machine = + { config, pkgs, lib, ... }: + { + security.pam.oath = { + enable = true; + }; + + users.extraUsers.alice = { + isNormalUser = true; + name = "alice"; + uid = 1000; + hashedPassword = hashedAlicePassword; + extraGroups = [ "wheel" ]; + createHome = true; + home = "/home/alice"; + }; + + + systemd.services.setupOathSnakeoilFile = { + wantedBy = [ "default.target" ]; + before = [ "default.target" ]; + unitConfig = { + type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + touch /etc/users.oath + chmod 600 /etc/users.oath + chown root /etc/users.oath + echo "HOTP/E/6 alice - ${oathSnakeoilSecret}" > /etc/users.oath + ''; + }; + }; + + testScript = + '' + $machine->waitForUnit('multi-user.target'); + $machine->waitUntilSucceeds("pgrep -f 'agetty.*tty1'"); + $machine->screenshot("postboot"); + + + subtest "Invalid password", sub { + $machine->fail("pgrep -f 'agetty.*tty2'"); + $machine->sendKeys("alt-f2"); + $machine->waitUntilSucceeds("[ \$(fgconsole) = 2 ]"); + $machine->waitForUnit('getty@tty2.service'); + $machine->waitUntilSucceeds("pgrep -f 'agetty.*tty2'"); + + 
$machine->waitUntilTTYMatches(2, "login: "); + $machine->sendChars("alice\n"); + $machine->waitUntilTTYMatches(2, "login: alice"); + $machine->waitUntilSucceeds("pgrep login"); + + $machine->waitUntilTTYMatches(2, "One-time password"); + $machine->sendChars("${oathSnakeOilPassword1}\n"); + $machine->waitUntilTTYMatches(2, "Password: "); + $machine->sendChars("blorg\n"); + $machine->waitUntilTTYMatches(2, "Login incorrect"); + }; + + subtest "Invalid oath token", sub { + $machine->fail("pgrep -f 'agetty.*tty3'"); + $machine->sendKeys("alt-f3"); + $machine->waitUntilSucceeds("[ \$(fgconsole) = 3 ]"); + $machine->waitForUnit('getty@tty3.service'); + $machine->waitUntilSucceeds("pgrep -f 'agetty.*tty3'"); + + $machine->waitUntilTTYMatches(3, "login: "); + $machine->sendChars("alice\n"); + $machine->waitUntilTTYMatches(3, "login: alice"); + $machine->waitUntilSucceeds("pgrep login"); + $machine->waitUntilTTYMatches(3, "One-time password"); + $machine->sendChars("000000\n"); + $machine->waitUntilTTYMatches(3, "Login incorrect"); + $machine->waitUntilTTYMatches(3, "login:"); + }; + + subtest "Happy path (both passwords are mandatory to get us in)", sub { + $machine->fail("pgrep -f 'agetty.*tty4'"); + $machine->sendKeys("alt-f4"); + $machine->waitUntilSucceeds("[ \$(fgconsole) = 4 ]"); + $machine->waitForUnit('getty@tty4.service'); + $machine->waitUntilSucceeds("pgrep -f 'agetty.*tty4'"); + + $machine->waitUntilTTYMatches(4, "login: "); + $machine->sendChars("alice\n"); + $machine->waitUntilTTYMatches(4, "login: alice"); + $machine->waitUntilSucceeds("pgrep login"); + $machine->waitUntilTTYMatches(4, "One-time password"); + $machine->sendChars("${oathSnakeOilPassword2}\n"); + $machine->waitUntilTTYMatches(4, "Password: "); + $machine->sendChars("${alicePassword}\n"); + + $machine->waitUntilSucceeds("pgrep -u alice bash"); + $machine->sendChars("touch done4\n"); + $machine->waitForFile("/home/alice/done4"); + }; + + ''; + +}) -- cgit 1.4.1 
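Review bot: In `setupOathSnakeoilFile`, `type = "oneshot"` and `RemainAfterExit = true` sit under `unitConfig`, but both are `[Service]` keys (and the key is spelled `Type`), so systemd will warn about unknown keys in `[Unit]` and ignore them; it should read `serviceConfig = { Type = "oneshot"; RemainAfterExit = true; };`. The header comment "we'll always be on the 0th counter, so the password is static" is also inaccurate: the accepted OTP in the "Invalid password" subtest advances the HOTP counter in `/etc/users.oath`, which is exactly why the happy-path subtest has to send `oathSnakeOilPassword2`; the comment should say that each accepted token advances the counter and later subtests use the next values. Because the counter does advance, a replay check is cheap and worth adding — after the first subtest, re-sending `${oathSnakeOilPassword1}` must produce `Login incorrect`.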
From b7a24e0a2b540c0598fc3ff4056feb1208ec89f9 Mon Sep 17 00:00:00 2001 From: Ian-Woo Kim Date: Fri, 3 Feb 2017 12:50:02 -0800 Subject: nixos-container: added test for port forwarding ( nixos/tests/containers-portforward.nix ) --- nixos/tests/containers-portforward.nix | 63 ++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 nixos/tests/containers-portforward.nix (limited to 'nixos/tests') diff --git a/nixos/tests/containers-portforward.nix b/nixos/tests/containers-portforward.nix new file mode 100644 index 00000000000..78cc445c2dd --- /dev/null +++ b/nixos/tests/containers-portforward.nix 
@@ -0,0 +1,63 @@ +# Test for NixOS' container support. + +let + hostIp = "192.168.0.1"; + hostPort = 10080; + containerIp = "192.168.0.100"; + containerPort = 80; +in + +import ./make-test.nix ({ pkgs, ...} : { + name = "containers-portforward"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ aristid aszlig eelco chaoflow kampfschlaefer ianwookim ]; + }; + + machine = + { config, pkgs, ... }: + { imports = [ ../modules/installer/cd-dvd/channel.nix ]; + virtualisation.writableStore = true; + virtualisation.memorySize = 768; + + containers.webserver = + { privateNetwork = true; + hostAddress = hostIp; + localAddress = containerIp; + forwardPorts = [ { protocol = "tcp"; hostPort = hostPort; containerPort = containerPort; } ]; + config = + { services.httpd.enable = true; + services.httpd.adminAddr = "foo@example.org"; + networking.firewall.allowedTCPPorts = [ 80 ]; + networking.firewall.allowPing = true; + }; + }; + + virtualisation.pathsInNixDB = [ pkgs.stdenv ]; + }; + + testScript = + '' + $machine->succeed("nixos-container list") =~ /webserver/ or die; + + # Start the webserver container. + $machine->succeed("nixos-container start webserver"); + + # wait two seconds for the container to start and the network to be up + sleep 2; + + # Since "start" returns after the container has reached + # multi-user.target, we should now be able to access it. + #my $ip = $machine->succeed("nixos-container show-ip webserver"); + #chomp $ip; + $machine->succeed("ping -n -c1 ${hostIp}"); + $machine->succeed("curl --fail http://${hostIp}:${toString hostPort}/ > /dev/null"); + + # Stop the container. + $machine->succeed("nixos-container stop webserver"); + $machine->fail("curl --fail --connect-timeout 2 http://${hostIp}:${toString hostPort}/ > /dev/null"); + + # Destroying a declarative container should fail. + $machine->fail("nixos-container destroy webserver"); + ''; + +}) -- cgit 1.4.1 From 9debdaf512bc510f7f5d5450c4902e7d1f713274 Mon Sep 17 00:00:00 2001 
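Review bot: The `sleep 2` after `nixos-container start webserver` is a fixed delay rather than a condition, so the following `ping`/`curl` can fail on a slow builder even when the port forward is correct; wait on the observable condition instead, `$machine->waitUntilSucceeds("curl --fail http://${hostIp}:${toString hostPort}/ > /dev/null");`, and drop the sleep. The commented-out `show-ip` lines and the unused `$ip` are dead code and can go. The negative check after `nixos-container stop` is good; a second `$machine->fail(...)` against `http://${containerIp}:${toString containerPort}/` after the stop would confirm the container address itself is gone and not only the forwarded host port.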
From: Profpatsch Date: Thu, 2 Feb 2017 22:21:03 +0100 Subject: networking.bonds: add support for arbitrary driverOptions Until now the four attributes available very selectively provided a small subset, while copying upstream documentation. We make driver options an arbitrary key-value set and point to kernel documentation, which is always up-to-date. This way every option can be set. The four already existing options are deprecated with a warning. --- .../modules/tasks/network-interfaces-scripted.nix | 36 +++++++++++++++++----- nixos/modules/tasks/network-interfaces.nix | 20 ++++++++++++ nixos/tests/networking.nix | 2 +- 3 files changed, 50 insertions(+), 8 deletions(-) (limited to 'nixos/tests') diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 062598de83e..d94d9db54ca 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -37,11 +37,24 @@ let ip link del "${i}" 2>/dev/null || true ''; -in + # warn that these attributes are deprecated (2017-2-2) + # Should be removed in the release after next + bondDeprecation = rec { + deprecated = [ "lacp_rate" "miimon" "mode" "xmit_hash_policy" ]; + filterDeprecated = bond: (filterAttrs (attrName: attr: + elem attrName deprecated && attr != null) bond); + }; -{ + bondWarnings = + let oneBondWarnings = bondName: bond: + mapAttrsToList (bondText bondName) (bondDeprecation.filterDeprecated bond); + bondText = bondName: optName: _: + "${bondName}.${optName} is deprecated, use ${bondName}.driverOptions"; + in { + warnings = flatten (mapAttrsToList oneBondWarnings cfg.bonds); + }; - config = mkIf (!cfg.useNetworkd) { + normalConfig = { systemd.services = let 
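Review bot: The deprecation text built in `bondText` reads `${bondName}.${optName} is deprecated, use ${bondName}.driverOptions`, which names neither the option tree nor the module, so a user sees something like `bond0.mode is deprecated` with no hint where to look; it should carry the full path, `"networking.bonds.${bondName}.${optName} is deprecated, use networking.bonds.${bondName}.driverOptions"`. The surrounding `let` binding and `normalConfig` continue beyond this hunk.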
@@ -296,10 +309,11 @@ in echo "Creating new bond ${n}..." ip link add name "${n}" type bond \ - ${optionalString (v.mode != null) "mode ${toString v.mode}"} \ - ${optionalString (v.miimon != null) "miimon ${toString v.miimon}"} \ - ${optionalString (v.xmit_hash_policy != null) "xmit_hash_policy ${toString v.xmit_hash_policy}"} \ - ${optionalString (v.lacp_rate != null) "lacp_rate ${toString v.lacp_rate}"} + ${let opts = (mapAttrs (const toString) + (bondDeprecation.filterDeprecated v)) + // v.driverOptions; + in concatStringsSep "\n" + (mapAttrsToList (set: val: " ${set} ${val} \\") opts)} # !!! There must be a better way to wait for the interface while [ ! -d "/sys/class/net/${n}" ]; do sleep 0.1; done; @@ -410,6 +424,14 @@ in KERNEL=="tun", TAG+="systemd" ''; + }; +in + +{ + config = mkMerge [ + bondWarnings + (mkIf (!cfg.useNetworkd) normalConfig) + ]; } diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 28c7b358093..898207ef7a3 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -587,11 +587,28 @@ in description = "The interfaces to bond together"; }; + driverOptions = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExample { + interfaces = [ "eth0" "wlan0" ]; + miimon = 100; + mode = "active-backup"; + }; + description = '' + Options for the bonding driver. + Documentation can be found in + + ''; + + }; + lacp_rate = mkOption { default = null; example = "fast"; type = types.nullOr types.str; description = '' + DEPRECATED, use `driverOptions`. Option specifying the rate in which we'll ask our link partner to transmit LACPDU packets in 802.3ad mode. ''; 
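Review bot: The new `ip link add ... type bond` continuation splices each `driverOptions` key and value into the shell script unquoted (`" ${set} ${val} \\"`), and `driverOptions` is `attrsOf str`, so a value containing whitespace or shell metacharacters alters the command line instead of being passed as one argument; the same applies to the deprecated attributes once `toString`ed. Escape both sides, e.g. `(mapAttrsToList (set: val: " ${escapeShellArg set} ${escapeShellArg val} \\") opts)`, assuming `lib.escapeShellArg` is available at this revision. The systemd service definition this line lives in starts and ends outside the hunk.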
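Review bot: The `example` for `driverOptions` does not type-check against the declared `types.attrsOf types.str`: `interfaces = [ "eth0" "wlan0" ]` is not a bonding driver option (it is the sibling `interfaces` option), and `miimon = 100` is an integer where a string is required. A correct example is `{ miimon = "100"; mode = "active-backup"; }`. The description ends with "Documentation can be found in" and nothing follows, so either the link was lost or never written; name the kernel bonding documentation explicitly. The `bonds` submodule option set continues outside this hunk.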
@@ -602,6 +619,7 @@ in example = 100; type = types.nullOr types.int; description = '' + DEPRECATED, use `driverOptions`. Miimon is the number of millisecond in between each round of polling by the device driver for failed links. By default polling is not enabled and the driver is trusted to properly detect and handle @@ -614,6 +632,7 @@ in example = "active-backup"; type = types.nullOr types.str; description = '' + DEPRECATED, use `driverOptions`. The mode which the bond will be running. The default mode for the bonding driver is balance-rr, optimizing for throughput. More information about valid modes can be found at @@ -626,6 +645,7 @@ in example = "layer2+3"; type = types.nullOr types.str; description = '' + DEPRECATED, use `driverOptions`. Selects the transmit hash policy to use for slave selection in balance-xor, 802.3ad, and tlb modes. ''; diff --git a/nixos/tests/networking.nix b/nixos/tests/networking.nix index 83103f35d48..8b573869c15 100644 --- a/nixos/tests/networking.nix +++ b/nixos/tests/networking.nix @@ -236,8 +236,8 @@ let firewall.allowPing = true; useDHCP = false; bonds.bond = { - mode = "balance-rr"; interfaces = [ "eth1" "eth2" ]; + driverOptions.mode = "balance-rr"; }; interfaces.eth1.ip4 = mkOverride 0 [ ]; interfaces.eth2.ip4 = mkOverride 0 [ ]; -- cgit 1.4.1 From fd78ff23f7dd0db1a468189672aeb85f53d4ec99 Mon Sep 17 00:00:00 2001 
From: Jörg Thalheim Date: Wed, 15 Feb 2017 11:05:50 +0100 Subject: replace ping6 with ping reason: after the upgrade of iputils from 20151218 to 20161105 functionality of ping6 and tracepath6 was merged into ping and tracepath. Ping is now mostly a drop-in replacment for ping6, except that selecting a specific interface is done by encoding it into the address (ex.: fe80::1%eth0) rather then specifing it with the `-I` flag. --- nixos/modules/tasks/network-interfaces.nix | 6 ------ nixos/tests/cjdns.nix | 12 +++++------ nixos/tests/containers-bridge.nix | 2 +- nixos/tests/containers-extra_veth.nix | 2 +- nixos/tests/containers-ipv6.nix | 2 +- nixos/tests/ipv6.nix | 12 +++++------ nixos/tests/networking.nix | 24 +++++++++++----------- .../monitoring/nagios/plugins/official-2.x.nix | 4 ++-- 8 files changed, 29 insertions(+), 35 deletions(-) (limited to 'nixos/tests') diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 28c7b358093..59043444ef7 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -940,14 +940,8 @@ in source = "${pkgs.iputils.out}/bin/ping"; capabilities = "cap_net_raw+p"; }; - - ping6 = { - source = "${pkgs.iputils.out}/bin/ping6"; - capabilities = "cap_net_raw+p"; - }; } else { ping.source = "${pkgs.iputils.out}/bin/ping"; - "ping6".source = "${pkgs.iputils.out}/bin/ping6"; }; # Set the host and domain names in the activation script. Don't diff --git a/nixos/tests/cjdns.nix b/nixos/tests/cjdns.nix index f32ec52dfc2..46666379924 100644 --- a/nixos/tests/cjdns.nix +++ b/nixos/tests/cjdns.nix 
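Review bot: Dropping the `ping6` entry from both the setcap and the setuid branch removes `/run/wrappers/bin/ping6` on every system, but only the nagios plugin in this commit is updated to `ping -6`; any user script, monitoring check or module still calling `ping6` now fails outright or, if iputils still ships a `ping6` alias, lands on an unwrapped binary without `cap_net_raw`. Consider keeping a compatibility entry for one release, e.g. `ping6 = { source = "${pkgs.iputils.out}/bin/ping"; capabilities = "cap_net_raw+p"; };`, or at least a release-note entry, so the privileged path does not vanish silently. The `security.wrappers` attribute set this hunk edits begins and ends outside the hunk.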
@@ -109,14 +109,14 @@ import ./make-test.nix ({ pkgs, ...} : { # ping a few times each to let the routing table establish itself - $alice->succeed("ping6 -c 4 $carolIp6"); - $bob->succeed("ping6 -c 4 $carolIp6"); + $alice->succeed("ping -c 4 $carolIp6"); + $bob->succeed("ping -c 4 $carolIp6"); - $carol->succeed("ping6 -c 4 $aliceIp6"); - $carol->succeed("ping6 -c 4 $bobIp6"); + $carol->succeed("ping -c 4 $aliceIp6"); + $carol->succeed("ping -c 4 $bobIp6"); - $alice->succeed("ping6 -c 4 $bobIp6"); - $bob->succeed("ping6 -c 4 $aliceIp6"); + $alice->succeed("ping -c 4 $bobIp6"); + $bob->succeed("ping -c 4 $aliceIp6"); $alice->waitForUnit("httpd.service"); diff --git a/nixos/tests/containers-bridge.nix b/nixos/tests/containers-bridge.nix index bb32d852a6f..598abd22e61 100644 --- a/nixos/tests/containers-bridge.nix +++ b/nixos/tests/containers-bridge.nix @@ -66,7 +66,7 @@ import ./make-test.nix ({ pkgs, ...} : { "${containerIp6}" =~ /([^\/]+)\/([0-9+])/; my $ip6 = $1; chomp $ip6; - $machine->succeed("ping6 -n -c 1 $ip6"); + $machine->succeed("ping -n -c 1 $ip6"); $machine->succeed("curl --fail http://[$ip6]/ > /dev/null"); # Stop the container. diff --git a/nixos/tests/containers-extra_veth.nix b/nixos/tests/containers-extra_veth.nix index 2a54b1d961c..6339c8c558b 100644 --- a/nixos/tests/containers-extra_veth.nix +++ b/nixos/tests/containers-extra_veth.nix @@ -84,7 +84,7 @@ import ./make-test.nix ({ pkgs, ...} : { # Ping on main veth $machine->succeed("ping -n -c 1 192.168.0.100"); - $machine->succeed("ping6 -n -c 1 fc00::2"); + $machine->succeed("ping -n -c 1 fc00::2"); # Ping on the first extra veth $machine->succeed("ping -n -c 1 192.168.1.100 >&2"); diff --git a/nixos/tests/containers-ipv6.nix b/nixos/tests/containers-ipv6.nix index 320465ebb95..f676ed122bb 100644 --- a/nixos/tests/containers-ipv6.nix +++ b/nixos/tests/containers-ipv6.nix 
@@ -47,7 +47,7 @@ import ./make-test.nix ({ pkgs, ...} : { # multi-user.target, we should now be able to access it. my $ip = "${localIp}"; chomp $ip; - $machine->succeed("ping6 -n -c 1 $ip"); + $machine->succeed("ping -n -c 1 $ip"); $machine->succeed("curl --fail http://[$ip]/ > /dev/null"); # Stop the container. diff --git a/nixos/tests/ipv6.nix b/nixos/tests/ipv6.nix index 4e2e6379cad..060f6321679 100644 --- a/nixos/tests/ipv6.nix +++ b/nixos/tests/ipv6.nix @@ -54,22 +54,22 @@ import ./make-test.nix ({ pkgs, ...} : { } subtest "loopback address", sub { - $client->succeed("ping6 -c 1 ::1 >&2"); - $client->fail("ping6 -c 1 ::2 >&2"); + $client->succeed("ping -c 1 ::1 >&2"); + $client->fail("ping -c 1 ::2 >&2"); }; subtest "local link addressing", sub { my $clientIp = waitForAddress $client, "eth1", "link"; my $serverIp = waitForAddress $server, "eth1", "link"; - $client->succeed("ping6 -c 1 -I eth1 $clientIp >&2"); - $client->succeed("ping6 -c 1 -I eth1 $serverIp >&2"); + $client->succeed("ping -c 1 $clientIp%eth1 >&2"); + $client->succeed("ping -c 1 $serverIp%eth1 >&2"); }; subtest "global addressing", sub { my $clientIp = waitForAddress $client, "eth1", "global"; my $serverIp = waitForAddress $server, "eth1", "global"; - $client->succeed("ping6 -c 1 $clientIp >&2"); - $client->succeed("ping6 -c 1 $serverIp >&2"); + $client->succeed("ping -c 1 $clientIp >&2"); + $client->succeed("ping -c 1 $serverIp >&2"); $client->succeed("curl --fail -g http://[$serverIp]"); $client->fail("curl --fail -g http://[$clientIp]"); }; diff --git a/nixos/tests/networking.nix b/nixos/tests/networking.nix index 83103f35d48..541f03324ab 100644 --- a/nixos/tests/networking.nix +++ b/nixos/tests/networking.nix 
@@ -166,24 +166,24 @@ let # Test vlan 1 $client->waitUntilSucceeds("ping -c 1 192.168.1.1"); $client->waitUntilSucceeds("ping -c 1 192.168.1.2"); - $client->waitUntilSucceeds("ping6 -c 1 fd00:1234:5678:1::1"); - $client->waitUntilSucceeds("ping6 -c 1 fd00:1234:5678:1::2"); + $client->waitUntilSucceeds("ping -c 1 fd00:1234:5678:1::1"); + $client->waitUntilSucceeds("ping -c 1 fd00:1234:5678:1::2"); $router->waitUntilSucceeds("ping -c 1 192.168.1.1"); $router->waitUntilSucceeds("ping -c 1 192.168.1.2"); - $router->waitUntilSucceeds("ping6 -c 1 fd00:1234:5678:1::1"); - $router->waitUntilSucceeds("ping6 -c 1 fd00:1234:5678:1::2"); + $router->waitUntilSucceeds("ping -c 1 fd00:1234:5678:1::1"); + $router->waitUntilSucceeds("ping -c 1 fd00:1234:5678:1::2"); # Test vlan 2 $client->waitUntilSucceeds("ping -c 1 192.168.2.1"); $client->waitUntilSucceeds("ping -c 1 192.168.2.2"); - $client->waitUntilSucceeds("ping6 -c 1 fd00:1234:5678:2::1"); - $client->waitUntilSucceeds("ping6 -c 1 fd00:1234:5678:2::2"); + $client->waitUntilSucceeds("ping -c 1 fd00:1234:5678:2::1"); + $client->waitUntilSucceeds("ping -c 1 fd00:1234:5678:2::2"); $router->waitUntilSucceeds("ping -c 1 192.168.2.1"); $router->waitUntilSucceeds("ping -c 1 192.168.2.2"); - $router->waitUntilSucceeds("ping6 -c 1 fd00:1234:5678:2::1"); - $router->waitUntilSucceeds("ping6 -c 1 fd00:1234:5678:2::2"); + $router->waitUntilSucceeds("ping -c 1 fd00:1234:5678:2::1"); + $router->waitUntilSucceeds("ping -c 1 fd00:1234:5678:2::2"); ''; }; dhcpOneIf = { 
@@ -390,11 +390,11 @@ let $client2->succeed("ip addr >&2"); # Test ipv6 - $client1->waitUntilSucceeds("ping6 -c 1 fc00::1"); - $client1->waitUntilSucceeds("ping6 -c 1 fc00::2"); + $client1->waitUntilSucceeds("ping -c 1 fc00::1"); + $client1->waitUntilSucceeds("ping -c 1 fc00::2"); - $client2->waitUntilSucceeds("ping6 -c 1 fc00::1"); - $client2->waitUntilSucceeds("ping6 -c 1 fc00::2"); + $client2->waitUntilSucceeds("ping -c 1 fc00::1"); + $client2->waitUntilSucceeds("ping -c 1 fc00::2"); ''; }; vlan = let diff --git a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix index 1ea6f88084d..67c3954ef56 100644 --- a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix +++ b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix @@ -16,8 +16,8 @@ stdenv.mkDerivation rec { # configured on the build machine). preConfigure= " configureFlagsArray=( - --with-ping-command='/run/wrappers/bin/ping -n -U -w %d -c %d %s' - --with-ping6-command='/run/wrappers/bin/ping6 -n -U -w %d -c %d %s' + --with-ping-command='/run/wrappers/bin/ping -4 -n -U -w %d -c %d %s' + --with-ping6-command='/run/wrappers/bin/ping -6 -n -U -w %d -c %d %s' ) "; -- cgit 1.4.1 From 5af8b120a6d5e8abaf2e0397e9ac077a3ab33897 Mon Sep 17 00:00:00 2001 
From: aszlig Date: Fri, 17 Feb 2017 19:28:55 +0100 Subject: nixos/tests/taskserver: Add test for manual config This subtest actually serves two purposes: 1. Test manual PKI configuration 2. Test changing of configuration files In order to only test manual PKI configuration it would have been enough to just add another server with a manual config. But as the switch from automatic PKI config to manual config is probably one of the most fundamental changes in configuration, so it serves *very* well to also check whether changes in the NixOS configuration actually have an impact in the real system. So instead of adding another server, we now create a dummy "newServer" machine, which is the new configuration for "server" and use switch-to-configuration to switch "server" to the config of "newServer". Signed-off-by: aszlig --- nixos/tests/taskserver.nix | 129 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 124 insertions(+), 5 deletions(-) (limited to 'nixos/tests') diff --git a/nixos/tests/taskserver.nix b/nixos/tests/taskserver.nix index d770b20a775..cdccb11d888 100644 --- a/nixos/tests/taskserver.nix +++ b/nixos/tests/taskserver.nix 
@@ -1,4 +1,62 @@ -import ./make-test.nix { +import ./make-test.nix ({ pkgs, ... }: let + snakeOil = pkgs.runCommand "snakeoil-certs" { + outputs = [ "out" "cacert" "cert" "key" "crl" ]; + buildInputs = [ pkgs.gnutls.bin ]; + caTemplate = pkgs.writeText "snakeoil-ca.template" '' + cn = server + expiration_days = -1 + cert_signing_key + ca + ''; + certTemplate = pkgs.writeText "snakeoil-cert.template" '' + cn = server + expiration_days = -1 + tls_www_server + encryption_key + signing_key + ''; + crlTemplate = pkgs.writeText "snakeoil-crl.template" '' + expiration_days = -1 + ''; + userCertTemplace = pkgs.writeText "snakoil-user-cert.template" '' + organization = snakeoil + cn = server + expiration_days = -1 + tls_www_client + encryption_key + signing_key + ''; + } '' + certtool -p --bits 4096 --outfile ca.key + certtool -s --template "$caTemplate" --load-privkey ca.key \ + --outfile "$cacert" + certtool -p --bits 4096 --outfile "$key" + certtool -c --template "$certTemplate" \ + --load-ca-privkey ca.key \ + --load-ca-certificate "$cacert" \ + --load-privkey "$key" \ + --outfile "$cert" + certtool --generate-crl --template "$crlTemplate" \ + --load-ca-privkey ca.key \ + --load-ca-certificate "$cacert" \ + --outfile "$crl" + + mkdir "$out" + + # Stripping key information before the actual PEM-encoded values is solely + # to make test output a bit less verbose when copying the client key to the + # actual client. + certtool -p --bits 4096 | sed -n \ + -e '/^----* *BEGIN/,/^----* *END/p' > "$out/alice.key" + + certtool -c --template "$userCertTemplace" \ + --load-privkey "$out/alice.key" \ + --load-ca-privkey ca.key \ + --load-ca-certificate "$cacert" \ + --outfile "$out/alice.cert" + ''; + +in { name = "taskserver"; nodes = rec { 
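Review bot: Both the server template and the user certificate template carry `cn = server`, so alice's client certificate is indistinguishable by name from the server certificate; if the manual-PKI subtest is meant to exercise client identity, give `userCertTemplace` its own CN (e.g. `cn = alice`) and fix the `userCertTemplace`/`snakoil` typos at the same time. `expiration_days = -1` makes every certificate and the CRL non-expiring, which is fine for a fixture but deserves a comment such as `# Test-only snakeoil PKI: non-expiring, keys live in the world-readable store; never reuse.`. It is worth noting in a comment that `ca.key` is intentionally not an output, so the CA key is discarded after the build and no further certificates can be minted from `snakeOil`.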
@@ -12,6 +70,23 @@ import ./make-test.nix { }; }; + # New generation of the server with manual config + newServer = { lib, nodes, ... }: { + imports = [ server ]; + services.taskserver.pki.manual = { + ca.cert = snakeOil.cacert; + server.cert = snakeOil.cert; + server.key = snakeOil.key; + server.crl = snakeOil.crl; + }; + # This is to avoid assigning a different network address to the new + # generation. + networking = lib.mapAttrs (lib.const lib.mkForce) { + inherit (nodes.server.config.networking) + hostName interfaces primaryIPAddress extraHosts; + }; + }; + client1 = { pkgs, ... }: { environment.systemPackages = [ pkgs.taskwarrior pkgs.gnutls ]; users.users.alice.isNormalUser = true; @@ -26,6 +101,8 @@ import ./make-test.nix { testScript = { nodes, ... }: let cfg = nodes.server.config.services.taskserver; portStr = toString cfg.listenPort; + newServerSystem = nodes.newServer.config.system.build.toplevel; + switchToNewServer = "${newServerSystem}/bin/switch-to-configuration test"; in '' sub su ($$) { my ($user, $cmd) = @_; @@ -33,8 +110,8 @@ import ./make-test.nix { return "su - $user -c '$esc'"; } - sub setupClientsFor ($$) { - my ($org, $user) = @_; + sub setupClientsFor ($$;$) { + my ($org, $user, $extraInit) = @_; for my $client ($client1, $client2) { $client->nest("initialize client for user $user", sub { @@ -58,6 +135,8 @@ import ./make-test.nix { } }); + eval { &$extraInit($client, $org, $user) }; + $client->succeed(su $user, "task config taskd.server server:${portStr} >&2" ); @@ -104,7 +183,10 @@ import ./make-test.nix { return su $user, $cmd; } - startAll; + # Explicitly start the VMs so that we don't accidentally start newServer + $server->start; + $client1->start; + $client2->start; $server->waitForUnit("taskserver.service"); 
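Review bot: In `setupClientsFor`, `eval { &$extraInit($client, $org, $user) };` swallows every exception raised inside the callback, so a failed `copyFileFromHost` or `task config` in the manual-PKI setup does not fail the test where it happens but surfaces later as an unrelated sync error; the `eval` appears to exist only to tolerate a missing third argument. Replace it with an explicit guard, `$extraInit->($client, $org, $user) if defined $extraInit;`. The `setupClientsFor` subroutine starts in an earlier hunk and continues after this one.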
@@ -162,5 +244,42 @@ import ./make-test.nix { restartServer; testSync "bar"; }; + + subtest "check manual configuration", sub { + $server->succeed('${switchToNewServer} >&2'); + $server->waitForUnit("taskserver.service"); + $server->waitForOpenPort(${portStr}); + + $server->succeed( + "nixos-taskserver org add manualOrg", + "nixos-taskserver user add manualOrg alice" + ); + + setupClientsFor "manualOrg", "alice", sub { + my ($client, $org, $user) = @_; + my $cfgpath = "/home/$user/.task"; + + $client->copyFileFromHost("${snakeOil.cacert}", "$cfgpath/ca.cert"); + for my $file ('alice.key', 'alice.cert') { + $client->copyFileFromHost("${snakeOil}/$file", "$cfgpath/$file"); + } + + for my $file ("$user.key", "$user.cert") { + $client->copyFileFromHost( + "${snakeOil}/$file", "$cfgpath/$file" + ); + } + $client->copyFileFromHost( + "${snakeOil.cacert}", "$cfgpath/ca.cert" + ); + $client->succeed( + (su "alice", "task config taskd.ca $cfgpath/ca.cert"), + (su "alice", "task config taskd.key $cfgpath/$user.key"), + (su $user, "task config taskd.certificate $cfgpath/$user.cert") + ); + }; + + testSync "alice"; + }; ''; -} +}) -- cgit 1.4.1 From 0b27c74eb2517d307b1c1bbd04567157fba7cb63 Mon Sep 17 00:00:00 2001 From: Tomasz Czyż Date: Sun, 26 Feb 2017 10:14:32 +0000 Subject: pgjwt: init at 0.0.1 (#22644) --- nixos/release.nix | 1 + nixos/tests/pgjwt.nix | 42 +++++++++++++++++++++++++++ pkgs/servers/sql/postgresql/pgjwt/default.nix | 25 ++++++++++++++++ pkgs/top-level/all-packages.nix | 2 ++ 4 files changed, 70 insertions(+) create mode 100644 nixos/tests/pgjwt.nix create mode 100644 pkgs/servers/sql/postgresql/pgjwt/default.nix (limited to 'nixos/tests') diff --git a/nixos/release.nix b/nixos/release.nix index 0f93deddf26..2bfe8eada0b 100644 --- a/nixos/release.nix +++ b/nixos/release.nix 
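Review bot: The `extraInit` callback in "check manual configuration" copies the same files twice: the `for my $file ('alice.key', 'alice.cert')` loop and the first `copyFileFromHost` of `ca.cert` duplicate the `$user`-based loop and the second `ca.cert` copy that follow them, and the `task config taskd.ca`/`taskd.key` lines hard-code `"alice"` while `taskd.certificate` uses `$user`. Drop the first loop and the first `ca.cert` copy, and use `su $user` on all three `task config` lines so the callback works for any user. Since `$cfgpath/$user.key` is a private key, consider a `chmod 600` after the copy; I cannot tell from here what mode `copyFileFromHost` produces.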
@@ -286,6 +286,7 @@ in rec { tests.pam-oath-login = callTest tests/pam-oath-login.nix {}; #tests.panamax = hydraJob (import tests/panamax.nix { system = "x86_64-linux"; }); tests.peerflix = callTest tests/peerflix.nix {}; + tests.pgjwt = callTest tests/pgjwt.nix {}; tests.postgresql = callTest tests/postgresql.nix {}; tests.printing = callTest tests/printing.nix {}; tests.proxy = callTest tests/proxy.nix {}; diff --git a/nixos/tests/pgjwt.nix b/nixos/tests/pgjwt.nix new file mode 100644 index 00000000000..2cf2963ae31 --- /dev/null +++ b/nixos/tests/pgjwt.nix @@ -0,0 +1,42 @@ +import ./make-test.nix ({ pkgs, ...} : +let + test = pkgs.writeText "test.sql" '' + CREATE EXTENSION pgcrypto; + CREATE EXTENSION pgjwt; + select sign('{"sub":"1234567890","name":"John Doe","admin":true}', 'secret'); + select * from verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ', 'secret'); + ''; +in +{ + name = "pgjwt"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ spinus ]; + }; + + nodes = { + master = + { pkgs, config, ... }: + + { + services.postgresql = let mypg = pkgs.postgresql95; in { + enable = true; + package = mypg; + extraPlugins =[pkgs.pgjwt]; + initialScript = pkgs.writeText "postgresql-init.sql" + '' + CREATE ROLE postgres WITH superuser login createdb; + ''; + }; + }; + }; + + testScript = '' + startAll; + $master->waitForUnit("postgresql"); + $master->succeed("timeout 10 bash -c 'while ! psql postgres -c \"SELECT 1;\";do sleep 1;done;'"); + $master->succeed("cat ${test} | psql postgres"); + # I can't make original test working :[ + # $master->succeed("${pkgs.perlPackages.TAPParserSourceHandlerpgTAP}/bin/pg_prove -d postgres ${pkgs.pgjwt.src}/test.sql"); + + ''; +}) diff --git a/pkgs/servers/sql/postgresql/pgjwt/default.nix b/pkgs/servers/sql/postgresql/pgjwt/default.nix new file mode 100644 index 00000000000..b4955f8184c --- /dev/null 
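Review bot: `cat ${test} | psql postgres` succeeds even when a statement in test.sql fails, because psql only exits non-zero on an SQL error when `ON_ERROR_STOP` is set, so the `CREATE EXTENSION`, `sign` and `verify` calls are not actually asserted; run it as `psql -v ON_ERROR_STOP=1 postgres < ${test}`. The `verify(...)` call also merely selects its result, so a token that fails verification would still pass; turn it into an assertion, for instance `select 1/(case when valid then 1 else 0 end) from verify(...);`, and add a negative case with a tampered signature or a wrong secret. With those changes the test covers what the commit claims, and the commented-out `pg_prove` line can carry a TODO or be removed.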
+++ b/pkgs/servers/sql/postgresql/pgjwt/default.nix @@ -0,0 +1,25 @@ +{ stdenv, fetchFromGitHub }: +stdenv.mkDerivation rec { + name = "pgjwt-${version}"; + version = "0.0.1"; + src = fetchFromGitHub { + owner = "michelp"; + repo = "pgjwt"; + rev = "12a41eef15e6d3a22399e03178560d5174d496a3"; + sha256 = "1dgx7kqkf9d7j5qj3xykx238xm8jg0s6c8h7zyl4lx8dmbz9sgsv"; + }; + dontBuild = true; + installPhase = '' + mkdir -p $out/bin # current postgresql extension mechanism in nixos requires bin directory + mkdir -p $out/share/extension + cp pg*sql *.control $out/share/extension + ''; + meta = with stdenv.lib; { + description = "PostgreSQL implementation of JSON Web Tokens"; + longDescription = '' + sign() and verify() functions to create and verify JSON Web Tokens. + ''; + license = licenses.mit; + maintainers = with maintainers; [spinus]; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 2a5d95916ee..a02327d8185 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -2141,6 +2141,8 @@ with pkgs; pgf_graphics = callPackage ../tools/graphics/pgf { }; + pgjwt = callPackage ../servers/sql/postgresql/pgjwt {}; + pigz = callPackage ../tools/compression/pigz { }; pixz = callPackage ../tools/compression/pixz { }; -- cgit 1.4.1 From 6018cf4a692b5e12e433cc332f8d8f79ccd57ba1 Mon Sep 17 00:00:00 2001 From: Dan Peebles Date: Mon, 27 Feb 2017 16:51:36 +0000 Subject: amazon-init.service: fix starting services at startup We now make it happen later in the boot process so that multi-user has already activated, so as to not run afoul of the logic in switch-to-configuration.pl. It's not my favorite solution, but at least it works. Also added a check to the VM test to catch the failure so we don't break in future. Fixes #23121 --- nixos/modules/virtualisation/amazon-init.nix | 5 ++--- nixos/tests/ec2.nix | 21 +++++++++++++++++++-- 2 files changed, 21 insertions(+), 5 deletions(-) (limited to 'nixos/tests') 
diff --git a/nixos/modules/virtualisation/amazon-init.nix b/nixos/modules/virtualisation/amazon-init.nix index 5797d9db436..a7362423eb4 100644 --- a/nixos/modules/virtualisation/amazon-init.nix +++ b/nixos/modules/virtualisation/amazon-init.nix @@ -45,9 +45,8 @@ in { inherit script; description = "Reconfigure the system from EC2 userdata on startup"; - wantedBy = [ "sshd.service" ]; - before = [ "sshd.service" ]; - after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + after = [ "multi-user.target" ]; requires = [ "network-online.target" ]; restartIfChanged = false; diff --git a/nixos/tests/ec2.nix b/nixos/tests/ec2.nix index e1f7143e3a9..4ec7e56cc6c 100644 --- a/nixos/tests/ec2.nix +++ b/nixos/tests/ec2.nix @@ -25,8 +25,13 @@ let # access. Mostly copied from # modules/profiles/installation-device.nix. system.extraDependencies = - [ pkgs.stdenv pkgs.busybox pkgs.perlPackages.ArchiveCpio - pkgs.unionfs-fuse pkgs.mkinitcpio-nfs-utils + with pkgs; [ + stdenv busybox perlPackages.ArchiveCpio unionfs-fuse mkinitcpio-nfs-utils + + # These are used in the configure-from-userdata tests for EC2. Httpd and valgrind are requested + # directly by the configuration we set, and libxslt.bin is used indirectly as a build dependency + # of the derivation for dbus configuration files. + apacheHttpd valgrind.doc libxslt.bin ]; } ]; @@ -137,6 +142,8 @@ in { # ### http://nixos.org/channels/nixos-unstable nixos userData = '' + { pkgs, ... }: + { imports = [ 
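Review bot: Replacing `wantedBy`/`before = [ "sshd.service" ]` with `after = [ "multi-user.target" ]` means sshd is now accepting connections before the userdata configuration has been applied, so until `amazon-init` finishes its rebuild from userdata the instance is reachable with the image's default sshd settings, users and authorized keys rather than the ones supplied in userdata. If that window is acceptable, document it on the unit, `# NOTE: ordered after multi-user.target, so sshd serves the image defaults until the userdata rebuild completes.`; otherwise keep the `before = [ "sshd.service" ]` ordering and address the switch-to-configuration problem another way. The unit definition continues outside this hunk.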
@@ -146,12 +153,22 @@ in { environment.etc.testFile = { text = "whoa"; }; + + services.httpd = { + enable = true; + adminAddr = "test@example.org"; + documentRoot = "${pkgs.valgrind.doc}/share/doc/valgrind/html"; + }; + networking.firewall.allowedTCPPorts = [ 80 ]; } ''; script = '' $machine->start; $machine->waitForFile("/etc/testFile"); $machine->succeed("cat /etc/testFile | grep -q 'whoa'"); + + $machine->waitForUnit("httpd.service"); + $machine->succeed("curl http://localhost | grep Valgrind"); ''; }; } -- cgit 1.4.1 From 251b9ca0e77963c48d9c198cec964f7a1cd91d4a Mon Sep 17 00:00:00 2001 From: Susan Potter Date: Tue, 28 Feb 2017 09:15:20 -0600 Subject: nginx service: add commonHttpConfig option --- .../modules/services/web-servers/nginx/default.nix | 20 +++++++++++ nixos/tests/nginx.nix | 42 ++++++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 nixos/tests/nginx.nix (limited to 'nixos/tests') diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 6bc7192963d..548467ae785 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -87,6 +87,8 @@ let server_tokens ${if cfg.serverTokens then "on" else "off"}; + ${cfg.commonHttpConfig} + ${vhosts} ${optionalString cfg.statusPage '' @@ -275,6 +277,24 @@ in ''; }; + commonHttpConfig = mkOption { + type = types.lines; + default = ""; + example = '' + resolver 127.0.0.1 valid=5s; + + log_format myformat '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + ''; + description = '' + With nginx you must provide common http context definitions before + they are used, e.g. log_format, resolver, etc. inside of server + or location contexts. Use this attribute to set these definitions + at the appropriate location. + ''; + }; + httpConfig = mkOption { type = types.lines; default = ""; 
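Review bot: The `commonHttpConfig` description should say that its text is spliced verbatim into the generated `http { }` block — the first hunk places `${cfg.commonHttpConfig}` right after `server_tokens` and ahead of `${vhosts}` — with nothing in the module validating it, so a syntax error there surfaces only when nginx starts or reloads, exactly as with `httpConfig`. It should also say how it relates to `httpConfig`, since both are `types.lines` and a reader cannot tell from the option text which to use; where `httpConfig` is rendered is outside the hunk, so confirm before writing e.g. `Lines inserted verbatim into the http context, before all virtual hosts, in addition to the module-generated configuration.` The last sentence currently reads as if `log_format`/`resolver` belong inside server contexts; rewording to `definitions such as log_format or resolver must appear in the http context before any server or location block that uses them` says what is meant.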
diff --git a/nixos/tests/nginx.nix b/nixos/tests/nginx.nix new file mode 100644 index 00000000000..c2beb5590ef --- /dev/null +++ b/nixos/tests/nginx.nix @@ -0,0 +1,42 @@ +# verifies: +# 1. nginx generates config file with shared http context definitions above +# generated virtual hosts config. + +import ./make-test.nix ({ pkgs, ...} : { + name = "jenkins"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ mbbx6spp ]; + }; + + nodes = { + webserver = + { config, pkgs, ... }: + { services.nginx.enable = true; + services.nginx.commonHttpConfig = '' + log_format ceeformat '@cee: {"status":"$status",' + '"request_time":$request_time,' + '"upstream_response_time":$upstream_response_time,' + '"pipe":"$pipe","bytes_sent":$bytes_sent,' + '"connection":"$connection",' + '"remote_addr":"$remote_addr",' + '"host":"$host",' + '"timestamp":"$time_iso8601",' + '"request":"$request",' + '"http_referer":"$http_referer",' + '"upstream_addr":"$upstream_addr"}'; + ''; + services.nginx.virtualHosts."0.my.test" = { + extraConfig = '' + access_log syslog:server=unix:/dev/log,facility=user,tag=mytag,severity=info ceeformat; + ''; + }; + }; + }; + + testScript = '' + startAll; + + $webserver->waitForUnit("nginx"); + $webserver->waitForOpenPort("80"); + ''; +}) -- cgit 1.4.1 From a6c6d084303ef995a889c04e5f779429d757bc30 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Wed, 1 Mar 2017 03:16:35 +0300 Subject: samba test: fix race condition --- nixos/tests/samba.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'nixos/tests') diff --git a/nixos/tests/samba.nix b/nixos/tests/samba.nix index d6658ef0400..e446284fc0e 100644 --- a/nixos/tests/samba.nix +++ b/nixos/tests/samba.nix 
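Review bot: The new test is registered as `name = "jenkins";` although it exercises nginx; the name appears in the driver output and artifacts and collides with the existing jenkins test (`tests.jenkins` is visible in release.nix further down this page), so it should be `name = "nginx";`. The header comment says the test verifies that the shared http-context definitions are emitted above the virtual hosts, but the script only runs `waitForUnit("nginx")` and `waitForOpenPort("80")`; nginx refusing to start on a misordered `log_format` makes that an indirect check at best. A direct one-liner such as `$webserver->succeed("grep -q 'log_format ceeformat' /run/nginx/nginx.conf")` would pin the intent — the generated config's path is not visible here, so take it from the unit's `ExecStart` rather than from this note.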
@@ -37,12 +37,11 @@ import ./make-test.nix ({ pkgs, ... }: testScript = '' $server->start; - $server->waitForUnit("samba-smbd"); - $server->waitForUnit("samba-nmbd"); + $server->waitForUnit("samba.target"); $server->succeed("mkdir -p /public; echo bar > /public/foo"); $client->start; - $client->waitForUnit("network.target"); + $client->waitForUnit("remote-fs.target"); $client->succeed("[[ \$(cat /public/foo) = bar ]]"); ''; }) -- cgit 1.4.1 From 0da421ce17a0226e4880c596702adcc58cb19d6c Mon Sep 17 00:00:00 2001 From: Thomas Tuegel Date: Tue, 28 Feb 2017 19:09:56 -0600 Subject: nixos/tests: fix Plasma 5 test --- nixos/release-combined.nix | 2 +- nixos/release.nix | 2 +- nixos/tests/kde5.nix | 50 --------------------------------------------- nixos/tests/plasma5.nix | 51 ++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 53 insertions(+), 52 deletions(-) delete mode 100644 nixos/tests/kde5.nix create mode 100644 nixos/tests/plasma5.nix (limited to 'nixos/tests') diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index 6c048e8a0ac..341724b5847 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -72,7 +72,7 @@ in rec { (all nixos.tests.ecryptfs) (all nixos.tests.ipv6) (all nixos.tests.i3wm) - (all nixos.tests.kde5) + (all nixos.tests.plasma5) #(all nixos.tests.lightdm) (all nixos.tests.login) (all nixos.tests.misc) diff --git a/nixos/release.nix b/nixos/release.nix index 2bfe8eada0b..face44b94e2 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -255,7 +255,7 @@ in rec { tests.influxdb = callTest tests/influxdb.nix {}; tests.ipv6 = callTest tests/ipv6.nix {}; tests.jenkins = callTest tests/jenkins.nix {}; - tests.kde5 = callTest tests/kde5.nix {}; + tests.plasma5 = callTest tests/plasma5.nix {}; tests.keymap = callSubTests tests/keymap.nix {}; tests.initrdNetwork = callTest tests/initrd-network.nix {}; tests.keystone = callTest tests/keystone.nix {}; 
diff --git a/nixos/tests/kde5.nix b/nixos/tests/kde5.nix deleted file mode 100644 index 2b61d6f3f0a..00000000000 --- a/nixos/tests/kde5.nix +++ /dev/null @@ -1,50 +0,0 @@ -import ./make-test.nix ({ pkgs, ...} : - -{ - name = "kde5"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ ttuegel ]; - }; - - machine = { lib, ... }: { - imports = [ ./common/user-account.nix ]; - virtualisation.memorySize = 1024; - services.xserver.enable = true; - services.xserver.displayManager.sddm = { - enable = true; - autoLogin = { - enable = true; - user = "alice"; - }; - }; - services.xserver.desktopManager.kde5.enable = true; - virtualisation.writableStore = false; # FIXME - }; - - testScript = { nodes, ... }: - let xdo = "${pkgs.xdotool}/bin/xdotool"; in - '' - startAll; - - $machine->waitForFile("/home/alice/.Xauthority"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - - $machine->waitUntilSucceeds("pgrep plasmashell"); - $machine->waitForWindow("^Desktop "); - - # Check that logging in has given the user ownership of devices. - $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); - - $machine->execute("su - alice -c 'DISPLAY=:0.0 dolphin &'"); - $machine->waitForWindow(" Dolphin"); - - $machine->execute("su - alice -c 'DISPLAY=:0.0 konsole &'"); - $machine->waitForWindow("Konsole"); - - $machine->execute("su - alice -c 'DISPLAY=:0.0 systemsettings5 &'"); - $machine->waitForWindow("Settings"); - - $machine->execute("${xdo} key Alt+F1 sleep 10"); - $machine->screenshot("screen"); - ''; -}) diff --git a/nixos/tests/plasma5.nix b/nixos/tests/plasma5.nix new file mode 100644 index 00000000000..3dd5121607a --- /dev/null +++ b/nixos/tests/plasma5.nix 
@@ -0,0 +1,51 @@ +import ./make-test.nix ({ pkgs, ...} : + +{ + name = "kde5"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ ttuegel ]; + }; + + machine = { lib, ... }: { + imports = [ ./common/user-account.nix ]; + virtualisation.memorySize = 1024; + services.xserver.enable = true; + services.xserver.displayManager.sddm = { + enable = true; + autoLogin = { + enable = true; + user = "alice"; + }; + }; + services.xserver.desktopManager.plasma5.enable = true; + services.xserver.desktopManager.default = "plasma5"; + virtualisation.writableStore = false; # FIXME + }; + + testScript = { nodes, ... }: + let xdo = "${pkgs.xdotool}/bin/xdotool"; in + '' + startAll; + + $machine->waitForFile("/home/alice/.Xauthority"); + $machine->succeed("xauth merge ~alice/.Xauthority"); + + $machine->waitUntilSucceeds("pgrep plasmashell"); + $machine->waitForWindow("^Desktop "); + + # Check that logging in has given the user ownership of devices. + $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); + + $machine->execute("su - alice -c 'DISPLAY=:0.0 dolphin &'"); + $machine->waitForWindow(" Dolphin"); + + $machine->execute("su - alice -c 'DISPLAY=:0.0 konsole &'"); + $machine->waitForWindow("Konsole"); + + $machine->execute("su - alice -c 'DISPLAY=:0.0 systemsettings5 &'"); + $machine->waitForWindow("Settings"); + + $machine->execute("${xdo} key Alt+F1 sleep 10"); + $machine->screenshot("screen"); + ''; +}) -- cgit 1.4.1 From dcee54c935f893566085471e786aaeecbde75d11 Mon Sep 17 00:00:00 2001 From: Thomas Tuegel Date: Fri, 3 Mar 2017 07:25:45 -0600 Subject: nixos/tests/plasma5: fix test name --- nixos/tests/plasma5.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/tests') diff --git a/nixos/tests/plasma5.nix b/nixos/tests/plasma5.nix index 3dd5121607a..ca787e9c7b9 100644 --- a/nixos/tests/plasma5.nix +++ b/nixos/tests/plasma5.nix 
@@ -1,7 +1,7 @@ import ./make-test.nix ({ pkgs, ...} : { - name = "kde5"; + name = "plasma5"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ ttuegel ]; }; -- cgit 1.4.1 From e7b0b2bb66fb0047ccd6288bd4faaf91ebad00a0 Mon Sep 17 00:00:00 2001 From: Thomas Tuegel Date: Fri, 3 Mar 2017 07:26:17 -0600 Subject: nixos/tests/phabricator: fix renaming warning --- nixos/tests/phabricator.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/tests') diff --git a/nixos/tests/phabricator.nix b/nixos/tests/phabricator.nix index 85faafd5689..fdc39393fae 100644 --- a/nixos/tests/phabricator.nix +++ b/nixos/tests/phabricator.nix @@ -54,7 +54,7 @@ import ./make-test.nix ({ pkgs, ... }: { client = { config, pkgs, ... }: { imports = [ ./common/x11.nix ]; - services.xserver.desktopManager.kde5.enable = true; + services.xserver.desktopManager.plasma5.enable = true; }; }; -- cgit 1.4.1 From 60817e4715a2fd42390a44b189b1c1cd1b888529 Mon Sep 17 00:00:00 2001 From: Thomas Tuegel Date: Fri, 3 Mar 2017 07:26:51 -0600 Subject: nixos/tests/trac: fix renaming warning --- nixos/tests/trac.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/tests') diff --git a/nixos/tests/trac.nix b/nixos/tests/trac.nix index 0d56c564e18..d426bbde68d 100644 --- a/nixos/tests/trac.nix +++ b/nixos/tests/trac.nix @@ -45,7 +45,7 @@ import ./make-test.nix ({ pkgs, ... }: { client = { config, pkgs, ... }: { imports = [ ./common/x11.nix ]; - services.xserver.desktopManager.kde5.enable = true; + services.xserver.desktopManager.plasma5.enable = true; }; }; -- cgit 1.4.1 From f8ad48ea1d83fdae35cbb43e0caafa813f8b4264 Mon Sep 17 00:00:00 2001 From: Joachim Schiele Date: Mon, 6 Mar 2017 21:33:21 +0100 Subject: nixos/tests/leaps.nix: fixed race condition --- nixos/tests/leaps.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'nixos/tests') diff --git a/nixos/tests/leaps.nix b/nixos/tests/leaps.nix index 3c390e1a169..6163fed56b6 100644 
--- a/nixos/tests/leaps.nix +++ b/nixos/tests/leaps.nix @@ -24,6 +24,7 @@ import ./make-test.nix ({ pkgs, ... }: '' startAll; $server->waitForOpenPort(6666); - $client->succeed("curl http://server:6666/leaps/ | grep -i 'leaps'"); + $client->waitForUnit("network.target"); + $client->succeed("${pkgs.curl}/bin/curl http://server:6666/leaps/ | grep -i 'leaps'"); ''; }) -- cgit 1.4.1 From 9f062c2c0b98a8f6e715dacc4b90ca712a868fac Mon Sep 17 00:00:00 2001 From: Fernando J Pando Date: Mon, 27 Feb 2017 14:02:11 -0500 Subject: buildbot: 0.9.3 -> 0.9.4 - adds jwt - adds module tests - master.cfg as path in module - fix systemd worker config - builds on darwin - tested on nixos --- .../continuous-integration/buildbot/master.nix | 18 +++------ .../continuous-integration/buildbot/worker.nix | 5 +-- nixos/tests/buildbot.nix | 46 ++++++++++++++++++++++ .../tools/build-managers/buildbot/default.nix | 6 +-- .../tools/build-managers/buildbot/plugins.nix | 20 ++++------ .../tools/build-managers/buildbot/worker.nix | 5 +-- 6 files changed, 66 insertions(+), 34 deletions(-) create mode 100644 nixos/tests/buildbot.nix (limited to 'nixos/tests') diff --git a/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixos/modules/services/continuous-integration/buildbot/master.nix index f638cf4bae3..68306109130 100644 --- a/nixos/modules/services/continuous-integration/buildbot/master.nix +++ b/nixos/modules/services/continuous-integration/buildbot/master.nix @@ -28,7 +28,7 @@ let ${cfg.extraConfig} '' - else pkgs.writeText "master.cfg" cfg.masterCfg; + else cfg.masterCfg; in { options = { 
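Review bot: The race fix waits on `network.target`, which systemd reaches once network management has started, not once addresses and routes are configured, so on a slow boot the client can still fail to reach `server`; `network-online.target` is the target documented for that, and retrying is more robust than ordering: `$client->waitUntilSucceeds("${pkgs.curl}/bin/curl http://server:6666/leaps/ | grep -i 'leaps'");`. Note that the pipeline's exit status is grep's, so a curl failure is caught only because it produces no matching output; `curl -sf` would make the failure explicit. The `testScript` this hunk edits starts outside the hunk.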
@@ -66,13 +66,10 @@ in { }; masterCfg = mkOption { - type = types.nullOr types.str; - description = '' - Optionally pass raw master.cfg file as string. - Other options in this configuration will be ignored. - ''; + type = types.nullOr types.path; + description = "Optionally pass master.cfg path. Other options in this configuration will be ignored."; default = null; - example = "BuildmasterConfig = c = {}"; + example = "/etc/nixos/buildbot/master.cfg"; }; schedulers = mkOption { @@ -88,7 +85,7 @@ in { type = types.listOf types.str; description = "List of Builders."; default = [ - "util.BuilderConfig(name='runtests',workernames=['default-worker'],factory=factory)" + "util.BuilderConfig(name='runtests',workernames=['example-worker'],factory=factory)" ]; }; @@ -183,10 +180,7 @@ in { package = mkOption { type = types.package; default = pkgs.buildbot-ui; - description = '' - Package to use for buildbot. - buildbot-full is required in order to use local workers. - ''; + description = "Package to use for buildbot."; example = pkgs.buildbot-full; }; diff --git a/nixos/modules/services/continuous-integration/buildbot/worker.nix b/nixos/modules/services/continuous-integration/buildbot/worker.nix index 430fd4e53f1..1ad1319d501 100644 --- a/nixos/modules/services/continuous-integration/buildbot/worker.nix +++ b/nixos/modules/services/continuous-integration/buildbot/worker.nix @@ -100,14 +100,11 @@ in { systemd.services.buildbot-worker = { description = "Buildbot Worker."; - after = [ "network.target" ]; + after = [ "network.target" "buildbot-master.service" ]; wantedBy = [ "multi-user.target" ]; - wants = [ "buildbot-master.service" ]; path = cfg.packages; preStart = '' - # NOTE: ensure master has time to start in case running on localhost - ${pkgs.coreutils}/bin/sleep 4 ${pkgs.coreutils}/bin/mkdir -vp ${cfg.buildbotDir} ${cfg.package}/bin/buildbot-worker create-worker ${cfg.buildbotDir} ${cfg.masterUrl} ${cfg.workerUser} ${cfg.workerPass} ''; 
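Review bot: With `masterCfg` now a `types.path` that the first hunk passes through unchanged (`else cfg.masterCfg`), whether the file ends up in the world-readable `/nix/store` depends on how the user writes the value: a path literal such as `./master.cfg` is copied into the store when interpolated, while a string like the example `/etc/nixos/buildbot/master.cfg` is referenced in place. A master.cfg typically holds worker passwords and API tokens, so the description should spell this out: `Path to a master.cfg file. Pass a string path (as in the example) to keep the file out of the Nix store; a path literal is copied into the world-readable store. Other options in this configuration are ignored when set.` The `options` attrset containing this option starts outside the hunk.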
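Review bot: The worker unit now names `buildbot-master.service` only in `after`, and the `wants` line this hunk removes was the only thing that pulled the master in; ordering without a dependency is right for the cross-host layout the new test uses, but on a single host the worker no longer starts the master and `create-worker` runs against nothing, and the commit message's "fix systemd worker config" does not mention the change. Either restore `wants` or record the intent with `# the master is deliberately not pulled in: it normally runs on another host`. Separately, the retained preStart line passes `${cfg.workerPass}` on the `create-worker` command line, so the password lands in the unit's store-resident script and in the process list; that is pre-existing, but a TODO is warranted while this unit is being reworked. The `systemd.services.buildbot-worker` definition continues past the hunk.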
diff --git a/nixos/tests/buildbot.nix b/nixos/tests/buildbot.nix new file mode 100644 index 00000000000..13a162e6c6e --- /dev/null +++ b/nixos/tests/buildbot.nix @@ -0,0 +1,46 @@ +# Test ensures buildbot master comes up correctly and workers can connect + +import ./make-test.nix ({ pkgs, ... } : { + name = "buildbot"; + + nodes = { + bbmaster = { config, pkgs, nodes, ... }: { + services.buildbot-master = { + enable = true; + factorySteps = [ + "steps.Git(repourl='git://github.com/buildbot/pyflakes.git', mode='incremental')" + "steps.ShellCommand(command=['trial', 'pyflakes'])" + ]; + changeSource = [ + "changes.GitPoller('git://github.com/buildbot/pyflakes.git', workdir='gitpoller-workdir', branch='master', pollinterval=300)" + ]; + }; + networking.firewall.allowedTCPPorts = [ 8010 9989 ]; + }; + + bbworker = { config, pkgs, ... }: { + services.buildbot-worker = { + enable = true; + masterUrl = "bbmaster:9989"; + }; + }; + }; + + testScript = '' + + $bbmaster->waitForUnit("network.target"); + $bbworker->waitForUnit("network.target"); + + # Additional tests to be added + #$bbmaster->waitForUnit("buildbot-master.service"); + #$bbmaster->waitUntilSucceeds("curl -s --head http://bbmaster:8010") =~ /200 OK/ or die; + #$bbworker->waitForUnit("buildbot-worker.service"); + #$bbworker->waitUntilSucceeds("tail -10 /home/bbworker/worker/twistd.log") =~ /success/ or die; + + ''; + + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ nand0p ]; + }; + +}) diff --git a/pkgs/development/tools/build-managers/buildbot/default.nix b/pkgs/development/tools/build-managers/buildbot/default.nix index 427ff705840..b9b8dc71927 100644 --- a/pkgs/development/tools/build-managers/buildbot/default.nix +++ b/pkgs/development/tools/build-managers/buildbot/default.nix 
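Review bot: Every check that would make this test meaningful is commented out, so the script only waits for `network.target` on both nodes and passes even if `buildbot-master.service` never starts, which contradicts the file's own header ("ensures buildbot master comes up correctly and workers can connect"). The unit and port checks need no external network and can be enabled now: `$bbmaster->waitForUnit("buildbot-master.service");`, `$bbmaster->waitForOpenPort(9989);` and `$bbworker->waitForUnit("buildbot-worker.service");`. The `git://` repourl in `factorySteps` and `changeSource` is an unauthenticated transport and is presumably unreachable from the test VM anyway; a `# placeholder, no network in the sandbox` comment would stop it being copied into real configurations as a pattern.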
@@ -4,10 +4,10 @@ pythonPackages.buildPythonApplication (rec { name = "${pname}-${version}"; pname = "buildbot"; - version = "0.9.3"; + version = "0.9.4"; src = fetchurl { url = "mirror://pypi/b/${pname}/${name}.tar.gz"; - sha256 = "1yw7knk5dcvwms14vqwlp89flhjf8567l17s9cq7vydh760nmg62"; + sha256 = "0wklrn4fszac9wi8zw3vbsznwyff6y57cz0i81zvh46skb6n3086"; }; buildInputs = with pythonPackages; [ @@ -41,6 +41,7 @@ pythonPackages.buildPythonApplication (rec { dateutil txaio autobahn + pyjwt # tls pyopenssl @@ -70,7 +71,6 @@ pythonPackages.buildPythonApplication (rec { homepage = http://buildbot.net/; description = "Continuous integration system that automates the build/test cycle"; maintainers = with maintainers; [ nand0p ryansydnor ]; - platforms = platforms.linux; license = licenses.gpl2; }; }) diff --git a/pkgs/development/tools/build-managers/buildbot/plugins.nix b/pkgs/development/tools/build-managers/buildbot/plugins.nix index f2fdd1535bf..b22759af8fe 100644 --- a/pkgs/development/tools/build-managers/buildbot/plugins.nix +++ b/pkgs/development/tools/build-managers/buildbot/plugins.nix @@ -4,11 +4,11 @@ let buildbot-pkg = pythonPackages.buildPythonPackage rec { name = "${pname}-${version}"; pname = "buildbot-pkg"; - version = "0.9.3"; + version = "0.9.4"; src = fetchurl { url = "mirror://pypi/b/${pname}/${name}.tar.gz"; - sha256 = "02949cvmghyh313i1hmplwxp3nzq789kk85xjx2ir82cpr1d6h6j"; + sha256 = "09a3yvs5hhf8syrkyydznmymgg86dpvgrwy9rb3bryq00wpjb3wn"; }; propagatedBuildInputs = with pythonPackages; [ setuptools ]; @@ -17,7 +17,6 @@ let homepage = http://buildbot.net/; description = "Buildbot Packaging Helper"; maintainers = with maintainers; [ nand0p ryansydnor ]; - platforms = platforms.all; license = licenses.gpl2; }; }; @@ -26,7 +25,7 @@ in { www = pythonPackages.buildPythonPackage rec { name = "${pname}-${version}"; pname = "buildbot_www"; - version = "0.9.3"; + version = "0.9.4"; # NOTE: wheel is used due to buildbot circular dependency format = "wheel"; 
@@ -34,14 +33,13 @@ in { src = pythonPackages.fetchPypi { inherit pname version format; python = "py2"; - sha256 = "0yggg6mcykcnv41srl2sp2zwx2r38vb6a8jgxh1a4825mspm2jf7"; + sha256 = "08m4h2pf6hgi8igh2j0qzfq49izc2z0qqj6ddxk0di5l306jx4im"; }; meta = with stdenv.lib; { homepage = http://buildbot.net/; description = "Buildbot UI"; maintainers = with maintainers; [ nand0p ryansydnor ]; - platforms = platforms.all; license = licenses.gpl2; }; }; @@ -49,11 +47,11 @@ in { console-view = pythonPackages.buildPythonPackage rec { name = "${pname}-${version}"; pname = "buildbot-console-view"; - version = "0.9.3"; + version = "0.9.4"; src = fetchurl { url = "mirror://pypi/b/${pname}/${name}.tar.gz"; - sha256 = "1rkzakm05x72nvdivc5bc3gab3nyasdfvlwnwril90jj9q1b92dk"; + sha256 = "1w2vv8iyzl7ak4161avp9n6mhh08adav2fl82bbm17a3064apl8n"; }; propagatedBuildInputs = with pythonPackages; [ buildbot-pkg ]; @@ -62,7 +60,6 @@ in { homepage = http://buildbot.net/; description = "Buildbot Console View Plugin"; maintainers = with maintainers; [ nand0p ryansydnor ]; - platforms = platforms.all; license = licenses.gpl2; }; }; @@ -70,11 +67,11 @@ in { waterfall-view = pythonPackages.buildPythonPackage rec { name = "${pname}-${version}"; pname = "buildbot-waterfall-view"; - version = "0.9.3"; + version = "0.9.4"; src = fetchurl { url = "mirror://pypi/b/${pname}/${name}.tar.gz"; - sha256 = "033x2cs0znhk1j0lw067nmjw2m7yy1fdq5qch0sx50jnpjiq6g6g"; + sha256 = "17xn6vrr0k2xabw6hr9sdyy0ry3llyjfmc79qrpgp5bsly2qv3jf"; }; propagatedBuildInputs = with pythonPackages; [ buildbot-pkg ]; @@ -83,7 +80,6 @@ in { homepage = http://buildbot.net/; description = "Buildbot Waterfall View Plugin"; maintainers = with maintainers; [ nand0p ryansydnor ]; - platforms = platforms.all; license = licenses.gpl2; }; }; diff --git a/pkgs/development/tools/build-managers/buildbot/worker.nix b/pkgs/development/tools/build-managers/buildbot/worker.nix index 861ed647c5d..3023555d22c 100644 
--- a/pkgs/development/tools/build-managers/buildbot/worker.nix +++ b/pkgs/development/tools/build-managers/buildbot/worker.nix @@ -3,11 +3,11 @@ pythonPackages.buildPythonApplication (rec { name = "${pname}-${version}"; pname = "buildbot-worker"; - version = "0.9.3"; + version = "0.9.4"; src = fetchurl { url = "mirror://pypi/b/${pname}/${name}.tar.gz"; - sha256 = "176kp04g4c7gj15f73wppraqrirbfclyx214gcz966019niikcsp"; + sha256 = "0rdrr8x7sn2nxl51p6h9ad42s3c28lb6sys84zrg0d7fm4zhv7hj"; }; buildInputs = with pythonPackages; [ setuptoolsTrial mock ]; @@ -21,7 +21,6 @@ pythonPackages.buildPythonApplication (rec { homepage = http://buildbot.net/; description = "Buildbot Worker Daemon"; maintainers = with maintainers; [ nand0p ryansydnor ]; - platforms = platforms.all; license = licenses.gpl2; }; }) -- cgit 1.4.1 From 22c265182f9e0d543de0fe46a809180ff2021b85 Mon Sep 17 00:00:00 2001 From: Profpatsch Date: Mon, 6 Mar 2017 13:23:45 +0100 Subject: networking/bonds: fix examples After the change of the bonding options, the examples were not quite correct. The diff is over-the top because the new `let` needs everything indented. Also add a small docstring to the `networkd` attr in the networking test. --- nixos/modules/tasks/network-interfaces.nix | 163 +++++++++++++++-------------- nixos/tests/networking.nix | 4 +- 2 files changed, 85 insertions(+), 82 deletions(-) (limited to 'nixos/tests') diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 42a1a5a2332..6467259766e 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix 
@@ -560,101 +560,102 @@ in }; - networking.bonds = mkOption { - default = { }; - example = literalExample { - bond0 = { - interfaces = [ "eth0" "wlan0" ]; - miimon = 100; + networking.bonds = + let + driverOptionsExample = { + miimon = "100"; mode = "active-backup"; }; - fatpipe.interfaces = [ "enp4s0f0" "enp4s0f1" "enp5s0f0" "enp5s0f1" ]; - }; - description = '' - This option allows you to define bond devices that aggregate multiple, - underlying networking interfaces together. The value of this option is - an attribute set. Each attribute specifies a bond, with the attribute - name specifying the name of the bond's network interface - ''; + in mkOption { + default = { }; + example = literalExample { + bond0 = { + interfaces = [ "eth0" "wlan0" ]; + driverOptions = driverOptionsExample; + }; + anotherBond.interfaces = [ "enp4s0f0" "enp4s0f1" "enp5s0f0" "enp5s0f1" ]; + }; + description = '' + This option allows you to define bond devices that aggregate multiple, + underlying networking interfaces together. The value of this option is + an attribute set. Each attribute specifies a bond, with the attribute + name specifying the name of the bond's network interface + ''; - type = with types; attrsOf (submodule { + type = with types; attrsOf (submodule { - options = { + options = { - interfaces = mkOption { - example = [ "enp4s0f0" "enp4s0f1" "wlan0" ]; - type = types.listOf types.str; - description = "The interfaces to bond together"; - }; + interfaces = mkOption { + example = [ "enp4s0f0" "enp4s0f1" "wlan0" ]; + type = types.listOf types.str; + description = "The interfaces to bond together"; + }; + + driverOptions = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExample driverOptionsExample; + description = '' + Options for the bonding driver. 
+ Documentation can be found in + + ''; - driverOptions = mkOption { - type = types.attrsOf types.str; - default = {}; - example = literalExample { - interfaces = [ "eth0" "wlan0" ]; - miimon = 100; - mode = "active-backup"; }; - description = '' - Options for the bonding driver. - Documentation can be found in - - ''; - }; + lacp_rate = mkOption { + default = null; + example = "fast"; + type = types.nullOr types.str; + description = '' + DEPRECATED, use `driverOptions`. + Option specifying the rate in which we'll ask our link partner + to transmit LACPDU packets in 802.3ad mode. + ''; + }; - lacp_rate = mkOption { - default = null; - example = "fast"; - type = types.nullOr types.str; - description = '' - DEPRECATED, use `driverOptions`. - Option specifying the rate in which we'll ask our link partner - to transmit LACPDU packets in 802.3ad mode. - ''; - }; + miimon = mkOption { + default = null; + example = 100; + type = types.nullOr types.int; + description = '' + DEPRECATED, use `driverOptions`. + Miimon is the number of millisecond in between each round of polling + by the device driver for failed links. By default polling is not + enabled and the driver is trusted to properly detect and handle + failure scenarios. + ''; + }; - miimon = mkOption { - default = null; - example = 100; - type = types.nullOr types.int; - description = '' - DEPRECATED, use `driverOptions`. - Miimon is the number of millisecond in between each round of polling - by the device driver for failed links. By default polling is not - enabled and the driver is trusted to properly detect and handle - failure scenarios. - ''; - }; + mode = mkOption { + default = null; + example = "active-backup"; + type = types.nullOr types.str; + description = '' + DEPRECATED, use `driverOptions`. + The mode which the bond will be running. The default mode for + the bonding driver is balance-rr, optimizing for throughput. 
+ More information about valid modes can be found at + https://www.kernel.org/doc/Documentation/networking/bonding.txt + ''; + }; - mode = mkOption { - default = null; - example = "active-backup"; - type = types.nullOr types.str; - description = '' - DEPRECATED, use `driverOptions`. - The mode which the bond will be running. The default mode for - the bonding driver is balance-rr, optimizing for throughput. - More information about valid modes can be found at - https://www.kernel.org/doc/Documentation/networking/bonding.txt - ''; - }; + xmit_hash_policy = mkOption { + default = null; + example = "layer2+3"; + type = types.nullOr types.str; + description = '' + DEPRECATED, use `driverOptions`. + Selects the transmit hash policy to use for slave selection in + balance-xor, 802.3ad, and tlb modes. + ''; + }; - xmit_hash_policy = mkOption { - default = null; - example = "layer2+3"; - type = types.nullOr types.str; - description = '' - DEPRECATED, use `driverOptions`. - Selects the transmit hash policy to use for slave selection in - balance-xor, 802.3ad, and tlb modes. - ''; }; - }; - - }); - }; + }); + }; networking.macvlans = mkOption { default = { }; diff --git a/nixos/tests/networking.nix b/nixos/tests/networking.nix index 17b04c8db15..6a7e628d8ef 100644 --- a/nixos/tests/networking.nix +++ b/nixos/tests/networking.nix @@ -1,4 +1,6 @@ -{ system ? builtins.currentSystem, networkd }: +{ system ? builtins.currentSystem +# bool: whether to use networkd in the tests +, networkd }: with import ../lib/testing.nix { inherit system; }; with pkgs.lib; -- cgit 1.4.1 From 41625dcab64efe29c3b15876f27ec520927367bf Mon Sep 17 00:00:00 2001 From: Jörg Thalheim Date: Sun, 12 Mar 2017 15:56:31 +0100 Subject: pump.io: fix tests fixes #23568 --- nixos/tests/pump.io.nix | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) (limited to 'nixos/tests') diff --git a/nixos/tests/pump.io.nix b/nixos/tests/pump.io.nix index 18da52b5134..0991ed3fce1 100644 
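Review bot: The reworked `driverOptions` example quotes `miimon = "100"` because the option is `types.attrsOf types.str`, while the deprecated top-level `miimon` right below it is `types.nullOr types.int` with example `100`; the description should say so, e.g. `All values are handed to the bonding driver as strings, so numeric options must be quoted ("100"), unlike the deprecated per-option settings.` The sentence "Documentation can be found in" is followed by nothing in the rendered text, so either the link element was lost or it should cite the kernel document the `mode` option already names (`https://www.kernel.org/doc/Documentation/networking/bonding.txt`). Minor: `number of millisecond` → `number of milliseconds`, and the top-level description lacks its final full stop. The `networking.macvlans` option that follows continues past the hunk.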
--- a/nixos/tests/pump.io.nix +++ b/nixos/tests/pump.io.nix @@ -51,16 +51,6 @@ import ./make-test.nix ({ pkgs, ...} : let Vd5WD2HJhLb9u0UxVp9vfWIUDgydopV5ZmWCQ5YvNepb1w== -----END CERTIFICATE----- ''; - - makePump = { opts ? { } }: - { - enable = true; - sslCert = pkgs.writeText "snakeoil.cert" snakeOilCert; - sslKey = pkgs.writeText "snakeoil.pem" snakeOilKey; - secret = "test"; - site = "test"; - } // opts; - in { name = "pumpio"; meta = with pkgs.stdenv.lib.maintainers; { @@ -72,9 +62,14 @@ in { { config, pkgs, ... }: { services = { - pumpio = makePump { opts = { + pumpio = { port = 443; - }; }; + enable = true; + sslCert = pkgs.writeText "snakeoil.cert" snakeOilCert; + sslKey = pkgs.writeText "snakeoil.pem" snakeOilKey; + secretFile = pkgs.writeText "secretFile" "test123"; + site = "test"; + }; mongodb.enable = true; mongodb.extraConfig = '' storage.journal.enabled: false -- cgit 1.4.1 From 308c09d41f309e5055e45c66c07454581945d458 Mon Sep 17 00:00:00 2001 From: Bas van Dijk Date: Tue, 14 Mar 2017 16:11:51 +0100 Subject: wordpress: security upgrade: 4.7.2 -> 4.7.3 & other improvements (#23837) * Moved the wordpress sources derivation to the attribute pkgs.wordpress. This makes it easier to override. * Also introduce the `package` option for the wordpress virtual host config which defaults to pkgs.wordpress. * Also fixed the test in nixos/tests/wordpress.nix. --- .../services/web-servers/apache-httpd/wordpress.nix | 20 +++++++++----------- nixos/tests/wordpress.nix | 12 ++++-------- pkgs/servers/web-apps/wordpress/default.nix | 12 ++++++++++++ pkgs/top-level/all-packages.nix | 2 ++ 4 files changed, 27 insertions(+), 19 deletions(-) create mode 100644 pkgs/servers/web-apps/wordpress/default.nix (limited to 'nixos/tests') diff --git a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix index a5b6548d3c5..b94ec14308b 100644 --- a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix 
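Review bot: Switching to `secretFile = pkgs.writeText "secretFile" "test123"` places the secret in the world-readable `/nix/store`, which is precisely what a `secretFile` option exists to avoid; harmless in a throwaway VM test, but tests get copied as configuration examples. A one-line comment prevents that: `# test-only: writeText puts the secret in the Nix store; real deployments should point secretFile at a file outside /nix/store readable only by the service user.` The same caveat applies to the snakeoil `sslKey`, which was already written this way. The `services` attrset around this hunk continues outside it.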
+++ b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix @@ -4,11 +4,6 @@ with lib; let - - # Upgrading? We have a test! nix-build ./nixos/tests/wordpress.nix - version = "4.7.2"; - fullversion = "${version}"; - # Our bare-bones wp-config.php file using the above settings wordpressConfig = pkgs.writeText "wp-config.php" '' Date: Wed, 15 Mar 2017 16:49:08 +0100 Subject: nixos: tests: firefox: make more comprehensive Run Firefox inside an XTerm, it doesn't crash mysteriously this way. Also try opening developer tools and checking that Firefox doesn't crash in the process. --- nixos/tests/firefox.nix | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'nixos/tests') diff --git a/nixos/tests/firefox.nix b/nixos/tests/firefox.nix index 1bdabe93fec..e1b628c9144 100644 --- a/nixos/tests/firefox.nix +++ b/nixos/tests/firefox.nix @@ -8,15 +8,21 @@ import ./make-test.nix ({ pkgs, ... }: { { config, pkgs, ... }: { imports = [ ./common/x11.nix ]; - environment.systemPackages = [ pkgs.firefox ]; + environment.systemPackages = [ pkgs.firefox pkgs.xdotool ]; }; testScript = '' $machine->waitForX; - $machine->execute("firefox file://${pkgs.valgrind.doc}/share/doc/valgrind/html/index.html &"); + $machine->execute("xterm -e 'firefox file://${pkgs.valgrind.doc}/share/doc/valgrind/html/index.html' &"); $machine->waitForWindow(qr/Valgrind/); $machine->sleep(40); # wait until Firefox has finished loading the page + $machine->execute("xdotool key space"); # do I want to make Firefox the + # default browser? I just want to close the dialog + $machine->sleep(2); # wait until Firefox hides the default browser window + $machine->execute("xdotool key F12"); + $machine->sleep(10); # wait until Firefox draws the developer tool panel + $machine->succeed("xwininfo -root -tree | grep Valgrind"); $machine->screenshot("screen"); ''; -- cgit 1.4.1 From b4169bb8dde4a4afa829132703455e4def13a633 Mon Sep 17 00:00:00 2001 
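Review bot: The new `xdotool key space` is sent blindly to whichever window has focus after a fixed `sleep(40)`; if the default-browser prompt does not appear (for instance once the profile has answered it) the keypress goes to the page, and the fixed `sleep(2)`/`sleep(10)` waits make the test both slow and timing-dependent. Waiting for the prompt explicitly (`waitForWindow` on its title, or `waitForText` with `enableOCR = true`) before pressing the key, or suppressing the prompt through a prefs file if Firefox offers one, would make the intent explicit; at minimum the comment should say what happens when the dialog is absent. The F12 step has the same shape — `sleep(10)` then a screenshot — with no assertion that the developer tools actually opened.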
From: Jörg Thalheim Date: Wed, 22 Mar 2017 00:08:41 +0100 Subject: munin: fix tests by replacing cron with systemd timer --- nixos/modules/services/monitoring/munin.nix | 20 ++++++++++++++++---- nixos/tests/munin.nix | 1 + 2 files changed, 17 insertions(+), 4 deletions(-) (limited to 'nixos/tests') diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index 364f18e7543..b8c26a5c89b 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix @@ -193,14 +193,26 @@ in }) (mkIf cronCfg.enable { - services.cron.systemCronJobs = [ - "*/5 * * * * munin ${pkgs.munin}/bin/munin-cron --config ${muninConf}" - ]; + systemd.timers.munin-cron = { + description = "batch Munin master programs"; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "*:0/5"; + }; + + systemd.services.munin-cron = { + description = "batch Munin master programs"; + unitConfig.Documentation = "man:munin-cron(8)"; + + serviceConfig = { + Type = "oneshot"; + User = "munin"; + ExecStart = "${pkgs.munin}/bin/munin-cron --config ${muninConf}"; + }; + }; system.activationScripts.munin-cron = stringAfter [ "users" "groups" ] '' mkdir -p /var/{run,log,www,lib}/munin chown -R munin:munin /var/{run,log,www,lib}/munin ''; - })]; } diff --git a/nixos/tests/munin.nix b/nixos/tests/munin.nix index 50746d17b45..40fafc62514 100644 --- a/nixos/tests/munin.nix +++ b/nixos/tests/munin.nix @@ -29,6 +29,7 @@ import ./make-test.nix ({ pkgs, ...} : { startAll; $one->waitForUnit("munin-node.service"); + $one->succeed('systemctl start munin-cron'); $one->waitForFile("/var/lib/munin/one/one-uptime-uptime-g.rrd"); $one->waitForFile("/var/www/munin/one/index.html"); ''; -- cgit 1.4.1 From ae1034ea965f9f86b6cbf1064071923650907618 Mon Sep 17 00:00:00 2001 
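Review bot: The new `munin-cron` service runs as `User = "munin"` yet still depends on the retained activation script, which performs `chown -R munin:munin` as root on every activation over trees the munin user writes to; a root-run recursive chown on user-writable directories is a pattern to avoid, and now that the job is a proper unit the ownership can be established once at creation instead, e.g. `systemd.tmpfiles.rules` entries of the form `"d /var/lib/munin 0755 munin munin -"` for each directory, or a non-recursive `preStart`. The timer also has no `Persistent` or `RandomizedDelaySec`; not a defect, but worth deciding consciously since the previous cron entry had different catch-up semantics. The test's `systemctl start munin-cron` is a good direct check of the new unit.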
From: Thomas Tuegel Date: Thu, 23 Mar 2017 18:57:23 -0500 Subject: nixos/sddm: improve test Disable SDDM auto-login to improve testing for SDDM themes. See #24246. --- nixos/tests/sddm.nix | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) (limited to 'nixos/tests') diff --git a/nixos/tests/sddm.nix b/nixos/tests/sddm.nix index 041d88fbeae..a1bd8f14d23 100644 --- a/nixos/tests/sddm.nix +++ b/nixos/tests/sddm.nix @@ -1,26 +1,24 @@ import ./make-test.nix ({ pkgs, ...} : { name = "sddm"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ ttuegel ]; - }; machine = { lib, ... }: { imports = [ ./common/user-account.nix ]; services.xserver.enable = true; - services.xserver.displayManager.sddm = { - enable = true; - autoLogin = { - enable = true; - user = "alice"; - }; - }; + services.xserver.displayManager.sddm.enable = true; services.xserver.windowManager.default = "icewm"; services.xserver.windowManager.icewm.enable = true; services.xserver.desktopManager.default = "none"; }; - testScript = { nodes, ... }: '' + enableOCR = true; + + testScript = { nodes, ... }: let + user = nodes.machine.config.users.extraUsers.alice; + in '' startAll; + $machine->waitForText(qr/ALICE/); + $machine->screenshot("sddm"); + $machine->sendChars("${user.password}\n"); $machine->waitForFile("/home/alice/.Xauthority"); $machine->succeed("xauth merge ~alice/.Xauthority"); $machine->waitForWindow("^IceWM "); -- cgit 1.4.1 From 27ba56f1e01e5015897be087fe25d5bbcfe13d70 Mon Sep 17 00:00:00 2001 From: Thomas Tuegel Date: Fri, 24 Mar 2017 08:02:24 -0500 Subject: nixos/plasma5: also test SDDM theme --- nixos/tests/plasma5.nix | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) (limited to 'nixos/tests') diff --git a/nixos/tests/plasma5.nix b/nixos/tests/plasma5.nix index ca787e9c7b9..f561fc8c3c4 100644 --- a/nixos/tests/plasma5.nix +++ b/nixos/tests/plasma5.nix 
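Review bot: The hunk drops the `meta.maintainers = [ ttuegel ]` block, which is unrelated to disabling auto-login and is not mentioned in the commit message — likely accidental, and it removes the person Hydra notifies when this test breaks. The login now types `${user.password}` through Perl string interpolation inside the test script; with the value from `./common/user-account.nix` that is presumably fine, but a password containing `$`, `@` or `\` would be mangled, so a comment such as `# password comes from common/user-account.nix and must not contain Perl-interpolated characters` (or escaping the value) would save the next person a confusing failure. The `testScript` continues past the hunk.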
@@ -8,25 +8,27 @@ import ./make-test.nix ({ pkgs, ...} : machine = { lib, ... }: { imports = [ ./common/user-account.nix ]; - virtualisation.memorySize = 1024; services.xserver.enable = true; - services.xserver.displayManager.sddm = { - enable = true; - autoLogin = { - enable = true; - user = "alice"; - }; - }; + services.xserver.displayManager.sddm.enable = true; services.xserver.desktopManager.plasma5.enable = true; services.xserver.desktopManager.default = "plasma5"; - virtualisation.writableStore = false; # FIXME + virtualisation.memorySize = 1024; }; - testScript = { nodes, ... }: - let xdo = "${pkgs.xdotool}/bin/xdotool"; in - '' + enableOCR = true; + + testScript = { nodes, ... }: let + user = nodes.machine.config.users.extraUsers.alice; + xdo = "${pkgs.xdotool}/bin/xdotool"; + in '' startAll; + # Wait for display manager to start + $machine->waitForText(qr/${user.description}/); + $machine->screenshot("sddm"); + + # Log in + $machine->sendChars("${user.password}\n"); $machine->waitForFile("/home/alice/.Xauthority"); $machine->succeed("xauth merge ~alice/.Xauthority"); -- cgit 1.4.1 From 352e335f3d643b84f34d5c102a4828712924a267 Mon Sep 17 00:00:00 2001 From: Thomas Tuegel Date: Fri, 24 Mar 2017 10:38:16 -0500 Subject: nixos/sddm: test automatic and manual login --- nixos/release-combined.nix | 2 +- nixos/release.nix | 2 +- nixos/tests/sddm.nix | 90 +++++++++++++++++++++++++++++++++------------- 3 files changed, 67 insertions(+), 27 deletions(-) (limited to 'nixos/tests') diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index 63ca39a9b60..5c1112a1c6d 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -92,7 +92,7 @@ in rec { (all nixos.tests.openssh) (all nixos.tests.printing) (all nixos.tests.proxy) - (all nixos.tests.sddm) + (all nixos.tests.sddm.default) (all nixos.tests.simple) (all nixos.tests.udisks2) (all nixos.tests.xfce) 
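Review bot: `$machine->waitForText(qr/${user.description}/)` interpolates the user's description into a regex unquoted, so any regex metacharacter in a description (`.`, `(`, `+`) would change or break the match; `$machine->waitForText(qr/\Q${user.description}\E/);` matches it literally. The same unquoted-interpolation remark applies to `sendChars("${user.password}\n")` below it. The hunk also drops `virtualisation.writableStore = false; # FIXME` without the message saying why; presumably the test now relies on the default, but a one-line note in the commit would save the next reader from wondering whether the FIXME was resolved or just removed. The enclosing `testScript` continues past the end of the hunk.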
diff --git a/nixos/release.nix b/nixos/release.nix index cf7f0a63f4b..3535690a8e6 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -296,7 +296,7 @@ in rec { tests.quake3 = callTest tests/quake3.nix {}; tests.runInMachine = callTest tests/run-in-machine.nix {}; tests.samba = callTest tests/samba.nix {}; - tests.sddm = callTest tests/sddm.nix {}; + tests.sddm = callSubTests tests/sddm.nix {}; tests.simple = callTest tests/simple.nix {}; tests.smokeping = callTest tests/smokeping.nix {}; tests.taskserver = callTest tests/taskserver.nix {}; diff --git a/nixos/tests/sddm.nix b/nixos/tests/sddm.nix index a1bd8f14d23..82be9bc1d72 100644 --- a/nixos/tests/sddm.nix +++ b/nixos/tests/sddm.nix 
@@ -1,26 +1,66 @@ -import ./make-test.nix ({ pkgs, ...} : { - name = "sddm"; - - machine = { lib, ... }: { - imports = [ ./common/user-account.nix ]; - services.xserver.enable = true; - services.xserver.displayManager.sddm.enable = true; - services.xserver.windowManager.default = "icewm"; - services.xserver.windowManager.icewm.enable = true; - services.xserver.desktopManager.default = "none"; - }; +{ system ? builtins.currentSystem }: + +with import ../lib/testing.nix { inherit system; }; + +let + inherit (pkgs) lib; + + tests = { + default = { + name = "sddm"; + + machine = { lib, ... }: { + imports = [ ./common/user-account.nix ]; + services.xserver.enable = true; + services.xserver.displayManager.sddm.enable = true; + services.xserver.windowManager.default = "icewm"; + services.xserver.windowManager.icewm.enable = true; + services.xserver.desktopManager.default = "none"; + }; - enableOCR = true; - - testScript = { nodes, ... }: let - user = nodes.machine.config.users.extraUsers.alice; - in '' - startAll; - $machine->waitForText(qr/ALICE/); - $machine->screenshot("sddm"); - $machine->sendChars("${user.password}\n"); - $machine->waitForFile("/home/alice/.Xauthority"); - $machine->succeed("xauth merge ~alice/.Xauthority"); - $machine->waitForWindow("^IceWM "); - ''; -}) + enableOCR = true; + + testScript = { nodes, ... }: let + user = nodes.machine.config.users.extraUsers.alice; + in '' + startAll; + $machine->waitForText(qr/ALICE/); + $machine->screenshot("sddm"); + $machine->sendChars("${user.password}\n"); + $machine->waitForFile("/home/alice/.Xauthority"); + $machine->succeed("xauth merge ~alice/.Xauthority"); + $machine->waitForWindow("^IceWM "); + ''; + }; + + autoLogin = { + name = "sddm-autologin"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ ttuegel ]; + }; + + machine = { lib, ... 
}: { + imports = [ ./common/user-account.nix ]; + services.xserver.enable = true; + services.xserver.displayManager.sddm = { + enable = true; + autoLogin = { + enable = true; + user = "alice"; + }; + }; + services.xserver.windowManager.default = "icewm"; + services.xserver.windowManager.icewm.enable = true; + services.xserver.desktopManager.default = "none"; + }; + + testScript = { nodes, ... }: '' + startAll; + $machine->waitForFile("/home/alice/.Xauthority"); + $machine->succeed("xauth merge ~alice/.Xauthority"); + $machine->waitForWindow("^IceWM "); + ''; + }; + }; +in + lib.mapAttrs (lib.const makeTest) tests -- cgit 1.4.1 From 68729958e889b7db114fcb3f5ca297d28ae59165 Mon Sep 17 00:00:00 2001 From: Arnold Krille Date: Sat, 11 Feb 2017 16:46:55 +0100 Subject: network-interfaces: reload bridges on conf changes And adopt the tests to add an interface and remove it again. It should work when deactivating rstp, it will not work when activating rstp for the first bridge as then the userspace daemon is not yet available. But once one bridge is active with stp, it should work with the reload for any further bridge. Fixes #21745. Also see #22547. --- .../modules/tasks/network-interfaces-scripted.nix | 25 +++++ nixos/release.nix | 1 + nixos/tests/containers-restart_networking.nix | 114 +++++++++++++++++++++ 3 files changed, 140 insertions(+) create mode 100644 nixos/tests/containers-restart_networking.nix (limited to 'nixos/tests') diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 3571e00d04e..f30906b84a2 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -239,6 +239,10 @@ let ip link set "${i}" master "${n}" ip link set "${i}" up '')} + # Save list of enslaved interfaces + echo "${flip concatMapStrings v.interfaces (i: '' + ${i} + '')}" > /run/${n}.interfaces # Enable stp on the interface ${optionalString v.rstp '' 
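Review bot: `meta.maintainers = [ ttuegel ]` is set only on the `autoLogin` test, so the `default` test is published with no maintainer even though the pre-split version of this file (before the previous commit) had one; I would set `meta` on both entries or hoist it above the `tests` attribute set and merge it into each. The `machine` configuration of the two tests differs only in the `sddm` attribute, and the six shared lines could live in one `let` binding that both variants extend, which would also stop the two from drifting apart. The `autoLogin` variant only checks that a session eventually appears; a `$machine->screenshot("sddm-autologin");` before `waitForFile` would make a regression that drops back to the greeter visible in the test output instead of surfacing as a bare timeout.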
@@ -250,7 +254,28 @@ let postStop = '' ip link set "${n}" down || true ip link del "${n}" || true + rm -f /run/${n}.interfaces ''; + reload = '' + # Un-enslave child interfaces (old list of interfaces) + for interface in `cat /run/${n}.interfaces`; do + ip link set "$interface" nomaster up + done + + # Enslave child interfaces (new list of interfaces) + ${flip concatMapStrings v.interfaces (i: '' + ip link set "${i}" master "${n}" + ip link set "${i}" up + '')} + # Save list of enslaved interfaces + echo "${flip concatMapStrings v.interfaces (i: '' + ${i} + '')}" > /run/${n}.interfaces + + # (Un-)set stp on the bridge + echo ${if v.rstp then "2" else "0"} > /sys/class/net/${n}/bridge/stp_state + ''; + reloadIfChanged = true; }); createVswitchDevice = n: v: nameValuePair "${n}-netdev" diff --git a/nixos/release.nix b/nixos/release.nix index 3535690a8e6..523d6e291ac 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -228,6 +228,7 @@ in rec { tests.containers-imperative = callTest tests/containers-imperative.nix {}; tests.containers-extra_veth = callTest tests/containers-extra_veth.nix {}; tests.containers-physical_interfaces = callTest tests/containers-physical_interfaces.nix {}; + tests.containers-restart_networking = callTest tests/containers-restart_networking.nix {}; tests.containers-tmpfs = callTest tests/containers-tmpfs.nix {}; tests.containers-hosts = callTest tests/containers-hosts.nix {}; tests.containers-macvlans = callTest tests/containers-macvlans.nix {}; diff --git a/nixos/tests/containers-restart_networking.nix b/nixos/tests/containers-restart_networking.nix new file mode 100644 index 00000000000..086d056c51c --- /dev/null +++ b/nixos/tests/containers-restart_networking.nix 
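Review bot: The "Save list of enslaved interfaces" block (the `echo "${flip concatMapStrings v.interfaces …}" > /run/${n}.interfaces` lines) is now written out twice, here and again in the `reload` script of the next hunk, with identical contents. I would bind it once, e.g. `saveInterfaces = ''…''` next to the other per-bridge helpers, and interpolate it in both places so the two copies cannot drift apart. The script this hunk edits starts before the hunk, so I cannot see whether it runs under `set -e`.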
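Review bot: The new `reload` script reads `/run/${n}.interfaces` unconditionally, but the file only exists if the bridge was brought up by a generation that already contains this change; on the first reload after upgrading, `cat` fails and, depending on whether the unit scripts run with `set -e` (not visible in the hunk), the reload either aborts or silently skips the un-enslave loop. `for interface in $(cat /run/${n}.interfaces 2>/dev/null); do` makes the missing-file case explicit and also replaces the backtick form. The sysfs write `echo ${if v.rstp then "2" else "0"} > /sys/class/net/${n}/bridge/stp_state` selects user-space STP (2) which, as the commit message concedes, only takes effect if the STP daemon is already running; that caveat belongs in the code, e.g. `# 2 = user-space STP; only effective if the rstp daemon is already up (see #22547)`. The `createBridgeDevice` body this hunk extends starts before the hunk.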
@@ -0,0 +1,114 @@ +# Test for NixOS' container support. + +let + client_base = rec { + networking.firewall.enable = false; + + containers.webserver = { + autoStart = true; + privateNetwork = true; + hostBridge = "br0"; + config = { + networking.firewall.enable = false; + networking.firewall.allowPing = true; + networking.interfaces.eth0.ip4 = [ + { address = "192.168.1.122"; prefixLength = 24; } + ]; + }; + }; + }; +in import ./make-test.nix ({ pkgs, lib, ...} : +{ + name = "containers-restart_networking"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ kampfschlaefer ]; + }; + + nodes = { + client = { lib, pkgs, ... }: client_base // { + virtualisation.vlans = [ 1 ]; + + networking.bridges.br0 = { + interfaces = []; + rstp = false; + }; + networking.interfaces = { + eth1.ip4 = lib.mkOverride 0 [ ]; + br0.ip4 = [{ address = "192.168.1.1"; prefixLength = 24; }]; + }; + + }; + client_eth1 = { lib, pkgs, ... }: client_base // { + networking.bridges.br0 = { + interfaces = [ "eth1" ]; + rstp = false; + }; + networking.interfaces = { + eth1.ip4 = lib.mkOverride 0 [ ]; + br0.ip4 = [{ address = "192.168.1.2"; prefixLength = 24; }]; + }; + }; + client_eth1_rstp = { lib, pkgs, ... 
}: client_base // { + networking.bridges.br0 = { + interfaces = [ "eth1" ]; + rstp = true; + }; + networking.interfaces = { + eth1.ip4 = lib.mkOverride 0 [ ]; + br0.ip4 = [{ address = "192.168.1.2"; prefixLength = 24; }]; + }; + }; + }; + + testScript = {nodes, ...}: let + originalSystem = nodes.client.config.system.build.toplevel; + eth1_bridged = nodes.client_eth1.config.system.build.toplevel; + eth1_rstp = nodes.client_eth1_rstp.config.system.build.toplevel; + in '' + $client->start(); + + $client->waitForUnit("default.target"); + + subtest "initial state", sub { + $client->succeed("ping 192.168.1.122 -c 1 -n >&2"); + $client->succeed("nixos-container run webserver -- ping -c 1 -n 192.168.1.1 >&2"); + + $client->fail("ip l show eth1 |grep \"master br0\" >&2"); + $client->fail("grep eth1 /run/br0.interfaces >&2"); + }; + + subtest "interfaces without stp", sub { + $client->succeed("${eth1_bridged}/bin/switch-to-configuration test >&2"); + + $client->succeed("ping 192.168.1.122 -c 1 -n >&2"); + $client->succeed("nixos-container run webserver -- ping -c 1 -n 192.168.1.2 >&2"); + + $client->succeed("ip l show eth1 |grep \"master br0\" >&2"); + $client->succeed("grep eth1 /run/br0.interfaces >&2"); + }; + + # activating rstp needs another service, therefor the bridge will restart and the container will loose its connectivity + #subtest "interfaces with rstp", sub { + # $client->succeed("${eth1_rstp}/bin/switch-to-configuration test >&2"); + # $client->execute("ip -4 a >&2"); + # $client->execute("ip l >&2"); + # + # $client->succeed("ping 192.168.1.122 -c 1 -n >&2"); + # $client->succeed("nixos-container run webserver -- ping -c 1 -n 192.168.1.2 >&2"); + # + # $client->succeed("ip l show eth1 |grep \"master br0\" >&2"); + # $client->succeed("grep eth1 /run/br0.interfaces >&2"); + #}; + + subtest "back to no interfaces and no stp", sub { + $client->succeed("${originalSystem}/bin/switch-to-configuration test >&2"); + + $client->succeed("ping 192.168.1.122 -c 1 -n 
>&2"); + $client->succeed("nixos-container run webserver -- ping -c 1 -n 192.168.1.1 >&2"); + + $client->fail("ip l show eth1 |grep \"master br0\" >&2"); + $client->fail("grep eth1 /run/br0.interfaces >&2"); + }; + ''; + +}) -- cgit 1.4.1 From ee39d4b98a285bb2812c6e6ab51f4038ac013173 Mon Sep 17 00:00:00 2001 From: aszlig Date: Mon, 27 Mar 2017 04:15:44 +0200 Subject: nixos/tests/virtualbox: Fix @shell@ expansion This has surfaced since f803270b7e00fa7124282809838d5652083b6aad. The commit bumped bash to version 4.4, which caused to change the order of --subst-var flags in substituteAll, which this test was relying on, because it added a @shell@ to boot.initrd.postMountCommands. Our substituter is currently working a bit like this: original.replace('@var1@', 'val1').replace('@var2@', 'val2')... Unfortunately, this means that if @var2@ occurs within @var1@ it is replaced by the new value, so the order of the substvars actually matter. I highly doubt that we want a behaviour like this and I'm wondering why it didn't occur to me as a problem while writing the initial implementation of the VirtualBox tests. Whether to get rid of this and disallowing substitution of substvars within substvars is another topic which I think needs discussion in a different place. As for now, I'm using stdenv.shell, because the closure size of this should fit within the initrd, so it's fine especially because it's just a test. Tested with the net-hostonlyif and systemd-detect-virt tests and they both succeed with this change. Signed-off-by: aszlig Reported-by: @globin on IRC --- nixos/tests/virtualbox.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/tests') diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix index 376c4f21dc0..4f7cb176d96 100644 --- a/nixos/tests/virtualbox.nix +++ b/nixos/tests/virtualbox.nix 
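Review bot: The file header `# Test for NixOS' container support.` says nothing about what this particular test checks; `# Test that reloading a bridge (adding/removing enslaved interfaces, toggling stp) keeps a container attached to that bridge reachable.` would tell the next reader why three nearly identical `client*` nodes exist. The `client_eth1_rstp` node and the `eth1_rstp` binding are only referenced from the commented-out "interfaces with rstp" subtest; the comment above it should name the tracking issue (the commit message cites #22547) so the dead configuration is not removed as unused. Two typos in that same comment: "therefor" should be "therefore" and "loose its connectivity" should be "lose its connectivity". The `ping … -c 1` checks pass on a single reply, so a bridge that flaps briefly during reload could still pass; if flapping is part of what #21745 was about, `-c 3` or a short `-w` deadline would make the assertion stricter.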
@@ -65,7 +65,7 @@ let touch /mnt-root/boot-done hostname "${vmName}" mkdir -p /nix/store - unshare -m "@shell@" -c ' + unshare -m ${escapeShellArg pkgs.stdenv.shell} -c ' mount -t vboxsf nixstore /nix/store exec "$stage2Init" ' -- cgit 1.4.1 From 543f5263d2bcd6d35a61d8aa84e31179c2a0a32f Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Thu, 30 Mar 2017 13:25:34 +0200 Subject: nixos/dnscrypt-proxy test: exercise plugin loading --- nixos/tests/dnscrypt-proxy.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'nixos/tests') diff --git a/nixos/tests/dnscrypt-proxy.nix b/nixos/tests/dnscrypt-proxy.nix index 26409949ec6..84562336825 100644 --- a/nixos/tests/dnscrypt-proxy.nix +++ b/nixos/tests/dnscrypt-proxy.nix @@ -15,6 +15,7 @@ import ./make-test.nix ({ pkgs, ... }: { services.dnscrypt-proxy.enable = true; services.dnscrypt-proxy.localPort = localProxyPort; + services.dnscrypt-proxy.extraArgs = [ "-X libdcplugin_example.so" ]; services.dnsmasq.enable = true; services.dnsmasq.servers = [ "127.0.0.1#${toString localProxyPort}" ]; -- cgit 1.4.1 From ce953d0bc90f17dfc35f0e498cfe192bfad0cc20 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 30 Mar 2017 12:21:32 +0200 Subject: panomatic: remove --- nixos/tests/gnome3-gdm.nix | 1 + pkgs/tools/graphics/panomatic/default.nix | 18 ------------------ pkgs/top-level/all-packages.nix | 2 -- 3 files changed, 1 insertion(+), 20 deletions(-) delete mode 100644 pkgs/tools/graphics/panomatic/default.nix (limited to 'nixos/tests') diff --git a/nixos/tests/gnome3-gdm.nix b/nixos/tests/gnome3-gdm.nix index 42425b57ba3..2c9c745021a 100644 --- a/nixos/tests/gnome3-gdm.nix +++ b/nixos/tests/gnome3-gdm.nix @@ -11,6 +11,7 @@ import ./make-test.nix ({ pkgs, ...} : { services.xserver.enable = true; + services.xserver.displayManager.slim.enable = false; services.xserver.displayManager.gdm = { enable = true; autoLogin = { 
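Review bot: `services.dnscrypt-proxy.extraArgs = [ "-X libdcplugin_example.so" ]` puts the option and its value into one list element; if the module escapes each element separately when building the command line, the daemon receives a single argv entry with an embedded space and the plugin name gets a leading blank, whereas `[ "-X" "libdcplugin_example.so" ]` is correct under either joining strategy. I cannot see the module from here, so this is a hedge, but the two-element form costs nothing. The test also only configures the plugin; nothing in the hunk asserts that it actually loaded, so if the daemon starts fine while ignoring a failed plugin the "exercise plugin loading" intent is not verified — a check against the unit's log or a `waitForUnit` on the service after this line would close that gap.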
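Review bot: `services.xserver.displayManager.slim.enable = false;` is added to the gnome3-gdm test without a comment, and nothing in the hunk explains why a second display manager has to be switched off for gdm to be tested; presumably slim is enabled by default once `services.xserver.enable = true`, and the line prevents two display managers competing for the display. I would add `# slim is enabled by default with xserver; disable it so gdm is the only display manager` above the line. The enclosing machine configuration continues past the hunk.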
diff --git a/pkgs/tools/graphics/panomatic/default.nix b/pkgs/tools/graphics/panomatic/default.nix deleted file mode 100644 index f14c16775f8..00000000000 --- a/pkgs/tools/graphics/panomatic/default.nix +++ /dev/null @@ -1,18 +0,0 @@ -{stdenv, fetchurl, boost, zlib}: - -stdenv.mkDerivation { - name = "panomatic-0.9.4"; - - src = fetchurl { - url = http://aorlinsk2.free.fr/panomatic/bin/panomatic-0.9.4-src.tar.bz2; - sha256 = "0vfkj3k3y8narwwijh996q2zzprjxbr2fhym15nm4fkq14yw4wwn"; - }; - - buildInputs = [ boost zlib ]; - - meta = { - homepage = http://aorlinsk2.free.fr/panomatic/; - description = "Tool that automates the creation of control points in Hugin"; - license = stdenv.lib.licenses.gpl2Plus; - }; -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d4a38faed28..2fb97372a48 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -3346,8 +3346,6 @@ with pkgs; buildTools = drv.buildTools or [] ++ [haskellPackages.hsb2hs]; }); - panomatic = callPackage ../tools/graphics/panomatic { }; - pamtester = callPackage ../tools/security/pamtester { }; paper-gtk-theme = callPackage ../misc/themes/paper { }; -- cgit 1.4.1 From affce1e2464f226afb6902c5185fee80d847d857 Mon Sep 17 00:00:00 2001 
From: Tuomas Tynkkynen Date: Sun, 2 Apr 2017 02:21:59 +0300 Subject: nixos hibernate test: Use waitForOpenPort There was one confusing recent failure of this: http://cache.nixos.org/log/myla8bc17j8spmifdxmrz9jswxwsf5w6-vm-test-run-hibernate.drv I don't have any real ideas on what could cause the problem but there is at least one theoretical one: the system starts hibernating before the listener process manages to open the TCP port for listening, and it can't open it after resuming because not enough pages from the netcat binary have been paged in (and as the 9p filesystem holding it is now toast, they can't be loaded anymore). --- nixos/tests/hibernate.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'nixos/tests') diff --git a/nixos/tests/hibernate.nix b/nixos/tests/hibernate.nix index 7616a75b021..db58a2f5c85 100644 --- a/nixos/tests/hibernate.nix +++ b/nixos/tests/hibernate.nix @@ -13,7 +13,7 @@ import ./make-test.nix (pkgs: { networking.firewall.allowedTCPPorts = [ 4444 ]; - systemd.services.listener.serviceConfig.ExecStart = "${pkgs.netcat}/bin/nc -l 4444"; + systemd.services.listener.serviceConfig.ExecStart = "${pkgs.netcat}/bin/nc -l 4444 -k"; }; probe = { config, lib, pkgs, ...}: { @@ -32,6 +32,7 @@ import ./make-test.nix (pkgs: { $machine->succeed("mkswap /dev/vdb"); $machine->succeed("swapon -a"); $machine->startJob("listener"); + $machine->waitForOpenPort(4444); $machine->succeed("systemctl hibernate &"); $machine->waitForShutdown; $machine->start; -- cgit 1.4.1 From c7453084ef71e286699b7414894178e5559f5563 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Mon, 3 Apr 2017 09:05:15 -0400 Subject: docker: test for socket permissions --- nixos/tests/docker.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'nixos/tests') diff --git a/nixos/tests/docker.nix b/nixos/tests/docker.nix index 1b57a94a05d..9096a5868f6 100644 --- a/nixos/tests/docker.nix +++ b/nixos/tests/docker.nix 
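Review bot: The `-k` added to `nc -l 4444 -k` in the first hunk is not explained in the code, and its reason is coupled to the `waitForOpenPort(4444)` added in the second hunk: if `waitForOpenPort` opens a connection to probe the port, a plain `nc -l` would accept it and exit, and the later part of the test (outside this hunk) would find no listener after resume. I would annotate the ExecStart line with `# -k: keep listening after the probe connection made by waitForOpenPort` and the test line with `# make sure the port is bound before hibernating, see the commit message`. Whether `waitForOpenPort` actually connects rather than inspecting the socket table is not visible here, so the first comment should be confirmed against the test driver.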
@@ -11,6 +11,21 @@ import ./make-test.nix ({ pkgs, ...} : { { config, pkgs, ... }: { virtualisation.docker.enable = true; + + users.users = { + noprivs = { + isNormalUser = true; + description = "Can't access the docker daemon"; + password = "foobar"; + }; + + hasprivs = { + isNormalUser = true; + description = "Can access the docker daemon"; + password = "foobar"; + extraGroups = [ "docker" ]; + }; + }; }; }; @@ -21,6 +36,8 @@ import ./make-test.nix ({ pkgs, ...} : { $docker->succeed("tar cv --files-from /dev/null | docker import - scratchimg"); $docker->succeed("docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"); $docker->succeed("docker ps | grep sleeping"); + $docker->succeed("sudo -u hasprivs docker ps"); + $docker->fail("sudo -u noprivs docker ps"); $docker->succeed("docker stop sleeping"); ''; }) -- cgit 1.4.1 From 0a6a06346a3c928a3115dfd700993c5c06b0a1e9 Mon Sep 17 00:00:00 2001 From: Shea Levy Date: Thu, 6 Apr 2017 04:44:47 -0400 Subject: sddm: Fix test. For whatever reason, the OCR code is not detecting ALICE but is BOB. OCR output from login screen (blank lines omitted): > Session none + icewm > 08:41 < > Thursday, April 6, 2017 > BOB FOOBAR > Select your user and enter password --- nixos/tests/sddm.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/tests') diff --git a/nixos/tests/sddm.nix b/nixos/tests/sddm.nix index 82be9bc1d72..f78a77efbf0 100644 --- a/nixos/tests/sddm.nix +++ b/nixos/tests/sddm.nix @@ -24,7 +24,7 @@ let user = nodes.machine.config.users.extraUsers.alice; in '' startAll; - $machine->waitForText(qr/ALICE/); + $machine->waitForText(qr/BOB/); $machine->screenshot("sddm"); $machine->sendChars("${user.password}\n"); $machine->waitForFile("/home/alice/.Xauthority"); -- cgit 1.4.1
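Review bot: `$docker->fail("sudo -u noprivs docker ps")` is satisfied by any non-zero exit, so a broken `sudo`, a missing `docker` in that user's PATH, or a password prompt would make the negative half of the permission check pass without the socket ACL ever being exercised. A cheap guard is `$docker->succeed("sudo -u noprivs true");` before the two `sudo` lines, which pins the failure to the daemon socket rather than to sudo; asserting on the daemon's "permission denied" text would be stronger still but its exact wording depends on the docker version. The `password = "foobar"` on both accounts is unused since root's `sudo -u` does not prompt, and dropping it avoids suggesting that password auth is part of what the test covers. The `description` strings already document the intent of the two users well.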
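Review bot: `$machine->waitForText(qr/BOB/)` now waits for a label that, per the commit message's OCR dump, belongs to the other fixture user ("BOB FOOBAR") rather than to alice, whose password is typed two lines later; without a comment the next reader will assume a copy-paste mistake. I would add `# The greeter lists all users; OCR picks up "BOB" reliably but not "ALICE" (both come from common/user-account.nix)` above the line, hedging the fixture origin if bob is defined elsewhere. Matching on `qr/\QBOB\E/` or on the full `BOB FOOBAR` would also reduce the chance of a stray OCR token satisfying the wait.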