More fixes and improvements
parent
bae00e8aa8
commit
025555d7f1
@ -202,7 +202,7 @@ following incompatible changes:</para>
|
||||
|
||||
<listitem>
|
||||
<para>The directory container setuid wrapper programs,
|
||||
<filename>/var/setuid-wrappers</filename>, <link
|
||||
<filename>/var/permissions-wrappers</filename>, <link
|
||||
xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
|
||||
updated atomically to prevent failures if the switch to a new
|
||||
configuration is interrupted.</link></para>
|
||||
|
@ -260,7 +260,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
|
||||
|
||||
|
||||
# Ask the user to set a root password.
|
||||
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/setuid-wrappers/passwd ] && [ -t 0 ]; then
|
||||
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/permissions-wrappers/passwd ] && [ -t 0 ]; then
|
||||
echo "setting root password..."
|
||||
chroot $mountPoint /var/permissions-wrappers/passwd
|
||||
fi
|
||||
|
@ -154,6 +154,10 @@ in
|
||||
export PATH="${config.security.permissionsWrapperDir}:$PATH"
|
||||
'';
|
||||
|
||||
system.activationScripts.wrapper-dir = ''
|
||||
mkdir -p "${config.security.permissionsWrapperDir}"
|
||||
'';
|
||||
|
||||
###### setcap activation script
|
||||
system.activationScripts.setcap =
|
||||
lib.stringAfter [ "users" ]
|
||||
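Review bot: The new `wrapper-dir` activation script creates the wrapper directory with a bare `mkdir -p`, so a fresh directory takes its mode from the umask in effect during activation and an existing one keeps whatever owner and mode it already has. For a directory that will hold setuid and setcap binaries I would set both explicitly, e.g. `install -d -m 0755 -o root -g root "${config.security.permissionsWrapperDir}"`. The `setcap` script directly below is ordered with `lib.stringAfter [ "users" ]` only; if it writes into this directory it should also name `"wrapper-dir"`. Its body lies outside the hunk, so that part needs confirming.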
|
@ -5,17 +5,17 @@ let
|
||||
|
||||
# Produce a shell-code splice intended to be stitched into one of
|
||||
# the build or install phases within the derivation.
|
||||
mkSetcapWrapper = { program, source ? null, ...}:
|
||||
''
|
||||
if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
|
||||
# If we can't find the program, fall back to the
|
||||
# system profile.
|
||||
source=/nix/var/nix/profiles/default/bin/${program}
|
||||
fi
|
||||
mkSetcapWrapper = { program, source ? null, ...}: ''
|
||||
if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
|
||||
# If we can't find the program, fall back to the
|
||||
# system profile.
|
||||
source=/nix/var/nix/profiles/default/bin/${program}
|
||||
fi
|
||||
|
||||
gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
|
||||
-lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper
|
||||
'';
|
||||
gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
|
||||
-lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
|
||||
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
|
||||
'';
|
||||
in
|
||||
|
||||
# This is only useful for Linux platforms and a kernel version of
|
||||
@ -26,7 +26,7 @@ assert lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.
|
||||
pkgs.stdenv.mkDerivation {
|
||||
name = "setcap-wrapper";
|
||||
unpackPhase = "true";
|
||||
buildInputs = [ pkgs.linuxHeaders pkgs.libcap pkgs.libcap_ng ];
|
||||
buildInputs = [ pkgs.linuxHeaders ];
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin
|
||||
|
||||
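Review bot: When the PATH lookup in `mkSetcapWrapper` fails, the script silently sets `source=/nix/var/nix/profiles/default/bin/${program}` and still compiles the wrapper. `SOURCE_PROG` is then baked in as a profile symlink that changes independently of the system configuration, rather than a fixed store path. `SOURCE_PROG` is presumably the binary the wrapper executes (permissions-wrapper.c is not shown here), so for a capability-bearing wrapper I would fail the build instead: `echo "setcap-wrapper: cannot locate ${program}" >&2; exit 1`. The same fallback appears in the later `-13,8 +13,9` hunk. The command substitutions in the `source=` line are also unquoted, so a resolved path containing whitespace would be split before `readlink -f` sees it.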
|
@ -13,8 +13,9 @@ let
|
||||
source=/nix/var/nix/profiles/default/bin/${program}
|
||||
fi
|
||||
|
||||
gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
|
||||
-lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper
|
||||
gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
|
||||
-lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
|
||||
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
|
||||
'';
|
||||
in
|
||||
|
||||
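Review bot: The rewritten gcc line in this hunk defines `-DWRAPPER_SETCAP=1` where the line it replaces had `-DWRAPPER_SETUID=1`, going by the print order and the `+13,9` count. The rest of the new command is identical to the setcap derivation's invocation, so this looks like a copy-paste slip. If permissions-wrapper.c selects its code path from these macros (the C file is not on this page), the setuid wrappers would be compiled with the capability path instead of the setuid one. I would keep `-DWRAPPER_SETUID=1` on that line and add only the new `-L`/`-I` flags. The enclosing function starts above the hunk.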
|
@ -219,14 +219,14 @@ in
|
||||
type = types.string;
|
||||
default = ''
|
||||
+ FPing
|
||||
binary = ${config.security.wrapperDir}/fping
|
||||
binary = ${config.security.permissionsWrapperDir}/fping
|
||||
'';
|
||||
description = "Probe configuration";
|
||||
};
|
||||
sendmail = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
example = "/var/setuid-wrappers/sendmail";
|
||||
example = "/var/permissions-wrappers/sendmail";
|
||||
description = "Use this sendmail compatible script to deliver alerts";
|
||||
};
|
||||
smokeMailTemplate = mkOption {
|
||||
@ -273,7 +273,14 @@ in
|
||||
message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";
|
||||
}
|
||||
];
|
||||
security.setuidPrograms = [ "fping" ];
|
||||
security.permissionsWrappers.setuid = [
|
||||
{ program = "fping";
|
||||
source = "${e.enlightenment.out}/bin/fping";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
];
|
||||
environment.systemPackages = [ pkgs.fping ];
|
||||
users.extraUsers = singleton {
|
||||
name = cfg.user;
|
||||
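Review bot: The new `security.permissionsWrappers.setuid` entry sets `source = "${e.enlightenment.out}/bin/fping";`, but nothing visible in these hunks binds `e`, and the module installs `pkgs.fping` on the very next line. This looks copied from another module. Evaluation would fail if `e` is unbound here, and if it is bound the root-owned setuid wrapper would point at a path that package is unlikely to provide. I would use `source = "${pkgs.fping}/bin/fping";` so the wrapper targets the package this module actually depends on.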
|
@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : {
|
||||
mailHost = "127.0.0.2";
|
||||
probeConfig = ''
|
||||
+ FPing
|
||||
binary = /var/setuid-wrappers/fping
|
||||
binary = /var/permissions-wrappers/fping
|
||||
offset = 0%
|
||||
'';
|
||||
};
|
||||
|
@ -83,9 +83,9 @@ in stdenv.mkDerivation {
|
||||
ed -v -s "$out/bin/chromium" << EOF
|
||||
2i
|
||||
|
||||
if [ -x "/var/setuid-wrappers/${sandboxExecutableName}" ]
|
||||
if [ -x "/var/permissions-wrappers/${sandboxExecutableName}" ]
|
||||
then
|
||||
export CHROME_DEVEL_SANDBOX="/var/setuid-wrappers/${sandboxExecutableName}"
|
||||
export CHROME_DEVEL_SANDBOX="/var/permissions-wrappers/${sandboxExecutableName}"
|
||||
else
|
||||
export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}"
|
||||
fi
|
||||
|
@ -7,7 +7,7 @@ Index: kinit-5.24.0/src/start_kdeinit/start_kdeinit_wrapper.c
|
||||
#include <unistd.h>
|
||||
|
||||
-#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit"
|
||||
+#define EXECUTE "/var/setuid-wrappers/start_kdeinit"
|
||||
+#define EXECUTE "/var/permissions-wrappers/start_kdeinit"
|
||||
|
||||
#if KDEINIT_OOM_PROTECT
|
||||
|
||||
|
@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
|
||||
preConfigure = ''
|
||||
sed -e 's@/lib/udev@''${out}/lib/udev@' \
|
||||
-e 's@ -Werror @ @' \
|
||||
-e 's@/usr/sbin/sendmail@/var/setuid-wrappers/sendmail@' -i Makefile
|
||||
-e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile
|
||||
'';
|
||||
|
||||
meta = {
|
||||
|
@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ makeWrapper ];
|
||||
|
||||
# Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/setuid-wrappers
|
||||
# Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/permissions-wrappers
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin $out/libexec
|
||||
cp $src $out/libexec/ecryptfs-helper.py
|
||||
|
@ -23,7 +23,7 @@ stdenv.mkDerivation {
|
||||
#define _PATH_SENDMAIL "${sendmailPath}"
|
||||
|
||||
#undef _PATH_DEFPATH
|
||||
#define _PATH_DEFPATH "/var/setuid-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
|
||||
#define _PATH_DEFPATH "/var/permissions-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
|
||||
__EOT__
|
||||
|
||||
# Implicit saved uids do not work here due to way NixOS uses setuid wrappers
|
||||
|