Enable polkit-1

Now both polkit-1 and old policykit are enabled. Packages that can use both will be migrated to new polkit-1, than old one can be disabled. svn path=/nixos/trunk/; revision=21776
2010-05-14 20:28:04 +00:00 · 2010-05-14 20:28:04 +00:00 · 03caab4572
commit 03caab4572
parent 680818c2cc
2 changed files with 46 additions and 6 deletions
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@ -38,7 +38,7 @@
  ./security/pam.nix
  ./security/pam_usb.nix
  ./security/policykit.nix
-  #./security/polkit.nix # Currently disabled; using the old policykit.
+  ./security/polkit.nix
  ./security/setuid-wrappers.nix
  ./security/sudo.nix
  ./services/audio/alsa.nix
--- a/modules/security/polkit.nix
+++ b/modules/security/polkit.nix
@ -2,23 +2,63 @@

 with pkgs.lib;

+let
+  pkWrapper = pkgs.stdenv.mkDerivation {
+    name = "polkit-wrapper";
+    helper = "polkit-agent-helper-1";
+    buildInputs = [ pkgs.xorg.lndir ];
+
+    builder = pkgs.writeScript "pkwrap-builder" ''
+      source $stdenv/setup
+
+      mkdir -p $out
+      lndir ${pkgs.polkit} $out
+      new=$out/libexec/$helper
+
+      mv $new $out/libexec/.$helper.orig
+      echo "exec ${config.security.wrapperDir}/$helper \"\$@\"" > $new
+      chmod +x $new
+      '';
+  };
+in
+
 {

  config = {

-    environment.systemPackages = [ pkgs.polkit ];
+    environment = {
+      systemPackages = [ pkWrapper ];
+      pathsToLink = [ "/share/polkit-1" "/etc/polkit-1" ];
+      etc = [
+        {
+          source = "${config.system.path}/etc/polkit-1";
+          target = "polkit-1";
+        }
+      ];
+    };

-    services.dbus.packages = [ pkgs.polkit ];
+    services.dbus.packages = [ pkWrapper ];

-    security.pam.services = [ { name = "polkit-1"; } ];
+    security = {
+      pam.services = [ { name = "polkit-1"; } ];
+      setuidPrograms = [ "pkexec" ];

-    security.setuidPrograms = [ "pkexec" ];
+      setuidOwners = [
+        {
+          program = pkWrapper.helper;
+          owner = "root";
+          group = "root";
+          setuid = true;
+          source = pkWrapper + "/libexec/." + pkWrapper.helper + ".orig";
+        }
+      ];
+    };

    system.activationScripts.policyKit = pkgs.stringsWithDeps.noDepEntry
      ''
        mkdir -p /var/lib/polkit-1
+        chmod 700 /var/lib/polkit-1
      '';
-
  };

 }