More derp

nixos/modules/security/chromium-suid-sandbox.nix

@@ -27,6 +27,6 @@ in
 
   config = mkIf cfg.enable {
     environment.systemPackages = [ sandbox ];
-    security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];
+    security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
   };
 }

nixos/modules/security/duosec.nix

@@ -188,7 +188,7 @@ in
 
      environment.systemPackages = [ pkgs.duo-unix ];
 
-     security.setuidPrograms = [ "login_duo" ];
+     security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
      environment.etc = loginCfgFile ++ pamCfgFile;
 
      /* If PAM *and* SSH are enabled, then don't do anything special.

nixos/modules/security/pam.nix

@@ -472,13 +472,18 @@ in
       ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
       ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
 
-    security.setuidPrograms =
+    security.wrapperssetuidPrograms =
       optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
 
-    security.wrappers.unix_chkpwd = {
-      source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
-      owner = "root";
-      setuid = true;
+    security.wrappers = {
+      unix_chkpwd = {
+        source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
+        owner = "root";
+        setuid = true;
+      };
+    } // (mkIf config.security.pam.enableEcryptfs {
+      "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
+       "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
     };
 
     environment.etc =

nixos/modules/security/pam_usb.nix

@@ -33,7 +33,10 @@ in
   config = mkIf (cfg.enable || anyUsbAuth) {
 
     # Make sure pmount and pumount are setuid wrapped.
-    security.setuidPrograms = [ "pmount" "pumount" ];
+    security.wrappers = {
+      pmount.source = "${pkgs.pmount.out}/bin/pmount";
+      pumount.source = "${pkgs.pmount.out}/bin/pumount";
+    };
 
     environment.systemPackages = [ pkgs.pmount ];
 

nixos/modules/security/polkit.nix

@@ -83,8 +83,10 @@ in
 
     security.pam.services.polkit-1 = {};
 
-    security.setuidPrograms = [ "pkexec" ];
-    security.wrappers."polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
+    security.wrappers = {
+      pkexec.source = "${pkgs.polkit.out}/bin/pkexec";
+      "polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
+    };
 
     system.activationScripts.polkit =
       ''

nixos/modules/security/sudo.nix

@@ -81,7 +81,10 @@ in
         ${cfg.extraConfig}
       '';
 
-    security.setuidPrograms = [ "sudo" "sudoedit" ];
+    security.wrappers = {
+      sudo.source = "${pkgs.sudo.out}/bin/sudo";
+      sudoedit.source = "${pkgs.sudo.out}/bin/sudoedit";
+    };
 
     environment.systemPackages = [ sudo ];
 

nixos/modules/security/wrappers/default.nix

@@ -4,22 +4,13 @@ let
   inherit (config.security) wrapperDir wrappers setuidPrograms;
 
   programs =
-    (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) setuidPrograms)
-    ++
     (lib.mapAttrsToList
       (n: v: (if v ? "program" then v else v // {program=n;}))
       wrappers);
 
   mkWrapper = { program, source ? null, ...}: ''
-    if ! source=${if source != null || source != "" then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then
-        # If we can't find the program, fall back to the
-        # system profile.
-        source=/nix/var/nix/profiles/default/bin/${program}
-    fi
-
     parentWrapperDir=$(dirname ${wrapperDir})
-
-    gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
+    gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
         -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
         -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
   '';
@@ -96,19 +87,6 @@ in
   ###### interface
 
   options = {
-    security.setuidPrograms = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      default = [];
-      example = ["passwd"];
-      description = ''
-        The Nix store cannot contain setuid/setgid programs directly.
-        For this reason, NixOS can automatically generate wrapper
-        programs that have the necessary privileges.  This option
-        lists the names of programs in the system environment for
-        which setuid root wrappers should be created.
-      '';
-    };
-
     security.wrappers = lib.mkOption {
       type = lib.types.attrs;
       default = {};

nixos/modules/services/mail/exim.nix

@@ -89,7 +89,7 @@ in
       gid = config.ids.gids.exim;
     };
 
-    security.setuidPrograms = [ "exim" ];
+    security.wrappers.exim.source = "${exim}/bin/exim";
 
     systemd.services.exim = {
       description = "Exim Mail Daemon";

nixos/modules/services/networking/smokeping.nix

@@ -273,7 +273,10 @@ in
         message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";
       }
     ];
-    security.setuidPrograms = [ "fping" "fping6" ];
+    security.wrappers = {
+      fping.source = "${pkgs.fping}/bin/fping";
+      "fping6".source = "${pkgs.fping}/bin/fping6";
+    };
     environment.systemPackages = [ pkgs.fping ];
     users.extraUsers = singleton {
       name = cfg.user;

nixos/modules/services/scheduling/cron.nix

@@ -93,7 +93,7 @@ in
 
     { services.cron.enable = mkDefault (allFiles != []); }
     (mkIf (config.services.cron.enable) {
-      security.setuidPrograms = [ "crontab" ];
+      security.wrappers.crontab.source = "${pkgs.cronNixosPkg.out}/bin/crontab";
       environment.systemPackages = [ cronNixosPkg ];
       environment.etc.crontab =
         { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }

nixos/modules/services/scheduling/fcron.nix

@@ -106,7 +106,7 @@ in
 
     environment.systemPackages = [ pkgs.fcron ];
 
-    security.setuidPrograms = [ "fcrontab" ];
+    security.wrappers.fcrontab.source = "${pkgs.fcron.out}/bin/fcrontab";
     systemd.services.fcron = {
       description = "fcron daemon";
       after = [ "local-fs.target" ];

nixos/modules/services/x11/desktop-managers/enlightenment.nix

@@ -62,7 +62,8 @@ in
       '';
     }];
 
-    security.setuidPrograms = [ "e_freqset" ];
+    security.wrappers.e_freqset.source = "${e.enlightenment.out}/bin/e_freqset";
+    
     environment.etc = singleton
       { source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
         target = "X11/xkb";

nixos/modules/tasks/network-interfaces.nix

@@ -912,9 +912,10 @@ in
 
     # If the linux kernel IS older than 4.3, create setuid wrappers
     # for ping and ping6
-    security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") [
-      "ping" "ping6"
-    ];
+    security.wrappers = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") {
+      ping.source = "${pkgs.iputils.out}/bin/ping";
+      "ping6".source = "${pkgs.iputils.out}/bin/ping6";
+    };
 
     # Set the host and domain names in the activation script.  Don't
     # clear it if it's not configured in the NixOS configuration,