From 628e6a83d0f3b7ddc0592c88fef7978a7ee0063e Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Sun, 29 Jan 2017 05:33:56 -0600 Subject: [PATCH] More derp --- .../security/chromium-suid-sandbox.nix | 2 +- nixos/modules/security/duosec.nix | 2 +- nixos/modules/security/pam.nix | 15 ++++++++---- nixos/modules/security/pam_usb.nix | 5 +++- nixos/modules/security/polkit.nix | 6 +++-- nixos/modules/security/sudo.nix | 5 +++- nixos/modules/security/wrappers/default.nix | 24 +------------------ nixos/modules/services/mail/exim.nix | 2 +- .../modules/services/networking/smokeping.nix | 5 +++- nixos/modules/services/scheduling/cron.nix | 2 +- nixos/modules/services/scheduling/fcron.nix | 2 +- .../x11/desktop-managers/enlightenment.nix | 3 ++- nixos/modules/tasks/network-interfaces.nix | 7 +++--- 13 files changed, 38 insertions(+), 42 deletions(-) diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix index 0699fbb728a7..0458ffb6c46c 100644 --- a/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixos/modules/security/chromium-suid-sandbox.nix @@ -27,6 +27,6 @@ in config = mkIf cfg.enable { environment.systemPackages = [ sandbox ]; - security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ]; + security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; }; } diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index ee62c34438e5..9ca818e86ffa 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -188,7 +188,7 @@ in environment.systemPackages = [ pkgs.duo-unix ]; - security.setuidPrograms = [ "login_duo" ]; + security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; environment.etc = loginCfgFile ++ pamCfgFile; /* If PAM *and* SSH are enabled, then don't do anything special. diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 3c944acf6cfa..86143dd2ee59 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -472,13 +472,18 @@ in ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ] ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ]; - security.setuidPrograms = + security.wrapperssetuidPrograms = optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ]; - security.wrappers.unix_chkpwd = { - source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; - owner = "root"; - setuid = true; + security.wrappers = { + unix_chkpwd = { + source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; + owner = "root"; + setuid = true; + }; + } // (mkIf config.security.pam.enableEcryptfs { + "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; + "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; }; environment.etc = diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix index 032f8e38d111..6f811dab8d76 100644 --- a/nixos/modules/security/pam_usb.nix +++ b/nixos/modules/security/pam_usb.nix @@ -33,7 +33,10 @@ in config = mkIf (cfg.enable || anyUsbAuth) { # Make sure pmount and pumount are setuid wrapped. - security.setuidPrograms = [ "pmount" "pumount" ]; + security.wrappers = { + pmount.source = "${pkgs.pmount.out}/bin/pmount"; + pumount.source = "${pkgs.pmount.out}/bin/pumount"; + }; environment.systemPackages = [ pkgs.pmount ]; diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index 547b40cedfd9..419abb8b086d 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -83,8 +83,10 @@ in security.pam.services.polkit-1 = {}; - security.setuidPrograms = [ "pkexec" ]; - security.wrappers."polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; + security.wrappers = { + pkexec.source = "${pkgs.polkit.out}/bin/pkexec"; + "polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; + }; system.activationScripts.polkit = '' diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index f5612e1b0c5d..67a9b9a45ee3 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -81,7 +81,10 @@ in ${cfg.extraConfig} ''; - security.setuidPrograms = [ "sudo" "sudoedit" ]; + security.wrappers = { + sudo.source = "${pkgs.sudo.out}/bin/sudo"; + sudoedit.source = "${pkgs.sudo.out}/bin/sudoedit"; + }; environment.systemPackages = [ sudo ]; diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 8e20d773125f..9909c6406471 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -4,22 +4,13 @@ let inherit (config.security) wrapperDir wrappers setuidPrograms; programs = - (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) setuidPrograms) - ++ (lib.mapAttrsToList (n: v: (if v ? "program" then v else v // {program=n;})) wrappers); mkWrapper = { program, source ? null, ...}: '' - if ! source=${if source != null || source != "" then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then - # If we can't find the program, fall back to the - # system profile. - source=/nix/var/nix/profiles/default/bin/${program} - fi - parentWrapperDir=$(dirname ${wrapperDir}) - - gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ + gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include ''; @@ -96,19 +87,6 @@ in ###### interface options = { - security.setuidPrograms = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - example = ["passwd"]; - description = '' - The Nix store cannot contain setuid/setgid programs directly. - For this reason, NixOS can automatically generate wrapper - programs that have the necessary privileges. This option - lists the names of programs in the system environment for - which setuid root wrappers should be created. - ''; - }; - security.wrappers = lib.mkOption { type = lib.types.attrs; default = {}; diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index b05344fa9b56..440eae281f40 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -89,7 +89,7 @@ in gid = config.ids.gids.exim; }; - security.setuidPrograms = [ "exim" ]; + security.wrappers.exim.source = "${exim}/bin/exim"; systemd.services.exim = { description = "Exim Mail Daemon"; diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index eedc27593375..bac794745277 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix @@ -273,7 +273,10 @@ in message = "services.smokeping: sendmail and Mailhost cannot both be enabled."; } ]; - security.setuidPrograms = [ "fping" "fping6" ]; + security.wrappers = { + fping.source = "${pkgs.fping}/bin/fping"; + "fping6".source = "${pkgs.fping}/bin/fping6"; + }; environment.systemPackages = [ pkgs.fping ]; users.extraUsers = singleton { name = cfg.user; diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index 48c5f6be3168..cc6eb96bf5da 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -93,7 +93,7 @@ in { services.cron.enable = mkDefault (allFiles != []); } (mkIf (config.services.cron.enable) { - security.setuidPrograms = [ "crontab" ]; + security.wrappers.crontab.source = "${pkgs.cronNixosPkg.out}/bin/crontab"; environment.systemPackages = [ cronNixosPkg ]; environment.etc.crontab = { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; } diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index 339b0de66e98..e4ada2768715 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -106,7 +106,7 @@ in environment.systemPackages = [ pkgs.fcron ]; - security.setuidPrograms = [ "fcrontab" ]; + security.wrappers.fcrontab.source = "${pkgs.fcron.out}/bin/fcrontab"; systemd.services.fcron = { description = "fcron daemon"; after = [ "local-fs.target" ]; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index feee6ba87ec8..77050bcb23f1 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -62,7 +62,8 @@ in ''; }]; - security.setuidPrograms = [ "e_freqset" ]; + security.wrappers.e_freqset.source = "${e.enlightenment.out}/bin/e_freqset"; + environment.etc = singleton { source = "${pkgs.xkeyboard_config}/etc/X11/xkb"; target = "X11/xkb"; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 1afcddd915f7..a01bf21af51a 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -912,9 +912,10 @@ in # If the linux kernel IS older than 4.3, create setuid wrappers # for ping and ping6 - security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") [ - "ping" "ping6" - ]; + security.wrappers = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") { + ping.source = "${pkgs.iputils.out}/bin/ping"; + "ping6".source = "${pkgs.iputils.out}/bin/ping6"; + }; # Set the host and domain names in the activation script. Don't # clear it if it's not configured in the NixOS configuration,