Convert "nixos security options"

svn path=/nixos/branches/fix-style/; revision=14363
2009-03-06 12:25:46 +00:00 · 2009-03-06 12:25:46 +00:00 · f889d6215e
commit f889d6215e
parent b5a7c767c5
2 changed files with 52 additions and 38 deletions
--- a/system/nixos-security.nix
+++ b/system/nixos-security.nix
@ -0,0 +1,49 @@
+{pkgs, config, ...}:
+let
+  inherit (pkgs.lib) mergeOneOption mkOption mkIf;
+in
+{
+  require = [
+    {
+      security = {
+        setuidPrograms = mkOption {
+          default = [
+            "passwd" "su" "crontab" "ping" "ping6"
+            "fusermount" "wodim" "cdrdao" "growisofs"
+          ];
+          description = "
+            Only the programs from system path listed her will be made setuid root
+            (through a wrapper program).  It's better to set
+            <option>security.extraSetuidPrograms</option>.
+          ";
+        };
+
+        extraSetuidPrograms = mkOption {
+          default = [];
+          example = ["fusermount"];
+          description = "
+            This option lists additional programs that must be made setuid
+            root.
+          ";
+        };
+
+        setuidOwners = mkOption {
+          default = [];
+          example = [{
+            program = "sendmail";
+            owner = "nodody";
+            group = "postdrop";
+            setuid = false;
+            setgid = true;
+          }];
+          description = ''
+            List of non-trivial setuid programs from system path, like Postfix sendmail. Default 
+            should probably be nobody:nogroup:false:false - if you are bothering
+            doing anything with a setuid program, "root.root u+s g-s" is not what
+            you are aiming at..
+          '';
+        };
+      };
+    }
+  ];
+}
--- a/system/options.nix
+++ b/system/options.nix
@ -1980,44 +1980,6 @@ in

  security = {

-    setuidPrograms = mkOption {
-      default = [
-        "passwd" "su" "crontab" "ping" "ping6"
-        "fusermount" "wodim" "cdrdao" "growisofs"
-      ];
-      description = "
-        Only the programs from system path listed her will be made setuid root
-        (through a wrapper program).  It's better to set
-        <option>security.extraSetuidPrograms</option>.
-      ";
-    };
-
-    extraSetuidPrograms = mkOption {
-      default = [];
-      example = ["fusermount"];
-      description = "
-        This option lists additional programs that must be made setuid
-        root.
-      ";
-    };
-
-    setuidOwners = mkOption {
-      default = [];
-      example = [{
-        program = "sendmail";
-        owner = "nodody";
-        group = "postdrop";
-        setuid = false;
-        setgid = true;
-      }];
-      description = ''
-        List of non-trivial setuid programs from system path, like Postfix sendmail. Default 
-        should probably be nobody:nogroup:false:false - if you are bothering
-        doing anything with a setuid program, "root.root u+s g-s" is not what
-        you are aiming at..
-      '';
-    };
-
    seccureKeys = {
      public = mkOption {
        default = /var/elliptic-keys/public;
@ -2098,6 +2060,9 @@ in
    # hardware
    (import ../upstart-jobs/pcmcia.nix)

+    # security
+    (import ../system/nixos-security.nix)
+
    # services
    (import ../upstart-jobs/avahi-daemon.nix)
    (import ../upstart-jobs/atd.nix)