pyrox.dev / nixpkgs
lol
fork atom

nixos: make setgid wrappers root-owned

rnhmjoj 31790c81 378d2c5d

options
unified split
Changed files
+8 -8
nixos
modules
programs
ccache.nix
mosh.nix
services
mail
opensmtpd.nix
postfix.nix
x11
desktop-managers
cde.nix
+1 -1
nixos/modules/programs/ccache.nix 
···

       
28

       
28

       
 

       



     

       
29

       
29

       
 

       
      # "nix-ccache --show-stats" and "nix-ccache --clear"


     

       
30

       
30

       
 

       
      security.wrappers.nix-ccache = {


     

       
31

       

       
-

       
        owner = "nobody";


     

       

       
31

       
+

       
        owner = "root";


     

       
32

       
32

       
 

       
        group = "nixbld";


     

       
33

       
33

       
 

       
        setuid = false;


     

       
34

       
34

       
 

       
        setgid = true;
+1 -1
nixos/modules/programs/mosh.nix 
···

       
33

       
33

       
 

       
    security.wrappers = mkIf cfg.withUtempter {


     

       
34

       
34

       
 

       
      utempter = {


     

       
35

       
35

       
 

       
        source = "${pkgs.libutempter}/lib/utempter/utempter";


     

       
36

       

       
-

       
        owner = "nobody";


     

       

       
36

       
+

       
        owner = "root";


     

       
37

       
37

       
 

       
        group = "utmp";


     

       
38

       
38

       
 

       
        setuid = false;


     

       
39

       
39

       
 

       
        setgid = true;
+1 -1
nixos/modules/services/mail/opensmtpd.nix 
···

       
103

       
103

       
 

       
    };


     

       
104

       
104

       
 

       



     

       
105

       
105

       
 

       
    security.wrappers.smtpctl = {


     

       
106

       

       
-

       
      owner = "nobody";


     

       

       
106

       
+

       
      owner = "root";


     

       
107

       
107

       
 

       
      group = "smtpq";


     

       
108

       
108

       
 

       
      setuid = false;


     

       
109

       
109

       
 

       
      setgid = true;
+4 -4
nixos/modules/services/mail/postfix.nix 
···

       
673

       
673

       
 

       
      services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {


     

       
674

       
674

       
 

       
        program = "sendmail";


     

       
675

       
675

       
 

       
        source = "${pkgs.postfix}/bin/sendmail";


     

       
676

       

       
-

       
        owner = "nobody";


     

       

       
676

       
+

       
        owner = "root";


     

       
677

       
677

       
 

       
        group = setgidGroup;


     

       
678

       
678

       
 

       
        setuid = false;


     

       
679

       
679

       
 

       
        setgid = true;


     
···

       
682

       
682

       
 

       
      security.wrappers.mailq = {


     

       
683

       
683

       
 

       
        program = "mailq";


     

       
684

       
684

       
 

       
        source = "${pkgs.postfix}/bin/mailq";


     

       
685

       

       
-

       
        owner = "nobody";


     

       

       
685

       
+

       
        owner = "root";


     

       
686

       
686

       
 

       
        group = setgidGroup;


     

       
687

       
687

       
 

       
        setuid = false;


     

       
688

       
688

       
 

       
        setgid = true;


     
···

       
691

       
691

       
 

       
      security.wrappers.postqueue = {


     

       
692

       
692

       
 

       
        program = "postqueue";


     

       
693

       
693

       
 

       
        source = "${pkgs.postfix}/bin/postqueue";


     

       
694

       

       
-

       
        owner = "nobody";


     

       

       
694

       
+

       
        owner = "root";


     

       
695

       
695

       
 

       
        group = setgidGroup;


     

       
696

       
696

       
 

       
        setuid = false;


     

       
697

       
697

       
 

       
        setgid = true;


     
···

       
700

       
700

       
 

       
      security.wrappers.postdrop = {


     

       
701

       
701

       
 

       
        program = "postdrop";


     

       
702

       
702

       
 

       
        source = "${pkgs.postfix}/bin/postdrop";


     

       
703

       

       
-

       
        owner = "nobody";


     

       

       
703

       
+

       
        owner = "root";


     

       
704

       
704

       
 

       
        group = setgidGroup;


     

       
705

       
705

       
 

       
        setuid = false;


     

       
706

       
706

       
 

       
        setgid = true;
+1 -1
nixos/modules/services/x11/desktop-managers/cde.nix 
···

       
50

       
50

       
 

       
    security.wrappers = {


     

       
51

       
51

       
 

       
      dtmail = {


     

       
52

       
52

       
 

       
        setgid = true;


     

       
53

       

       
-

       
        owner = "nobody";


     

       

       
53

       
+

       
        owner = "root";


     

       
54

       
54

       
 

       
        group = "mail";


     

       
55

       
55

       
 

       
        source = "${pkgs.cdesktopenv}/bin/dtmail";


     

       
56

       
56

       
 

       
      };