commit 4aa0923009dac4d2307b5fe018b944180bfad6a2 · pyrox.dev/nixpkgs

+2 -2

nixos/modules/installer/tools/nixos-install.sh

···

       259
       259
        
       

     

       260
       260
        
       

     

       261
       261
        
       # Ask the user to set a root password.

     

       262
       262
       -
       if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/passwd ] && [ -t 0 ]; then

     

       262
       262
       +
       if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/bin/passwd ] && [ -t 0 ]; then

     

       263
       263
        
           echo "setting root password..."

     

       264
       264
       -
           chroot $mountPoint /run/wrappers/passwd

     

       264
       264
       +
           chroot $mountPoint /run/wrappers/bin/passwd

     

       265
       265
        
       fi

     

       266
       266
        
       

     

       267
       267

+1 -2

nixos/modules/security/apparmor-suid.nix

···

       19
       19
        
         config = mkIf (cfg.confineSUIDApplications) {

     

       20
       20
        
           security.apparmor.profiles = [ (pkgs.writeText "ping" ''

     

       21
       21
        
             #include <tunables/global>

     

       22
       22
       -
             /run/wrappers/ping {

     

       22
       22
       +
             /run/wrappers/bin/ping {

     

       23
       23
        
               #include <abstractions/base>

     

       24
       24
        
               #include <abstractions/consoles>

     

       25
       25
        
               #include <abstractions/nameservice>

     
···

       33
       33
        
               ${pkgs.attr.out}/lib/libattr.so* mr,

     

       34
       34
        
       

     

       35
       35
        
               ${pkgs.iputils}/bin/ping mixr,

     

       36
       36
       -
               /run/wrappers/ping.real r,

     

       37
       36
        
       

     

       38
       37
        
               #/etc/modules.conf r,

     

       39
       38

+30 -3

nixos/modules/security/wrappers/default.nix

···

       17
       17
        
               source=/nix/var/nix/profiles/default/bin/${program}

     

       18
       18
        
           fi

     

       19
       19
        
       

     

       20
       20
       -
           gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.wrapperDir}\" \

     

       20
       20
       +
           parentWrapperDir=$(dirname ${wrapperDir})

     

       21
       21
       +
       

     

       22
       22
       +
           gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"$parentWrapperDir\" \

     

       21
       23
        
               -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \

     

       22
       24
        
               -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include

     

       23
       25
        
         '';

     
···

       155
       157
        
       

     

       156
       158
        
           security.wrapperDir = lib.mkOption {

     

       157
       159
        
             type        = lib.types.path;

     

       158
       158
       -
             default     = "/run/wrappers";

     

       160
       160
       +
             default     = "/run/wrappers/bin";

     

       159
       161
        
             internal    = true;

     

       160
       162
        
             description = ''

     

       161
       163
        
               This option defines the path to the wrapper programs. It

     
···

       181
       183
        
                 # programs to be wrapped.

     

       182
       184
        
                 WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin

     

       183
       185
        
       

     

       186
       186
       +
                 if [ -d ${config.security.old-wrapperDir} ]; then

     

       187
       187
       +
                   rm -rf ${config.security.old-wrapperDir}

     

       188
       188
       +
                 fi

     

       189
       189
       +
       

     

       190
       190
       +
                 parentWrapperDir="$(dirname ${wrapperDir})"

     

       191
       191
       +
       

     

       184
       192
        
                 mkdir -p ${wrapperDir}

     

       185
       185
       -
                 wrapperDir=$(mktemp --directory --tmpdir=${wrapperDir} wrappers.XXXXXXXXXX)

     

       193
       193
       +
                 wrapperDir=$(mktemp --directory --tmpdir="$parentWrapperDir" wrappers.XXXXXXXXXX)

     

       186
       194
        
                 chmod a+rx $wrapperDir

     

       187
       195
        
       

     

       188
       196
        
                 ${lib.concatStringsSep "\n" mkWrappedPrograms}

     

       197
       197
       +
       

     

       198
       198
       +
                 if [ -L ${wrapperDir} ]; then

     

       199
       199
       +
                   # Atomically replace the symlink

     

       200
       200
       +
                   # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/

     

       201
       201
       +
                   old=$(readlink ${wrapperDir})

     

       202
       202
       +
                   ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp

     

       203
       203
       +
                   mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}

     

       204
       204
       +
                   rm --force --recursive $old

     

       205
       205
       +
                 elif [ -d ${wrapperDir} ]; then

     

       206
       206
       +
                   # Compatibility with old state, just remove the folder and symlink

     

       207
       207
       +
                   rm -f ${wrapperDir}/*

     

       208
       208
       +
                   # if it happens to be a tmpfs

     

       209
       209
       +
                   ${pkgs.utillinux}/bin/umount ${wrapperDir} || true

     

       210
       210
       +
                   rm -d ${wrapperDir}

     

       211
       211
       +
                   ln -d --symbolic $wrapperDir ${wrapperDir}

     

       212
       212
       +
                 else

     

       213
       213
       +
                   # For initial setup

     

       214
       214
       +
                   ln --symbolic $wrapperDir ${wrapperDir}

     

       215
       215
       +
                 fi

     

       189
       216
        
               '';

     

       190
       217
        
         };

     

       191
       218
        
       }

+2 -2

nixos/modules/services/logging/logcheck.nix

···

       29
       29
        
           };

     

       30
       30
        
       

     

       31
       31
        
         cronJob = ''

     

       32
       32
       -
           @reboot   logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}

     

       33
       33
       -
           2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}

     

       32
       32
       +
           @reboot   logcheck env PATH=/run/wrappers/bin:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}

     

       33
       33
       +
           2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers/bin:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}

     

       34
       34
        
         '';

     

       35
       35
        
       

     

       36
       36
        
         writeIgnoreRule = name: {level, regex, ...}:

+1 -1

nixos/modules/services/mail/dovecot.nix

···

       13
       13
        
           ''

     

       14
       14
        
             base_dir = ${baseDir}

     

       15
       15
        
             protocols = ${concatStringsSep " " cfg.protocols}

     

       16
       16
       -
             sendmail_path = /run/wrappers/sendmail

     

       16
       16
       +
             sendmail_path = /run/wrappers/bin/sendmail

     

       17
       17
        
           ''

     

       18
       18
        
       

     

       19
       19
        
           (if isNull cfg.sslServerCert then ''

+1 -1

nixos/modules/services/mail/exim.nix

···

       70
       70
        
             etc."exim.conf".text = ''

     

       71
       71
        
               exim_user = ${cfg.user}

     

       72
       72
        
               exim_group = ${cfg.group}

     

       73
       73
       -
               exim_path = /run/wrappers/exim

     

       73
       73
       +
               exim_path = /run/wrappers/bin/exim

     

       74
       74
        
               spool_directory = ${cfg.spoolDir}

     

       75
       75
        
               ${cfg.config}

     

       76
       76
        
             '';

+2 -2

nixos/modules/services/monitoring/munin.nix

···

       34
       34
        
               cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file)

     

       35
       35
        
       

     

       36
       36
        
               wrapProgram $file \

     

       37
       37
       -
                 --set PATH "/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \

     

       37
       37
       +
                 --set PATH "/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/bin" \

     

       38
       38
        
                 --set MUNIN_LIBDIR "${pkgs.munin}/lib" \

     

       39
       39
        
                 --set MUNIN_PLUGSTATE "/var/run/munin"

     

       40
       40
        
       

     
···

       183
       183
        
       

     

       184
       184
        
               mkdir -p /etc/munin/plugins

     

       185
       185
        
               rm -rf /etc/munin/plugins/*

     

       186
       186
       -
               PATH="/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash

     

       186
       186
       +
               PATH="/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash

     

       187
       187
        
             '';

     

       188
       188
        
             serviceConfig = {

     

       189
       189
        
               ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";

+1 -1

nixos/modules/services/monitoring/smartd.nix

···

       124
       124
        
                 };

     

       125
       125
        
       

     

       126
       126
        
                 mailer = mkOption {

     

       127
       127
       -
                   default = "/run/wrappers/sendmail";

     

       127
       127
       +
                   default = "/run/wrappers/bin/sendmail";

     

       128
       128
        
                   type = types.path;

     

       129
       129
        
                   description = ''

     

       130
       130
        
                     Sendmail-compatible binary to be used to send the messages.

+1 -1

nixos/modules/services/network-filesystems/samba.nix

···

       30
       30
        
           ''

     

       31
       31
        
             [ global ]

     

       32
       32
        
             security = ${cfg.securityType}

     

       33
       33
       -
             passwd program = /run/wrappers/passwd %u

     

       33
       33
       +
             passwd program = /run/wrappers/bin/passwd %u

     

       34
       34
        
             pam password change = ${smbToString cfg.syncPasswordsByPam}

     

       35
       35
        
             invalid users = ${smbToString cfg.invalidUsers}

     

       36
       36

+1 -1

nixos/modules/services/networking/prayer.nix

···

       18
       18
        
           var_prefix = "${stateDir}"

     

       19
       19
        
           prayer_user = "${prayerUser}"

     

       20
       20
        
           prayer_group = "${prayerGroup}"

     

       21
       21
       -
           sendmail_path = "/run/wrappers/sendmail"

     

       21
       21
       +
           sendmail_path = "/run/wrappers/bin/sendmail"

     

       22
       22
        
       

     

       23
       23
        
           use_http_port ${cfg.port}

     

       24
       24

+1 -1

nixos/modules/services/networking/smokeping.nix

···

       226
       226
        
             sendmail = mkOption {

     

       227
       227
        
               type = types.nullOr types.path;

     

       228
       228
        
               default = null;

     

       229
       229
       -
               example = "/run/wrappers/sendmail";

     

       229
       229
       +
               example = "/run/wrappers/bin/sendmail";

     

       230
       230
        
               description = "Use this sendmail compatible script to deliver alerts";

     

       231
       231
        
             };

     

       232
       232
        
             smokeMailTemplate = mkOption {

+2 -2

nixos/modules/services/scheduling/atd.nix

···

       42
       42
        
       

     

       43
       43
        
         config = mkIf cfg.enable {

     

       44
       44
        
       

     

       45
       45
       -
           security.wrappers.setuid = map (program: "${program}" = {

     

       45
       45
       +
           security.wrappers = map (program: {"${program}" = {

     

       46
       46
        
             source = "${pkgs.atd}/bin/${program}";

     

       47
       47
        
             owner = "atd";

     

       48
       48
        
             group = "atd";

     

       49
       49
        
             setuid = true;

     

       50
       50
        
             setgid = true;

     

       51
       51
       -
           }) [ "at" "atq" "atrm" "batch" ];

     

       51
       51
       +
           };}) [ "at" "atq" "atrm" "batch" ];

     

       52
       52
        
       

     

       53
       53
        
           environment.systemPackages = [ at ];

     

       54
       54

+1 -1

nixos/modules/services/scheduling/cron.nix

···

       20
       20
        
         cronNixosPkg = pkgs.cron.override {

     

       21
       21
        
           # The mail.nix nixos module, if there is any local mail system enabled,

     

       22
       22
        
           # should have sendmail in this path.

     

       23
       23
       -
           sendmailPath = "/run/wrappers/sendmail";

     

       23
       23
       +
           sendmailPath = "/run/wrappers/bin/sendmail";

     

       24
       24
        
         };

     

       25
       25
        
       

     

       26
       26
        
         allFiles =

+1 -1

nixos/modules/services/scheduling/fcron.nix

···

       96
       96
        
                   fcronallow  =       /etc/fcron.allow

     

       97
       97
        
                   fcrondeny   =       /etc/fcron.deny

     

       98
       98
        
                   shell       =       /bin/sh

     

       99
       99
       -
                   sendmail    =       /run/wrappers/sendmail

     

       99
       99
       +
                   sendmail    =       /run/wrappers/bin/sendmail

     

       100
       100
        
                   editor      =       /run/current-system/sw/bin/vi

     

       101
       101
        
                 '';

     

       102
       102
        
                 target = "fcron.conf";

-5

nixos/modules/system/boot/stage-2-init.sh

···

       131
       131
        
           cat /etc/resolv.conf | resolvconf -m 1000 -a host

     

       132
       132
        
       fi

     

       133
       133
        
       

     

       134
       134
       -
       # Create /run/wrappers as a tmpfs.

     

       135
       135
       -
       rm -rf /run/wrappers

     

       136
       136
       -
       mkdir -m 0755 -p /run/wrappers

     

       137
       137
       -
       mount -t tmpfs -o "mode=0755" tmpfs /run/wrappers

     

       138
       138
       -
       

     

       139
       134
        
       # Log the script output to /dev/kmsg or /run/log/stage-2-init.log.

     

       140
       135
        
       # Only at this point are all the necessary prerequisites ready for these commands.

     

       141
       136
        
       exec {logOutFd}>&1 {logErrFd}>&2

+2 -2

nixos/modules/virtualisation/virtualbox-host.nix

···

       69
       69
        
           environment.systemPackages = [ virtualbox ];

     

       70
       70
        
       

     

       71
       71
        
           security.wrappers = let

     

       72
       72
       -
             mkSuid = program: "${program}" = {

     

       72
       72
       +
             mkSuid = program: {"${program}" = {

     

       73
       73
        
               source = "${virtualbox}/libexec/virtualbox/${program}";

     

       74
       74
        
               owner = "root";

     

       75
       75
        
               group = "vboxusers";

     

       76
       76
        
               setuid = true;

     

       77
       77
       -
             };

     

       77
       77
       +
             };};

     

       78
       78
        
           in mkIf cfg.enableHardening (map mkSuid [

     

       79
       79
        
             "VBoxHeadless"

     

       80
       80
        
             "VBoxNetAdpCtl"

+1 -1

nixos/tests/smokeping.nix

···

       14
       14
        
                 mailHost = "127.0.0.2";

     

       15
       15
        
                 probeConfig = ''

     

       16
       16
        
                   + FPing

     

       17
       17
       -
                   binary = /run/wrappers/fping

     

       17
       17
       +
                   binary = /run/wrappers/bin/fping

     

       18
       18
        
                   offset = 0%

     

       19
       19
        
                 '';

     

       20
       20
        
               };

+1 -1

pkgs/applications/editors/sublime3/default.nix

···

       1
       1
        
       { fetchurl, stdenv, glib, xorg, cairo, gtk2, pango, makeWrapper, openssl, bzip2,

     

       2
       2
       -
         pkexecPath ? "/run/wrappers/pkexec", libredirect,

     

       2
       2
       +
         pkexecPath ? "/run/wrappers/bin/pkexec", libredirect,

     

       3
       3
        
         gksuSupport ? false, gksu}:

     

       4
       4
        
       

     

       5
       5
        
       assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux";

+2 -2

pkgs/applications/networking/browsers/chromium/default.nix

···

       83
       83
        
           ed -v -s "$out/bin/chromium" << EOF

     

       84
       84
        
           2i

     

       85
       85
        
       

     

       86
       86
       -
           if [ -x "/run/wrappers/${sandboxExecutableName}" ]

     

       86
       86
       +
           if [ -x "/run/wrappers/bin/${sandboxExecutableName}" ]

     

       87
       87
        
           then

     

       88
       88
       -
             export CHROME_DEVEL_SANDBOX="/run/wrappers/${sandboxExecutableName}"

     

       88
       88
       +
             export CHROME_DEVEL_SANDBOX="/run/wrappers/bin/${sandboxExecutableName}"

     

       89
       89
        
           else

     

       90
       90
        
             export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}"

     

       91
       91
        
           fi

+1 -1

pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch

···

       26
       26
        
       +	is_nixos=no

     

       27
       27
        
       +fi

     

       28
       28
        
       +

     

       29
       29
       -
       +if [ -u /run/wrappers/gksign ]; then

     

       29
       29
       +
       +if [ -u /run/wrappers/bin/gksign ]; then

     

       30
       30
        
       +	cat <<EOM

     

       31
       31
        
       +

     

       32
       32
        
       +Gale appears to have already been set up via the NixOS module system (check

+1 -1

pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch

···

       11
       11
        
       -  # #   arguments: '-i -t'

     

       12
       12
        
       -  # # }

     

       13
       13
        
       +  config.action_mailer.sendmail_settings = {

     

       14
       14
       -
       +    location: '/run/wrappers/sendmail',

     

       14
       14
       +
       +    location: '/run/wrappers/bin/sendmail',

     

       15
       15
        
       +    arguments: '-i -t'

     

       16
       16
        
       +  }

     

       17
       17
        
          config.action_mailer.perform_deliveries = true

+3 -3

pkgs/applications/virtualization/virtualbox/hardened.patch

···

       96
       96
        
            /* get the path to the executable */

     

       97
       97
        
            char szPath[RTPATH_MAX];

     

       98
       98
        
       -    RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);

     

       99
       99
       -
       +    RTStrCopy(szPath, sizeof(szPath) - 1, "/run/wrappers");

     

       99
       99
       +
       +    RTStrCopy(szPath, sizeof(szPath) - 1, "/run/wrappers/bin");

     

       100
       100
        
            size_t cchBufLeft = strlen(szPath);

     

       101
       101
        
            szPath[cchBufLeft++] = RTPATH_DELIMITER;

     

       102
       102
        
            szPath[cchBufLeft] = 0;

     
···

       154
       154
        
        

     

       155
       155
        
       +RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath)

     

       156
       156
        
       +{

     

       157
       157
       -
       +    return RTStrCopy(pszPath, cchPath, "/run/wrappers");

     

       157
       157
       +
       +    return RTStrCopy(pszPath, cchPath, "/run/wrappers/bin");

     

       158
       158
        
       +}

     

       159
       159
        
       +

     

       160
       160
        
       +

     
···

       174
       174
        
       + * will cut off everything after the rightmost / as this function is analogous

     

       175
       175
        
       + * to RTProcGetExecutablePath().

     

       176
       176
        
       + */

     

       177
       177
       -
       +#define SUIDDIR "/run/wrappers/"

     

       177
       177
       +
       +#define SUIDDIR "/run/wrappers/bin/"

     

       178
       178
        
       +

     

       179
       179
        
       +RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath)

     

       180
       180
        
       +{

+1 -1

pkgs/build-support/build-fhs-userenv/env.nix

···

       51
       51
        
           export PS1='${name}-chrootenv:\u@\h:\w\$ '

     

       52
       52
        
           export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'

     

       53
       53
        
           export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'

     

       54
       54
       -
           export PATH='/run/wrappers:/usr/bin:/usr/sbin'

     

       54
       54
       +
           export PATH='/run/wrappers/bin:/usr/bin:/usr/sbin'

     

       55
       55
        
           export PKG_CONFIG_PATH=/usr/lib/pkgconfig

     

       56
       56
        
       

     

       57
       57
        
           # Force compilers to look in default search paths

+3 -3

pkgs/desktops/enlightenment/enlightenment.nix

···

       42
       42
        
         # this is a hack and without this cpufreq module is not working. does the following:

     

       43
       43
        
         #   1. moves the "freqset" binary to "e_freqset",

     

       44
       44
        
         #   2. linkes "e_freqset" to enlightenment/bin so that,

     

       45
       45
       -
         #   3. wrappers.setuid detects it and places wrappers in /run/wrappers/e_freqset,

     

       46
       46
       -
         #   4. and finally, links /run/wrappers/e_freqset to original destination where enlightenment wants it

     

       45
       45
       +
         #   3. wrappers.setuid detects it and places wrappers in /run/wrappers/bin/e_freqset,

     

       46
       46
       +
         #   4. and finally, links /run/wrappers/bin/e_freqset to original destination where enlightenment wants it

     

       47
       47
        
         postInstall = ''

     

       48
       48
        
           export CPUFREQ_DIRPATH=`readlink -f $out/lib/enlightenment/modules/cpufreq/linux-gnu-*`;

     

       49
       49
        
           mv $CPUFREQ_DIRPATH/freqset $CPUFREQ_DIRPATH/e_freqset

     

       50
       50
        
           ln -sv $CPUFREQ_DIRPATH/e_freqset $out/bin/e_freqset

     

       51
       51
       -
           ln -sv /run/wrappers/e_freqset $CPUFREQ_DIRPATH/freqset

     

       51
       51
       +
           ln -sv /run/wrappers/bin/e_freqset $CPUFREQ_DIRPATH/freqset

     

       52
       52
        
         '';

     

       53
       53
        
       

     

       54
       54
        
         meta = with stdenv.lib; {

+1 -1

pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch

···

       7
       7
        
        #include <unistd.h>

     

       8
       8
        
        

     

       9
       9
        
       -#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit"

     

       10
       10
       -
       +#define EXECUTE "/run/wrappers/start_kdeinit"

     

       10
       10
       +
       +#define EXECUTE "/run/wrappers/bin/start_kdeinit"

     

       11
       11
        
        

     

       12
       12
        
        #if KDEINIT_OOM_PROTECT

     

       13
       13

+2 -2

pkgs/development/libraries/libgksu/default.nix

···

       57
       57
        
       

     

       58
       58
        
           # Fix some binary paths

     

       59
       59
        
           sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c

     

       60
       60
       -
           sed -i -e 's|/usr/bin/sudo|/run/wrappers/sudo|g' libgksu/libgksu.c

     

       61
       61
       -
           sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/su\1|g' libgksu/libgksu.c

     

       60
       60
       +
           sed -i -e 's|/usr/bin/sudo|/run/wrappers/bin/sudo|g' libgksu/libgksu.c

     

       61
       61
       +
           sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/bin/su\1|g' libgksu/libgksu.c

     

       62
       62
        
       

     

       63
       63
        
           touch NEWS README

     

       64
       64
        
         '';

+1 -1

pkgs/development/libraries/polkit/default.nix

···

       5
       5
        
       let

     

       6
       6
        
       

     

       7
       7
        
         system = "/var/run/current-system/sw";

     

       8
       8
       -
         setuid = "/run/wrappers"; #TODO: from <nixos> config.security.wrapperDir;

     

       8
       8
       +
         setuid = "/run/wrappers/bin"; #TODO: from <nixos> config.security.wrapperDir;

     

       9
       9
        
       

     

       10
       10
        
         foolVars = {

     

       11
       11
        
           SYSCONF = "/etc";

+1 -1

pkgs/development/tools/unity3d/default.nix

···

       94
       94
        
           unitydir="$out/opt/Unity/Editor"

     

       95
       95
        
           mkdir -p $unitydir

     

       96
       96
        
           mv Editor/* $unitydir

     

       97
       97
       -
           ln -sf /run/wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox

     

       97
       97
       +
           ln -sf /run/wrappers/bin/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox

     

       98
       98
        
       

     

       99
       99
        
           mkdir -p $out/share/applications

     

       100
       100
        
           sed "/^Exec=/c\Exec=$out/bin/unity-editor" \

+1 -1

pkgs/os-specific/linux/fuse/default.nix

···

       23
       23
        
             # Ensure that FUSE calls the setuid wrapper, not

     

       24
       24
        
             # $out/bin/fusermount. It falls back to calling fusermount in

     

       25
       25
        
             # $PATH, so it should also work on non-NixOS systems.

     

       26
       26
       -
             export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers\""

     

       26
       26
       +
             export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers/bin\""

     

       27
       27
        
       

     

       28
       28
        
             sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c

     

       29
       29
        
             sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh

+1 -1

pkgs/os-specific/linux/mdadm/4.nix

···

       31
       31
        
         preConfigure = ''

     

       32
       32
        
           sed -e 's@/lib/udev@''${out}/lib/udev@' \

     

       33
       33
        
               -e 's@ -Werror @ @' \

     

       34
       34
       -
               -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile

     

       34
       34
       +
               -e 's@/usr/sbin/sendmail@/run/wrappers/bin/sendmail@' -i Makefile

     

       35
       35
        
         '';

     

       36
       36
        
       

     

       37
       37
        
         meta = {

+1 -1

pkgs/os-specific/linux/mdadm/default.nix

···

       31
       31
        
         preConfigure = ''

     

       32
       32
        
           sed -e 's@/lib/udev@''${out}/lib/udev@' \

     

       33
       33
        
               -e 's@ -Werror @ @' \

     

       34
       34
       -
               -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile

     

       34
       34
       +
               -e 's@/usr/sbin/sendmail@/run/wrappers/bin/sendmail@' -i Makefile

     

       35
       35
        
         '';

     

       36
       36
        
       

     

       37
       37
        
         meta = {

+1 -1

pkgs/os-specific/linux/pam/default.nix

···

       34
       34
        
       

     

       35
       35
        
         postInstall = ''

     

       36
       36
        
           mv -v $out/sbin/unix_chkpwd{,.orig}

     

       37
       37
       -
           ln -sv /run/wrappers/unix_chkpwd $out/sbin/unix_chkpwd

     

       37
       37
       +
           ln -sv /run/wrappers/bin/unix_chkpwd $out/sbin/unix_chkpwd

     

       38
       38
        
         ''; /*

     

       39
       39
        
           rm -rf $out/etc

     

       40
       40
        
           mkdir -p $modules/lib

+1 -1

pkgs/os-specific/linux/util-linux/default.nix

···

       36
       36
        
           --enable-last

     

       37
       37
        
           --enable-mesg

     

       38
       38
        
           --disable-use-tty-group

     

       39
       39
       -
           --enable-fs-paths-default=/run/wrappers:/var/run/current-system/sw/bin:/sbin

     

       39
       39
       +
           --enable-fs-paths-default=/run/wrappers/bin:/var/run/current-system/sw/bin:/sbin

     

       40
       40
        
           ${if ncurses == null then "--without-ncurses" else ""}

     

       41
       41
        
           ${if systemd == null then "" else ''

     

       42
       42
        
             --with-systemd

+1 -1

pkgs/servers/interlock/default.nix

···

       30
       30
        
             -e 's|/bin/chown|${coreutils}/bin/chown|' \

     

       31
       31
        
             -e 's|/bin/date|${coreutils}/bin/date|' \

     

       32
       32
        
             -e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \

     

       33
       33
       -
             -e 's|/usr/bin/sudo|/run/wrappers/sudo|' \

     

       33
       33
       +
             -e 's|/usr/bin/sudo|/run/wrappers/bin/sudo|' \

     

       34
       34
        
             -e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|'

     

       35
       35
        
         '';

     

       36
       36
        
       }

+1 -1

pkgs/servers/mail/petidomo/default.nix

···

       1
       1
       -
       { stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/sendmail" }:

     

       1
       1
       +
       { stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/bin/sendmail" }:

     

       2
       2
        
       

     

       3
       3
        
       stdenv.mkDerivation rec {

     

       4
       4
        
         name = "petidomo-4.3";

+2 -2

pkgs/servers/monitoring/nagios/plugins/official-2.x.nix

···

       16
       16
        
         # configured on the build machine).

     

       17
       17
        
         preConfigure= "

     

       18
       18
        
           configureFlagsArray=(

     

       19
       19
       -
             --with-ping-command='/run/wrappers/ping -n -U -w %d -c %d %s'

     

       20
       20
       -
             --with-ping6-command='/run/wrappers/ping6 -n -U -w %d -c %d %s'

     

       19
       19
       +
             --with-ping-command='/run/wrappers/bin/ping -n -U -w %d -c %d %s'

     

       20
       20
       +
             --with-ping6-command='/run/wrappers/bin/ping6 -n -U -w %d -c %d %s'

     

       21
       21
        
           )

     

       22
       22
        
         ";

     

       23
       23

+2 -2

pkgs/tools/X11/x11vnc/default.nix

···

       20
       20
        
           configureFlags="--mandir=$out/share/man"

     

       21
       21
        
       

     

       22
       22
        
           substituteInPlace x11vnc/unixpw.c \

     

       23
       23
       -
               --replace '"/bin/su"' '"/run/wrappers/su"' \

     

       23
       23
       +
               --replace '"/bin/su"' '"/run/wrappers/bin/su"' \

     

       24
       24
        
               --replace '"/bin/true"' '"${coreutils}/bin/true"'

     

       25
       25
        
       

     

       26
       26
       -
           sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/su|g' x11vnc/ssltools.h

     

       26
       26
       +
           sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/bin/su|g' x11vnc/ssltools.h

     

       27
       27
        
         '';

     

       28
       28
        
       

     

       29
       29
        
         meta = {

+1 -1

pkgs/tools/admin/certbot/default.nix

···

       31
       31
        
         buildInputs = [ dialog ] ++ (with python2Packages; [ nose mock gnureadline ]);

     

       32
       32
        
       

     

       33
       33
        
         patchPhase = ''

     

       34
       34
       -
           substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/sendmail"

     

       34
       34
       +
           substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/bin/sendmail"

     

       35
       35
        
           substituteInPlace certbot/util.py --replace "sw_vers" "/usr/bin/sw_vers"

     

       36
       36
        
         '';

     

       37
       37

+1 -1

pkgs/tools/misc/debian-devscripts/default.nix

···

       2
       2
        
       , FileDesktopEntry, libxslt, docbook_xsl, makeWrapper

     

       3
       3
        
       , python3Packages

     

       4
       4
        
       , perlPackages, curl, gnupg, diffutils

     

       5
       5
       -
       , sendmailPath ? "/run/wrappers/sendmail"

     

       5
       5
       +
       , sendmailPath ? "/run/wrappers/bin/sendmail"

     

       6
       6
        
       }:

     

       7
       7
        
       

     

       8
       8
        
       let

+1 -1

pkgs/tools/security/ecryptfs/default.nix

···

       11
       11
        
         };

     

       12
       12
        
       

     

       13
       13
        
         # TODO: replace wrapperDir below with from <nixos> config.security.wrapperDir;

     

       14
       14
       -
         wrapperDir = "/run/wrappers";

     

       14
       14
       +
         wrapperDir = "/run/wrappers/bin";

     

       15
       15
        
       

     

       16
       16
        
         postPatch = ''

     

       17
       17
        
           FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)"

+1 -1

pkgs/tools/security/ecryptfs/helper.nix

···

       18
       18
        
       

     

       19
       19
        
         buildInputs = [ makeWrapper ];

     

       20
       20
        
       

     

       21
       21
       -
         # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers

     

       21
       21
       +
         # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers/bin

     

       22
       22
        
         installPhase = ''

     

       23
       23
        
           mkdir -p $out/bin $out/libexec

     

       24
       24
        
           cp $src $out/libexec/ecryptfs-helper.py

+1 -1

pkgs/tools/security/sudo/default.nix

···

       1
       1
        
       { stdenv, fetchurl, coreutils, pam, groff

     

       2
       2
       -
       , sendmailPath ? "/run/wrappers/sendmail"

     

       2
       2
       +
       , sendmailPath ? "/run/wrappers/bin/sendmail"

     

       3
       3
        
       , withInsults ? false

     

       4
       4
        
       }:

     

       5
       5

+1 -1

pkgs/tools/system/at/default.nix

···

       1
       1
       -
       { fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/sendmail" }:

     

       1
       1
       +
       { fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/bin/sendmail" }:

     

       2
       2
        
       

     

       3
       3
        
       stdenv.mkDerivation {

     

       4
       4
        
         name = "at-3.1.16";

+1 -1

pkgs/tools/system/cron/default.nix

···

       23
       23
        
           #define _PATH_SENDMAIL "${sendmailPath}"

     

       24
       24
        
       

     

       25
       25
        
           #undef _PATH_DEFPATH

     

       26
       26
       -
           #define _PATH_DEFPATH "/run/wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"

     

       26
       26
       +
           #define _PATH_DEFPATH "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"

     

       27
       27
        
           __EOT__

     

       28
       28
        
       

     

       29
       29
        
           # Implicit saved uids do not work here due to way NixOS uses setuid wrappers

+1 -1

pkgs/tools/system/ts/default.nix

···

       1
       1
        
       {stdenv, fetchurl,

     

       2
       2
       -
       sendmailPath ? "/run/wrappers/sendmail" }:

     

       2
       2
       +
       sendmailPath ? "/run/wrappers/bin/sendmail" }:

     

       3
       3
        
       

     

       4
       4
        
       stdenv.mkDerivation rec {

     

       5
       5