···

       
27
       
 
       


     

       
28
       
 
       
  config = mkIf cfg.enable {

     

       
29
       
 
       
    environment.systemPackages = [ sandbox ];

     

       
30
       
-
       
    security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];

     

       
31
       
 
       
  };

     

       
32
       
 
       
}

     

···

       
27
       
 
       


     

       
28
       
 
       
  config = mkIf cfg.enable {

     

       
29
       
 
       
    environment.systemPackages = [ sandbox ];

     

       
30
       
+
       
    security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";

     

       
31
       
 
       
  };

     

       
32
       
 
       
}

     

···

       
188
       
 
       


     

       
189
       
 
       
     environment.systemPackages = [ pkgs.duo-unix ];

     

       
190
       
 
       


     

       
191
       
-
       
     security.setuidPrograms = [ "login_duo" ];

     

       
192
       
 
       
     environment.etc = loginCfgFile ++ pamCfgFile;

     

       
193
       
 
       


     

       
194
       
 
       
     /* If PAM *and* SSH are enabled, then don't do anything special.

     

···

       
188
       
 
       


     

       
189
       
 
       
     environment.systemPackages = [ pkgs.duo-unix ];

     

       
190
       
 
       


     

       
191
       
+
       
     security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";

     

       
192
       
 
       
     environment.etc = loginCfgFile ++ pamCfgFile;

     

       
193
       
 
       


     

       
194
       
 
       
     /* If PAM *and* SSH are enabled, then don't do anything special.

     

···

       
472
       
 
       
      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]

     

       
473
       
 
       
      ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];

     

       
474
       
 
       


     

       
475
       
-
       
    security.setuidPrograms =

     

       
476
       
 
       
      optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];

     

       
477
       
 
       


     

       
478
       
-
       
    security.wrappers.unix_chkpwd = {

     

       
479
       
-
       
      source = "${pkgs.pam}/sbin/unix_chkpwd.orig";

     

       
480
       
-
       
      owner = "root";

     

       
481
       
-
       
      setuid = true;

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
482
       
 
       
    };

     

       
483
       
 
       


     

       
484
       
 
       
    environment.etc =

     

···

       
472
       
 
       
      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]

     

       
473
       
 
       
      ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];

     

       
474
       
 
       


     

       
475
       
+
       
    security.wrapperssetuidPrograms =

     

       
476
       
 
       
      optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];

     

       
477
       
 
       


     

       
478
       
+
       
    security.wrappers = {

     

       
479
       
+
       
      unix_chkpwd = {

     

       
480
       
+
       
        source = "${pkgs.pam}/sbin/unix_chkpwd.orig";

     

       
481
       
+
       
        owner = "root";

     

       
482
       
+
       
        setuid = true;

     

       
483
       
+
       
      };

     

       
484
       
+
       
    } // (mkIf config.security.pam.enableEcryptfs {

     

       
485
       
+
       
      "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";

     

       
486
       
+
       
       "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";

     

       
487
       
 
       
    };

     

       
488
       
 
       


     

       
489
       
 
       
    environment.etc =

     

···

       
33
       
 
       
  config = mkIf (cfg.enable || anyUsbAuth) {

     

       
34
       
 
       


     

       
35
       
 
       
    # Make sure pmount and pumount are setuid wrapped.

     

       
36
       
-
       
    security.setuidPrograms = [ "pmount" "pumount" ];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
37
       
 
       


     

       
38
       
 
       
    environment.systemPackages = [ pkgs.pmount ];

     

       
39
       
 
       


     

···

       
33
       
 
       
  config = mkIf (cfg.enable || anyUsbAuth) {

     

       
34
       
 
       


     

       
35
       
 
       
    # Make sure pmount and pumount are setuid wrapped.

     

       
36
       
+
       
    security.wrappers = {

     

       
37
       
+
       
      pmount.source = "${pkgs.pmount.out}/bin/pmount";

     

       
38
       
+
       
      pumount.source = "${pkgs.pmount.out}/bin/pumount";

     

       
39
       
+
       
    };

     

       
40
       
 
       


     

       
41
       
 
       
    environment.systemPackages = [ pkgs.pmount ];

     

       
42
       
 
       


     

···

       
83
       
 
       


     

       
84
       
 
       
    security.pam.services.polkit-1 = {};

     

       
85
       
 
       


     

       
86
       
-
       
    security.setuidPrograms = [ "pkexec" ];

     

       
87
       
-
       
    security.wrappers."polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";

     

       
0
       
 
       

     

       
0
       
 
       

     

       
88
       
 
       


     

       
89
       
 
       
    system.activationScripts.polkit =

     

       
90
       
 
       
      ''

     

···

       
83
       
 
       


     

       
84
       
 
       
    security.pam.services.polkit-1 = {};

     

       
85
       
 
       


     

       
86
       
+
       
    security.wrappers = {

     

       
87
       
+
       
      pkexec.source = "${pkgs.polkit.out}/bin/pkexec";

     

       
88
       
+
       
      "polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";

     

       
89
       
+
       
    };

     

       
90
       
 
       


     

       
91
       
 
       
    system.activationScripts.polkit =

     

       
92
       
 
       
      ''

     

···

       
81
       
 
       
        ${cfg.extraConfig}

     

       
82
       
 
       
      '';

     

       
83
       
 
       


     

       
84
       
-
       
    security.setuidPrograms = [ "sudo" "sudoedit" ];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
85
       
 
       


     

       
86
       
 
       
    environment.systemPackages = [ sudo ];

     

       
87
       
 
       


     

···

       
81
       
 
       
        ${cfg.extraConfig}

     

       
82
       
 
       
      '';

     

       
83
       
 
       


     

       
84
       
+
       
    security.wrappers = {

     

       
85
       
+
       
      sudo.source = "${pkgs.sudo.out}/bin/sudo";

     

       
86
       
+
       
      sudoedit.source = "${pkgs.sudo.out}/bin/sudoedit";

     

       
87
       
+
       
    };

     

       
88
       
 
       


     

       
89
       
 
       
    environment.systemPackages = [ sudo ];

     

       
90
       
 
       


     

···

       
4
       
 
       
  inherit (config.security) wrapperDir wrappers setuidPrograms;

     

       
5
       
 
       


     

       
6
       
 
       
  programs =

     

       
7
       
-
       
    (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) setuidPrograms)

     

       
8
       
-
       
    ++

     

       
9
       
 
       
    (lib.mapAttrsToList

     

       
10
       
 
       
      (n: v: (if v ? "program" then v else v // {program=n;}))

     

       
11
       
 
       
      wrappers);

     

       
12
       
 
       


     

       
13
       
 
       
  mkWrapper = { program, source ? null, ...}: ''

     

       
14
       
-
       
    if ! source=${if source != null || source != "" then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then

     

       
15
       
-
       
        # If we can't find the program, fall back to the

     

       
16
       
-
       
        # system profile.

     

       
17
       
-
       
        source=/nix/var/nix/profiles/default/bin/${program}

     

       
18
       
-
       
    fi

     

       
19
       
-
       


     

       
20
       
 
       
    parentWrapperDir=$(dirname ${wrapperDir})

     

       
21
       
-
       


     

       
22
       
-
       
    gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"$parentWrapperDir\" \

     

       
23
       
 
       
        -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \

     

       
24
       
 
       
        -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include

     

       
25
       
 
       
  '';

     
···

       
96
       
 
       
  ###### interface

     

       
97
       
 
       


     

       
98
       
 
       
  options = {

     

       
99
       
-
       
    security.setuidPrograms = lib.mkOption {

     

       
100
       
-
       
      type = lib.types.listOf lib.types.str;

     

       
101
       
-
       
      default = [];

     

       
102
       
-
       
      example = ["passwd"];

     

       
103
       
-
       
      description = ''

     

       
104
       
-
       
        The Nix store cannot contain setuid/setgid programs directly.

     

       
105
       
-
       
        For this reason, NixOS can automatically generate wrapper

     

       
106
       
-
       
        programs that have the necessary privileges.  This option

     

       
107
       
-
       
        lists the names of programs in the system environment for

     

       
108
       
-
       
        which setuid root wrappers should be created.

     

       
109
       
-
       
      '';

     

       
110
       
-
       
    };

     

       
111
       
-
       


     

       
112
       
 
       
    security.wrappers = lib.mkOption {

     

       
113
       
 
       
      type = lib.types.attrs;

     

       
114
       
 
       
      default = {};

     

···

       
4
       
 
       
  inherit (config.security) wrapperDir wrappers setuidPrograms;

     

       
5
       
 
       


     

       
6
       
 
       
  programs =

     

       
0
       
 
       

     

       
0
       
 
       

     

       
7
       
 
       
    (lib.mapAttrsToList

     

       
8
       
 
       
      (n: v: (if v ? "program" then v else v // {program=n;}))

     

       
9
       
 
       
      wrappers);

     

       
10
       
 
       


     

       
11
       
 
       
  mkWrapper = { program, source ? null, ...}: ''

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
12
       
 
       
    parentWrapperDir=$(dirname ${wrapperDir})

     

       
13
       
+
       
    gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \

     

       
0
       
 
       

     

       
14
       
 
       
        -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \

     

       
15
       
 
       
        -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include

     

       
16
       
 
       
  '';

     
···

       
87
       
 
       
  ###### interface

     

       
88
       
 
       


     

       
89
       
 
       
  options = {

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
90
       
 
       
    security.wrappers = lib.mkOption {

     

       
91
       
 
       
      type = lib.types.attrs;

     

       
92
       
 
       
      default = {};

     

···

       
89
       
 
       
      gid = config.ids.gids.exim;

     

       
90
       
 
       
    };

     

       
91
       
 
       


     

       
92
       
-
       
    security.setuidPrograms = [ "exim" ];

     

       
93
       
 
       


     

       
94
       
 
       
    systemd.services.exim = {

     

       
95
       
 
       
      description = "Exim Mail Daemon";

     

···

       
89
       
 
       
      gid = config.ids.gids.exim;

     

       
90
       
 
       
    };

     

       
91
       
 
       


     

       
92
       
+
       
    security.wrappers.exim.source = "${exim}/bin/exim";

     

       
93
       
 
       


     

       
94
       
 
       
    systemd.services.exim = {

     

       
95
       
 
       
      description = "Exim Mail Daemon";

     

···

       
273
       
 
       
        message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";

     

       
274
       
 
       
      }

     

       
275
       
 
       
    ];

     

       
276
       
-
       
    security.setuidPrograms = [ "fping" "fping6" ];

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
277
       
 
       
    environment.systemPackages = [ pkgs.fping ];

     

       
278
       
 
       
    users.extraUsers = singleton {

     

       
279
       
 
       
      name = cfg.user;

     

···

       
273
       
 
       
        message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";

     

       
274
       
 
       
      }

     

       
275
       
 
       
    ];

     

       
276
       
+
       
    security.wrappers = {

     

       
277
       
+
       
      fping.source = "${pkgs.fping}/bin/fping";

     

       
278
       
+
       
      "fping6".source = "${pkgs.fping}/bin/fping6";

     

       
279
       
+
       
    };

     

       
280
       
 
       
    environment.systemPackages = [ pkgs.fping ];

     

       
281
       
 
       
    users.extraUsers = singleton {

     

       
282
       
 
       
      name = cfg.user;

     

···

       
93
       
 
       


     

       
94
       
 
       
    { services.cron.enable = mkDefault (allFiles != []); }

     

       
95
       
 
       
    (mkIf (config.services.cron.enable) {

     

       
96
       
-
       
      security.setuidPrograms = [ "crontab" ];

     

       
97
       
 
       
      environment.systemPackages = [ cronNixosPkg ];

     

       
98
       
 
       
      environment.etc.crontab =

     

       
99
       
 
       
        { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }

     

···

       
93
       
 
       


     

       
94
       
 
       
    { services.cron.enable = mkDefault (allFiles != []); }

     

       
95
       
 
       
    (mkIf (config.services.cron.enable) {

     

       
96
       
+
       
      security.wrappers.crontab.source = "${pkgs.cronNixosPkg.out}/bin/crontab";

     

       
97
       
 
       
      environment.systemPackages = [ cronNixosPkg ];

     

       
98
       
 
       
      environment.etc.crontab =

     

       
99
       
 
       
        { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }

     

···

       
106
       
 
       


     

       
107
       
 
       
    environment.systemPackages = [ pkgs.fcron ];

     

       
108
       
 
       


     

       
109
       
-
       
    security.setuidPrograms = [ "fcrontab" ];

     

       
110
       
 
       
    systemd.services.fcron = {

     

       
111
       
 
       
      description = "fcron daemon";

     

       
112
       
 
       
      after = [ "local-fs.target" ];

     

···

       
106
       
 
       


     

       
107
       
 
       
    environment.systemPackages = [ pkgs.fcron ];

     

       
108
       
 
       


     

       
109
       
+
       
    security.wrappers.fcrontab.source = "${pkgs.fcron.out}/bin/fcrontab";

     

       
110
       
 
       
    systemd.services.fcron = {

     

       
111
       
 
       
      description = "fcron daemon";

     

       
112
       
 
       
      after = [ "local-fs.target" ];

     

···

       
62
       
 
       
      '';

     

       
63
       
 
       
    }];

     

       
64
       
 
       


     

       
65
       
-
       
    security.setuidPrograms = [ "e_freqset" ];

     

       
0
       
 
       

     

       
66
       
 
       
    environment.etc = singleton

     

       
67
       
 
       
      { source = "${pkgs.xkeyboard_config}/etc/X11/xkb";

     

       
68
       
 
       
        target = "X11/xkb";

     

···

       
62
       
 
       
      '';

     

       
63
       
 
       
    }];

     

       
64
       
 
       


     

       
65
       
+
       
    security.wrappers.e_freqset.source = "${e.enlightenment.out}/bin/e_freqset";

     

       
66
       
+
       
    

     

       
67
       
 
       
    environment.etc = singleton

     

       
68
       
 
       
      { source = "${pkgs.xkeyboard_config}/etc/X11/xkb";

     

       
69
       
 
       
        target = "X11/xkb";

     

···

       
912
       
 
       


     

       
913
       
 
       
    # If the linux kernel IS older than 4.3, create setuid wrappers

     

       
914
       
 
       
    # for ping and ping6

     

       
915
       
-
       
    security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") [

     

       
916
       
-
       
      "ping" "ping6"

     

       
917
       
-
       
    ];

     

       
0
       
 
       

     

       
918
       
 
       


     

       
919
       
 
       
    # Set the host and domain names in the activation script.  Don't

     

       
920
       
 
       
    # clear it if it's not configured in the NixOS configuration,

     

···

       
912
       
 
       


     

       
913
       
 
       
    # If the linux kernel IS older than 4.3, create setuid wrappers

     

       
914
       
 
       
    # for ping and ping6

     

       
915
       
+
       
    security.wrappers = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") {

     

       
916
       
+
       
      ping.source = "${pkgs.iputils.out}/bin/ping";

     

       
917
       
+
       
      "ping6".source = "${pkgs.iputils.out}/bin/ping6";

     

       
918
       
+
       
    };

     

       
919
       
 
       


     

       
920
       
 
       
    # Set the host and domain names in the activation script.  Don't

     

       
921
       
 
       
    # clear it if it's not configured in the NixOS configuration,