commit ceb2e6667b064ce5130f751d7b6625a81e191dec · pyrox.dev/nixpkgs

+10

nixos/doc/manual/from_md/release-notes/rl-2111.section.xml

···

       280
        
           <itemizedlist>

     

       281
        
             <listitem>

     

       282
        
               <para>

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       283
        
                 The <literal>paperless</literal> module and package have been

     

       284
        
                 removed. All users should migrate to the successor

     

       285
        
                 <literal>paperless-ng</literal> instead. The Paperless project

···

       280
        
           <itemizedlist>

     

       281
        
             <listitem>

     

       282
        
               <para>

     

       283
       +
                 The <literal>security.wrappers</literal> option now requires

     

       284
       +
                 to always specify an owner, group and whether the

     

       285
       +
                 setuid/setgid bit should be set. This is motivated by the fact

     

       286
       +
                 that before NixOS 21.11, specifying either setuid or setgid

     

       287
       +
                 but not owner/group resulted in wrappers owned by

     

       288
       +
                 nobody/nogroup, which is unsafe.

     

       289
       +
               </para>

     

       290
       +
             </listitem>

     

       291
       +
             <listitem>

     

       292
       +
               <para>

     

       293
        
                 The <literal>paperless</literal> module and package have been

     

       294
        
                 removed. All users should migrate to the successor

     

       295
        
                 <literal>paperless-ng</literal> instead. The Paperless project

+2

nixos/doc/manual/release-notes/rl-2111.section.md

···

       88
        
       

     

       89
        
       ## Backward Incompatibilities {#sec-release-21.11-incompatibilities}

     

       90
        
       

     

       0
        
       
     

       0
        
       
     

       91
        
       

     

       92
        
       - The `paperless` module and package have been removed. All users should migrate to the

     

       93
        
         successor `paperless-ng` instead. The Paperless project [has been

···

       88
        
       

     

       89
        
       ## Backward Incompatibilities {#sec-release-21.11-incompatibilities}

     

       90
        
       

     

       91
       +
       - The `security.wrappers` option now requires to always specify an owner, group and whether the setuid/setgid bit should be set.

     

       92
       +
         This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe.

     

       93
        
       

     

       94
        
       - The `paperless` module and package have been removed. All users should migrate to the

     

       95
        
         successor `paperless-ng` instead. The Paperless project [has been

+3 -1

nixos/modules/programs/bandwhich.nix

···

       22
        
         config = mkIf cfg.enable {

     

       23
        
           environment.systemPackages = with pkgs; [ bandwhich ];

     

       24
        
           security.wrappers.bandwhich = {

     

       25
       -
             source = "${pkgs.bandwhich}/bin/bandwhich";

     

       0
        
       
     

       26
        
             capabilities = "cap_net_raw,cap_net_admin+ep";

     

       0
        
       
     

       27
        
           };

     

       28
        
         };

     

       29
        
       }

···

       22
        
         config = mkIf cfg.enable {

     

       23
        
           environment.systemPackages = with pkgs; [ bandwhich ];

     

       24
        
           security.wrappers.bandwhich = {

     

       25
       +
             owner = "root";

     

       26
       +
             group = "root";

     

       27
        
             capabilities = "cap_net_raw,cap_net_admin+ep";

     

       28
       +
             source = "${pkgs.bandwhich}/bin/bandwhich";

     

       29
        
           };

     

       30
        
         };

     

       31
        
       }

+4

nixos/modules/programs/captive-browser.nix

···

       105
        
             );

     

       106
        
       

     

       107
        
           security.wrappers.udhcpc = {

     

       0
        
       
     

       0
        
       
     

       108
        
             capabilities = "cap_net_raw+p";

     

       109
        
             source = "${pkgs.busybox}/bin/udhcpc";

     

       110
        
           };

     

       111
        
       

     

       112
        
           security.wrappers.captive-browser = {

     

       0
        
       
     

       0
        
       
     

       113
        
             capabilities = "cap_net_raw+p";

     

       114
        
             source = pkgs.writeShellScript "captive-browser" ''

     

       115
        
               export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"

···

       105
        
             );

     

       106
        
       

     

       107
        
           security.wrappers.udhcpc = {

     

       108
       +
             owner = "root";

     

       109
       +
             group = "root";

     

       110
        
             capabilities = "cap_net_raw+p";

     

       111
        
             source = "${pkgs.busybox}/bin/udhcpc";

     

       112
        
           };

     

       113
        
       

     

       114
        
           security.wrappers.captive-browser = {

     

       115
       +
             owner = "root";

     

       116
       +
             group = "root";

     

       117
        
             capabilities = "cap_net_raw+p";

     

       118
        
             source = pkgs.writeShellScript "captive-browser" ''

     

       119
        
               export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"

+2

nixos/modules/programs/ccache.nix

···

       28
        
       

     

       29
        
             # "nix-ccache --show-stats" and "nix-ccache --clear"

     

       30
        
             security.wrappers.nix-ccache = {

     

       0
        
       
     

       31
        
               group = "nixbld";

     

       0
        
       
     

       32
        
               setgid = true;

     

       33
        
               source = pkgs.writeScript "nix-ccache.pl" ''

     

       34
        
                 #!${pkgs.perl}/bin/perl

···

       28
        
       

     

       29
        
             # "nix-ccache --show-stats" and "nix-ccache --clear"

     

       30
        
             security.wrappers.nix-ccache = {

     

       31
       +
               owner = "nobody";

     

       32
        
               group = "nixbld";

     

       33
       +
               setuid = false;

     

       34
        
               setgid = true;

     

       35
        
               source = pkgs.writeScript "nix-ccache.pl" ''

     

       36
        
                 #!${pkgs.perl}/bin/perl

+6 -1

nixos/modules/programs/firejail.nix

···

       81
        
         };

     

       82
        
       

     

       83
        
         config = mkIf cfg.enable {

     

       84
       -
           security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       85
        
       

     

       86
        
           environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ];

     

       87
        
         };

···

       81
        
         };

     

       82
        
       

     

       83
        
         config = mkIf cfg.enable {

     

       84
       +
           security.wrappers.firejail =

     

       85
       +
             { setuid = true;

     

       86
       +
               owner = "root";

     

       87
       +
               group = "root";

     

       88
       +
               source = "${lib.getBin pkgs.firejail}/bin/firejail";

     

       89
       +
             };

     

       90
        
       

     

       91
        
           environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ];

     

       92
        
         };

+2

nixos/modules/programs/gamemode.nix

···

       56
        
             polkit.enable = true;

     

       57
        
             wrappers = mkIf cfg.enableRenice {

     

       58
        
               gamemoded = {

     

       0
        
       
     

       0
        
       
     

       59
        
                 source = "${pkgs.gamemode}/bin/gamemoded";

     

       60
        
                 capabilities = "cap_sys_nice+ep";

     

       61
        
               };

···

       56
        
             polkit.enable = true;

     

       57
        
             wrappers = mkIf cfg.enableRenice {

     

       58
        
               gamemoded = {

     

       59
       +
                 owner = "root";

     

       60
       +
                 group = "root";

     

       61
        
                 source = "${pkgs.gamemode}/bin/gamemoded";

     

       62
        
                 capabilities = "cap_sys_nice+ep";

     

       63
        
               };

+3 -1

nixos/modules/programs/iftop.nix

···

       11
        
         config = mkIf cfg.enable {

     

       12
        
           environment.systemPackages = [ pkgs.iftop ];

     

       13
        
           security.wrappers.iftop = {

     

       14
       -
             source = "${pkgs.iftop}/bin/iftop";

     

       0
        
       
     

       15
        
             capabilities = "cap_net_raw+p";

     

       0
        
       
     

       16
        
           };

     

       17
        
         };

     

       18
        
       }

···

       11
        
         config = mkIf cfg.enable {

     

       12
        
           environment.systemPackages = [ pkgs.iftop ];

     

       13
        
           security.wrappers.iftop = {

     

       14
       +
             owner = "root";

     

       15
       +
             group = "root";

     

       16
        
             capabilities = "cap_net_raw+p";

     

       17
       +
             source = "${pkgs.iftop}/bin/iftop";

     

       18
        
           };

     

       19
        
         };

     

       20
        
       }

+3 -1

nixos/modules/programs/iotop.nix

···

       10
        
         };

     

       11
        
         config = mkIf cfg.enable {

     

       12
        
           security.wrappers.iotop = {

     

       13
       -
             source = "${pkgs.iotop}/bin/iotop";

     

       0
        
       
     

       14
        
             capabilities = "cap_net_admin+p";

     

       0
        
       
     

       15
        
           };

     

       16
        
         };

     

       17
        
       }

···

       10
        
         };

     

       11
        
         config = mkIf cfg.enable {

     

       12
        
           security.wrappers.iotop = {

     

       13
       +
             owner = "root";

     

       14
       +
             group = "root";

     

       15
        
             capabilities = "cap_net_admin+p";

     

       16
       +
             source = "${pkgs.iotop}/bin/iotop";

     

       17
        
           };

     

       18
        
         };

     

       19
        
       }

+6 -1

nixos/modules/programs/kbdlight.nix

···

       11
        
       

     

       12
        
         config = mkIf cfg.enable {

     

       13
        
           environment.systemPackages = [ pkgs.kbdlight ];

     

       14
       -
           security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       15
        
         };

     

       16
        
       }

···

       11
        
       

     

       12
        
         config = mkIf cfg.enable {

     

       13
        
           environment.systemPackages = [ pkgs.kbdlight ];

     

       14
       +
           security.wrappers.kbdlight =

     

       15
       +
             { setuid = true;

     

       16
       +
               owner = "root";

     

       17
       +
               group = "root";

     

       18
       +
               source = "${pkgs.kbdlight.out}/bin/kbdlight";

     

       19
       +
             };

     

       20
        
         };

     

       21
        
       }

+3 -1

nixos/modules/programs/liboping.nix

···

       13
        
           security.wrappers = mkMerge (map (

     

       14
        
             exec: {

     

       15
        
               "${exec}" = {

     

       16
       -
                 source = "${pkgs.liboping}/bin/${exec}";

     

       0
        
       
     

       17
        
                 capabilities = "cap_net_raw+p";

     

       0
        
       
     

       18
        
               };

     

       19
        
             }

     

       20
        
           ) [ "oping" "noping" ]);

···

       13
        
           security.wrappers = mkMerge (map (

     

       14
        
             exec: {

     

       15
        
               "${exec}" = {

     

       16
       +
                 owner = "root";

     

       17
       +
                 group = "root";

     

       18
        
                 capabilities = "cap_net_raw+p";

     

       19
       +
                 source = "${pkgs.liboping}/bin/${exec}";

     

       20
        
               };

     

       21
        
             }

     

       22
        
           ) [ "oping" "noping" ]);

+2

nixos/modules/programs/msmtp.nix

···

       78
        
             source = "${pkgs.msmtp}/bin/sendmail";

     

       79
        
             setuid = false;

     

       80
        
             setgid = false;

     

       0
        
       
     

       0
        
       
     

       81
        
           };

     

       82
        
       

     

       83
        
           environment.etc."msmtprc".text = let

···

       78
        
             source = "${pkgs.msmtp}/bin/sendmail";

     

       79
        
             setuid = false;

     

       80
        
             setgid = false;

     

       81
       +
             owner = "root";

     

       82
       +
             group = "root";

     

       83
        
           };

     

       84
        
       

     

       85
        
           environment.etc."msmtprc".text = let

+3 -1

nixos/modules/programs/mtr.nix

···

       31
        
           environment.systemPackages = with pkgs; [ cfg.package ];

     

       32
        
       

     

       33
        
           security.wrappers.mtr-packet = {

     

       34
       -
             source = "${cfg.package}/bin/mtr-packet";

     

       0
        
       
     

       35
        
             capabilities = "cap_net_raw+p";

     

       0
        
       
     

       36
        
           };

     

       37
        
         };

     

       38
        
       }

···

       31
        
           environment.systemPackages = with pkgs; [ cfg.package ];

     

       32
        
       

     

       33
        
           security.wrappers.mtr-packet = {

     

       34
       +
             owner = "root";

     

       35
       +
             group = "root";

     

       36
        
             capabilities = "cap_net_raw+p";

     

       37
       +
             source = "${cfg.package}/bin/mtr-packet";

     

       38
        
           };

     

       39
        
         };

     

       40
        
       }

+3 -1

nixos/modules/programs/noisetorch.nix

···

       18
        
       

     

       19
        
         config = mkIf cfg.enable {

     

       20
        
           security.wrappers.noisetorch = {

     

       21
       -
             source = "${cfg.package}/bin/noisetorch";

     

       0
        
       
     

       22
        
             capabilities = "cap_sys_resource=+ep";

     

       0
        
       
     

       23
        
           };

     

       24
        
         };

     

       25
        
       }

···

       18
        
       

     

       19
        
         config = mkIf cfg.enable {

     

       20
        
           security.wrappers.noisetorch = {

     

       21
       +
             owner = "root";

     

       22
       +
             group = "root";

     

       23
        
             capabilities = "cap_sys_resource=+ep";

     

       24
       +
             source = "${cfg.package}/bin/noisetorch";

     

       25
        
           };

     

       26
        
         };

     

       27
        
       }

+14 -7

nixos/modules/programs/shadow.nix

···

       43
        
       

     

       44
        
           '';

     

       45
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       46
        
       in

     

       47
        
       

     

       48
        
       {

     
···

       109
        
             };

     

       110
        
       

     

       111
        
           security.wrappers = {

     

       112
       -
             su.source        = "${pkgs.shadow.su}/bin/su";

     

       113
       -
             sg.source        = "${pkgs.shadow.out}/bin/sg";

     

       114
       -
             newgrp.source    = "${pkgs.shadow.out}/bin/newgrp";

     

       115
       -
             newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";

     

       116
       -
             newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";

     

       117
        
           } // lib.optionalAttrs config.users.mutableUsers {

     

       118
       -
             chsh.source      = "${pkgs.shadow.out}/bin/chsh";

     

       119
       -
             passwd.source    = "${pkgs.shadow.out}/bin/passwd";

     

       120
        
           };

     

       121
        
         };

     

       122
        
       }

···

       43
        
       

     

       44
        
           '';

     

       45
        
       

     

       46
       +
         mkSetuidRoot = source:

     

       47
       +
           { setuid = true;

     

       48
       +
             owner = "root";

     

       49
       +
             group = "root";

     

       50
       +
             inherit source;

     

       51
       +
           };

     

       52
       +
       

     

       53
        
       in

     

       54
        
       

     

       55
        
       {

     
···

       116
        
             };

     

       117
        
       

     

       118
        
           security.wrappers = {

     

       119
       +
             su        = mkSetuidRoot "${pkgs.shadow.su}/bin/su";

     

       120
       +
             sg        = mkSetuidRoot "${pkgs.shadow.out}/bin/sg";

     

       121
       +
             newgrp    = mkSetuidRoot "${pkgs.shadow.out}/bin/newgrp";

     

       122
       +
             newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap";

     

       123
       +
             newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap";

     

       124
        
           } // lib.optionalAttrs config.users.mutableUsers {

     

       125
       +
             chsh   = mkSetuidRoot "${pkgs.shadow.out}/bin/chsh";

     

       126
       +
             passwd = mkSetuidRoot "${pkgs.shadow.out}/bin/passwd";

     

       127
        
           };

     

       128
        
         };

     

       129
        
       }

+6 -1

nixos/modules/programs/singularity.nix

···

       16
        
       

     

       17
        
         config = mkIf cfg.enable {

     

       18
        
             environment.systemPackages = [ singularity ];

     

       19
       -
             security.wrappers.singularity-suid.source = "${singularity}/libexec/singularity/bin/starter-suid.orig";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       20
        
             systemd.tmpfiles.rules = [

     

       21
        
               "d /var/singularity/mnt/session 0770 root root -"

     

       22
        
               "d /var/singularity/mnt/final 0770 root root -"

···

       16
        
       

     

       17
        
         config = mkIf cfg.enable {

     

       18
        
             environment.systemPackages = [ singularity ];

     

       19
       +
             security.wrappers.singularity-suid =

     

       20
       +
             { setuid = true;

     

       21
       +
               owner = "root";

     

       22
       +
               group = "root";

     

       23
       +
               source = "${singularity}/libexec/singularity/bin/starter-suid.orig";

     

       24
       +
             };

     

       25
        
             systemd.tmpfiles.rules = [

     

       26
        
               "d /var/singularity/mnt/session 0770 root root -"

     

       27
        
               "d /var/singularity/mnt/final 0770 root root -"

+6 -1

nixos/modules/programs/slock.nix

···

       21
        
       

     

       22
        
         config = mkIf cfg.enable {

     

       23
        
           environment.systemPackages = [ pkgs.slock ];

     

       24
       -
           security.wrappers.slock.source = "${pkgs.slock.out}/bin/slock";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       25
        
         };

     

       26
        
       }

···

       21
        
       

     

       22
        
         config = mkIf cfg.enable {

     

       23
        
           environment.systemPackages = [ pkgs.slock ];

     

       24
       +
           security.wrappers.slock =

     

       25
       +
             { setuid = true;

     

       26
       +
               owner = "root";

     

       27
       +
               group = "root";

     

       28
       +
               source = "${pkgs.slock.out}/bin/slock";

     

       29
       +
             };

     

       30
        
         };

     

       31
        
       }

+2

nixos/modules/programs/ssmtp.nix

···

       181
        
             source = "${pkgs.ssmtp}/bin/sendmail";

     

       182
        
             setuid = false;

     

       183
        
             setgid = false;

     

       0
        
       
     

       0
        
       
     

       184
        
           };

     

       185
        
       

     

       186
        
         };

···

       181
        
             source = "${pkgs.ssmtp}/bin/sendmail";

     

       182
        
             setuid = false;

     

       183
        
             setgid = false;

     

       184
       +
             owner = "root";

     

       185
       +
             group = "root";

     

       186
        
           };

     

       187
        
       

     

       188
        
         };

+3 -1

nixos/modules/programs/traceroute.nix

···

       19
        
       

     

       20
        
         config = mkIf cfg.enable {

     

       21
        
           security.wrappers.traceroute = {

     

       22
       -
             source = "${pkgs.traceroute}/bin/traceroute";

     

       0
        
       
     

       23
        
             capabilities = "cap_net_raw+p";

     

       0
        
       
     

       24
        
           };

     

       25
        
         };

     

       26
        
       }

···

       19
        
       

     

       20
        
         config = mkIf cfg.enable {

     

       21
        
           security.wrappers.traceroute = {

     

       22
       +
             owner = "root";

     

       23
       +
             group = "root";

     

       24
        
             capabilities = "cap_net_raw+p";

     

       25
       +
             source = "${pkgs.traceroute}/bin/traceroute";

     

       26
        
           };

     

       27
        
         };

     

       28
        
       }

+6 -1

nixos/modules/programs/udevil.nix

···

       9
        
         options.programs.udevil.enable = mkEnableOption "udevil";

     

       10
        
       

     

       11
        
         config = mkIf cfg.enable {

     

       12
       -
           security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       13
        
         };

     

       14
        
       }

···

       9
        
         options.programs.udevil.enable = mkEnableOption "udevil";

     

       10
        
       

     

       11
        
         config = mkIf cfg.enable {

     

       12
       +
           security.wrappers.udevil =

     

       13
       +
             { setuid = true;

     

       14
       +
               owner = "root";

     

       15
       +
               group = "root";

     

       16
       +
               source = "${lib.getBin pkgs.udevil}/bin/udevil";

     

       17
       +
             };

     

       18
        
         };

     

       19
        
       }

+3 -1

nixos/modules/programs/wavemon.nix

···

       21
        
         config = mkIf cfg.enable {

     

       22
        
           environment.systemPackages = with pkgs; [ wavemon ];

     

       23
        
           security.wrappers.wavemon = {

     

       24
       -
             source = "${pkgs.wavemon}/bin/wavemon";

     

       0
        
       
     

       25
        
             capabilities = "cap_net_admin+ep";

     

       0
        
       
     

       26
        
           };

     

       27
        
         };

     

       28
        
       }

···

       21
        
         config = mkIf cfg.enable {

     

       22
        
           environment.systemPackages = with pkgs; [ wavemon ];

     

       23
        
           security.wrappers.wavemon = {

     

       24
       +
             owner = "root";

     

       25
       +
             group = "root";

     

       26
        
             capabilities = "cap_net_admin+ep";

     

       27
       +
             source = "${pkgs.wavemon}/bin/wavemon";

     

       28
        
           };

     

       29
        
         };

     

       30
        
       }

+6 -1

nixos/modules/programs/wshowkeys.nix

···

       17
        
         };

     

       18
        
       

     

       19
        
         config = mkIf cfg.enable {

     

       20
       -
           security.wrappers.wshowkeys.source = "${pkgs.wshowkeys}/bin/wshowkeys";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       21
        
         };

     

       22
        
       }

···

       17
        
         };

     

       18
        
       

     

       19
        
         config = mkIf cfg.enable {

     

       20
       +
           security.wrappers.wshowkeys =

     

       21
       +
             { setuid = true;

     

       22
       +
               owner = "root";

     

       23
       +
               group = "root";

     

       24
       +
               source = "${pkgs.wshowkeys}/bin/wshowkeys";

     

       25
       +
             };

     

       26
        
         };

     

       27
        
       }

+6 -1

nixos/modules/security/chromium-suid-sandbox.nix

···

       28
        
       

     

       29
        
         config = mkIf cfg.enable {

     

       30
        
           environment.systemPackages = [ sandbox ];

     

       31
       -
           security.wrappers.${sandbox.passthru.sandboxExecutableName}.source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       32
        
         };

     

       33
        
       }

···

       28
        
       

     

       29
        
         config = mkIf cfg.enable {

     

       30
        
           environment.systemPackages = [ sandbox ];

     

       31
       +
           security.wrappers.${sandbox.passthru.sandboxExecutableName} =

     

       32
       +
             { setuid = true;

     

       33
       +
               owner = "root";

     

       34
       +
               group = "root";

     

       35
       +
               source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";

     

       36
       +
             };

     

       37
        
         };

     

       38
        
       }

+6 -3

nixos/modules/security/doas.nix

···

       241
        
             }

     

       242
        
           ];

     

       243
        
       

     

       244
       -
           security.wrappers = {

     

       245
       -
             doas.source = "${doas}/bin/doas";

     

       246
       -
           };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       247
        
       

     

       248
        
           environment.systemPackages = [

     

       249
        
             doas

···

       241
        
             }

     

       242
        
           ];

     

       243
        
       

     

       244
       +
           security.wrappers.doas =

     

       245
       +
             { setuid = true;

     

       246
       +
               owner = "root";

     

       247
       +
               group = "root";

     

       248
       +
               source = "${doas}/bin/doas";

     

       249
       +
             };

     

       250
        
       

     

       251
        
           environment.systemPackages = [

     

       252
        
             doas

+6 -1

nixos/modules/security/duosec.nix

···

       186
        
         config = mkIf (cfg.ssh.enable || cfg.pam.enable) {

     

       187
        
           environment.systemPackages = [ pkgs.duo-unix ];

     

       188
        
       

     

       189
       -
           security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       190
        
       

     

       191
        
           system.activationScripts = {

     

       192
        
             login_duo = mkIf cfg.ssh.enable ''

···

       186
        
         config = mkIf (cfg.ssh.enable || cfg.pam.enable) {

     

       187
        
           environment.systemPackages = [ pkgs.duo-unix ];

     

       188
        
       

     

       189
       +
           security.wrappers.login_duo =

     

       190
       +
             { setuid = true;

     

       191
       +
               owner = "root";

     

       192
       +
               group = "root";

     

       193
       +
               source = "${pkgs.duo-unix.out}/bin/login_duo";

     

       194
       +
             };

     

       195
        
       

     

       196
        
           system.activationScripts = {

     

       197
        
             login_duo = mkIf cfg.ssh.enable ''

+3 -2

nixos/modules/security/pam.nix

···

       869
        
       

     

       870
        
           security.wrappers = {

     

       871
        
             unix_chkpwd = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       872
        
               source = "${pkgs.pam}/sbin/unix_chkpwd.orig";

     

       873
       -
               owner = "root";

     

       874
       -
               setuid = true;

     

       875
        
             };

     

       876
        
           };

     

       877

···

       869
        
       

     

       870
        
           security.wrappers = {

     

       871
        
             unix_chkpwd = {

     

       872
       +
               setuid = true;

     

       873
       +
               owner = "root";

     

       874
       +
               group = "root";

     

       875
        
               source = "${pkgs.pam}/sbin/unix_chkpwd.orig";

     

       0
        
       
     

       0
        
       
     

       876
        
             };

     

       877
        
           };

     

       878

+12 -2

nixos/modules/security/pam_usb.nix

···

       32
        
       

     

       33
        
           # Make sure pmount and pumount are setuid wrapped.

     

       34
        
           security.wrappers = {

     

       35
       -
             pmount.source = "${pkgs.pmount.out}/bin/pmount";

     

       36
       -
             pumount.source = "${pkgs.pmount.out}/bin/pumount";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       37
        
           };

     

       38
        
       

     

       39
        
           environment.systemPackages = [ pkgs.pmount ];

···

       32
        
       

     

       33
        
           # Make sure pmount and pumount are setuid wrapped.

     

       34
        
           security.wrappers = {

     

       35
       +
             pmount =

     

       36
       +
               { setuid = true;

     

       37
       +
                 owner = "root";

     

       38
       +
                 group = "root";

     

       39
       +
                 source = "${pkgs.pmount.out}/bin/pmount";

     

       40
       +
               };

     

       41
       +
             pumount =

     

       42
       +
               { setuid = true;

     

       43
       +
                 owner = "root";

     

       44
       +
                 group = "root";

     

       45
       +
                 source = "${pkgs.pmount.out}/bin/pumount";

     

       46
       +
               };

     

       47
        
           };

     

       48
        
       

     

       49
        
           environment.systemPackages = [ pkgs.pmount ];

+12 -2

nixos/modules/security/polkit.nix

···

       83
        
           security.pam.services.polkit-1 = {};

     

       84
        
       

     

       85
        
           security.wrappers = {

     

       86
       -
             pkexec.source = "${pkgs.polkit.bin}/bin/pkexec";

     

       87
       -
             polkit-agent-helper-1.source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       88
        
           };

     

       89
        
       

     

       90
        
           systemd.tmpfiles.rules = [

···

       83
        
           security.pam.services.polkit-1 = {};

     

       84
        
       

     

       85
        
           security.wrappers = {

     

       86
       +
             pkexec =

     

       87
       +
               { setuid = true;

     

       88
       +
                 owner = "root";

     

       89
       +
                 group = "root";

     

       90
       +
                 source = "${pkgs.polkit.bin}/bin/pkexec";

     

       91
       +
               };

     

       92
       +
             polkit-agent-helper-1 =

     

       93
       +
               { setuid = true;

     

       94
       +
                 owner = "root";

     

       95
       +
                 group = "root";

     

       96
       +
                 source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";

     

       97
       +
               };

     

       98
        
           };

     

       99
        
       

     

       100
        
           systemd.tmpfiles.rules = [

+188 -94

nixos/modules/security/wrappers/default.nix

···

       5
        
       

     

       6
        
         parentWrapperDir = dirOf wrapperDir;

     

       7
        
       

     

       8
       -
         programs =

     

       9
       -
           (lib.mapAttrsToList

     

       10
       -
             (n: v: (if v ? program then v else v // {program=n;}))

     

       11
       -
             wrappers);

     

       12
       -
       

     

       13
        
         securityWrapper = pkgs.callPackage ./wrapper.nix {

     

       14
        
           inherit parentWrapperDir;

     

       15
        
         };

     

       16
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       17
        
         ###### Activation script for the setcap wrappers

     

       18
        
         mkSetcapProgram =

     

       19
        
           { program

     

       20
        
           , capabilities

     

       21
        
           , source

     

       22
       -
           , owner  ? "nobody"

     

       23
       -
           , group  ? "nogroup"

     

       24
       -
           , permissions ? "u+rx,g+x,o+x"

     

       25
        
           , ...

     

       26
        
           }:

     

       27
        
           assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");

     

       28
        
           ''

     

       29
       -
             cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}

     

       30
       -
             echo -n "${source}" > $wrapperDir/${program}.real

     

       31
        
       

     

       32
        
             # Prevent races

     

       33
       -
             chmod 0000 $wrapperDir/${program}

     

       34
       -
             chown ${owner}.${group} $wrapperDir/${program}

     

       35
        
       

     

       36
        
             # Set desired capabilities on the file plus cap_setpcap so

     

       37
        
             # the wrapper program can elevate the capabilities set on

     

       38
        
             # its file into the Ambient set.

     

       39
       -
             ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}

     

       40
        
       

     

       41
        
             # Set the executable bit

     

       42
       -
             chmod ${permissions} $wrapperDir/${program}

     

       43
        
           '';

     

       44
        
       

     

       45
        
         ###### Activation script for the setuid wrappers

     

       46
        
         mkSetuidProgram =

     

       47
        
           { program

     

       48
        
           , source

     

       49
       -
           , owner  ? "nobody"

     

       50
       -
           , group  ? "nogroup"

     

       51
       -
           , setuid ? false

     

       52
       -
           , setgid ? false

     

       53
       -
           , permissions ? "u+rx,g+x,o+x"

     

       54
        
           , ...

     

       55
        
           }:

     

       56
        
           ''

     

       57
       -
             cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}

     

       58
       -
             echo -n "${source}" > $wrapperDir/${program}.real

     

       59
        
       

     

       60
        
             # Prevent races

     

       61
       -
             chmod 0000 $wrapperDir/${program}

     

       62
       -
             chown ${owner}.${group} $wrapperDir/${program}

     

       63
        
       

     

       64
       -
             chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}

     

       65
        
           '';

     

       66
        
       

     

       67
        
         mkWrappedPrograms =

     

       68
        
           builtins.map

     

       69
       -
             (s: if (s ? capabilities)

     

       70
       -
                 then mkSetcapProgram

     

       71
       -
                        ({ owner = "root";

     

       72
       -
                           group = "root";

     

       73
       -
                         } // s)

     

       74
       -
                 else if

     

       75
       -
                    (s ? setuid && s.setuid) ||

     

       76
       -
                    (s ? setgid && s.setgid) ||

     

       77
       -
                    (s ? permissions)

     

       78
       -
                 then mkSetuidProgram s

     

       79
       -
                 else mkSetuidProgram

     

       80
       -
                        ({ owner  = "root";

     

       81
       -
                           group  = "root";

     

       82
       -
                           setuid = true;

     

       83
       -
                           setgid = false;

     

       84
       -
                           permissions = "u+rx,g+x,o+x";

     

       85
       -
                         } // s)

     

       86
       -
             ) programs;

     

       87
        
       in

     

       88
        
       {

     

       89
        
         imports = [

     
···

       95
        
       

     

       96
        
         options = {

     

       97
        
           security.wrappers = lib.mkOption {

     

       98
       -
             type = lib.types.attrs;

     

       99
        
             default = {};

     

       100
        
             example = lib.literalExample

     

       101
        
               ''

     

       102
       -
                 { sendmail.source = "/nix/store/.../bin/sendmail";

     

       103
       -
                   ping = {

     

       104
       -
                     source  = "${pkgs.iputils.out}/bin/ping";

     

       105
       -
                     owner   = "nobody";

     

       106
       -
                     group   = "nogroup";

     

       107
       -
                     capabilities = "cap_net_raw+ep";

     

       108
       -
                   };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       109
        
                 }

     

       110
        
               '';

     

       111
        
             description = ''

     

       112
       -
               This option allows the ownership and permissions on the setuid

     

       113
       -
               wrappers for specific programs to be overridden from the

     

       114
       -
               default (setuid root, but not setgid root).

     

       115
       -
       

     

       116
       -
               <note>

     

       117
       -
                 <para>The sub-attribute <literal>source</literal> is mandatory,

     

       118
       -
                 it must be the absolute path to the program to be wrapped.

     

       119
       -
                 </para>

     

       120
       -
       

     

       121
       -
                 <para>The sub-attribute <literal>program</literal> is optional and

     

       122
       -
                 can give the wrapper program a new name. The default name is the same

     

       123
       -
                 as the attribute name itself.</para>

     

       124
       -
       

     

       125
       -
                 <para>Additionally, this option can set capabilities on a

     

       126
       -
                 wrapper program that propagates those capabilities down to the

     

       127
       -
                 wrapped, real program.</para>

     

       128
       -
       

     

       129
       -
                 <para>NOTE: cap_setpcap, which is required for the wrapper

     

       130
       -
                 program to be able to raise caps into the Ambient set is NOT

     

       131
       -
                 raised to the Ambient set so that the real program cannot

     

       132
       -
                 modify its own capabilities!! This may be too restrictive for

     

       133
       -
                 cases in which the real program needs cap_setpcap but it at

     

       134
       -
                 least leans on the side security paranoid vs. too

     

       135
       -
                 relaxed.</para>

     

       136
       -
               </note>

     

       137
        
             '';

     

       138
        
           };

     

       139
        
       

     
···

       151
        
         ###### implementation

     

       152
        
         config = {

     

       153
        
       

     

       154
       -
           security.wrappers = {

     

       155
       -
             # These are mount related wrappers that require the +s permission.

     

       156
       -
             fusermount.source = "${pkgs.fuse}/bin/fusermount";

     

       157
       -
             fusermount3.source = "${pkgs.fuse3}/bin/fusermount3";

     

       158
       -
             mount.source = "${lib.getBin pkgs.util-linux}/bin/mount";

     

       159
       -
             umount.source = "${lib.getBin pkgs.util-linux}/bin/umount";

     

       160
       -
           };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       161
        
       

     

       162
        
           boot.specialFileSystems.${parentWrapperDir} = {

     

       163
        
             fsType = "tmpfs";

     
···

       179
        
             ]}"

     

       180
        
           '';

     

       181
        
       

     

       182
       -
           ###### setcap activation script

     

       183
        
           system.activationScripts.wrappers =

     

       184
        
             lib.stringAfter [ "specialfs" "users" ]

     

       185
        
               ''

     

       186
       -
                 # Look in the system path and in the default profile for

     

       187
       -
                 # programs to be wrapped.

     

       188
       -
                 WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin

     

       189
       -
       

     

       190
        
                 chmod 755 "${parentWrapperDir}"

     

       191
        
       

     

       192
        
                 # We want to place the tmpdirs for the wrappers to the parent dir.

     

       193
        
                 wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)

     

       194
       -
                 chmod a+rx $wrapperDir

     

       195
        
       

     

       196
        
                 ${lib.concatStringsSep "\n" mkWrappedPrograms}

     

       197
        
       

     
···

       199
        
                   # Atomically replace the symlink

     

       200
        
                   # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/

     

       201
        
                   old=$(readlink -f ${wrapperDir})

     

       202
       -
                   if [ -e ${wrapperDir}-tmp ]; then

     

       203
       -
                     rm --force --recursive ${wrapperDir}-tmp

     

       204
        
                   fi

     

       205
       -
                   ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp

     

       206
       -
                   mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}

     

       207
       -
                   rm --force --recursive $old

     

       208
        
                 else

     

       209
        
                   # For initial setup

     

       210
       -
                   ln --symbolic $wrapperDir ${wrapperDir}

     

       211
        
                 fi

     

       212
        
               '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       213
        
         };

     

       214
        
       }

···

       5
        
       

     

       6
        
         parentWrapperDir = dirOf wrapperDir;

     

       7
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       8
        
         securityWrapper = pkgs.callPackage ./wrapper.nix {

     

       9
        
           inherit parentWrapperDir;

     

       10
        
         };

     

       11
        
       

     

       12
       +
         fileModeType =

     

       13
       +
           let

     

       14
       +
             # taken from the chmod(1) man page

     

       15
       +
             symbolic = "[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+";

     

       16
       +
             numeric = "[-+=]?[0-7]{0,4}";

     

       17
       +
             mode = "((${symbolic})(,${symbolic})*)|(${numeric})";

     

       18
       +
           in

     

       19
       +
            lib.types.strMatching mode

     

       20
       +
            // { description = "file mode string"; };

     

       21
       +
       

     

       22
       +
         wrapperType = lib.types.submodule ({ name, config, ... }: {

     

       23
       +
           options.source = lib.mkOption

     

       24
       +
             { type = lib.types.path;

     

       25
       +
               description = "The absolute path to the program to be wrapped.";

     

       26
       +
             };

     

       27
       +
           options.program = lib.mkOption

     

       28
       +
             { type = with lib.types; nullOr str;

     

       29
       +
               default = name;

     

       30
       +
               description = ''

     

       31
       +
                 The name of the wrapper program. Defaults to the attribute name.

     

       32
       +
               '';

     

       33
       +
             };

     

       34
       +
           options.owner = lib.mkOption

     

       35
       +
             { type = lib.types.str;

     

       36
       +
               description = "The owner of the wrapper program.";

     

       37
       +
             };

     

       38
       +
           options.group = lib.mkOption

     

       39
       +
             { type = lib.types.str;

     

       40
       +
               description = "The group of the wrapper program.";

     

       41
       +
             };

     

       42
       +
           options.permissions = lib.mkOption

     

       43
       +
             { type = fileModeType;

     

       44
       +
               default  = "u+rx,g+x,o+x";

     

       45
       +
               example = "a+rx";

     

       46
       +
               description = ''

     

       47
       +
                 The permissions of the wrapper program. The format is that of a

     

       48
       +
                 symbolic or numeric file mode understood by <command>chmod</command>.

     

       49
       +
               '';

     

       50
       +
             };

     

       51
       +
           options.capabilities = lib.mkOption

     

       52
       +
             { type = lib.types.commas;

     

       53
       +
               default = "";

     

       54
       +
               description = ''

     

       55
       +
                 A comma-separated list of capabilities to be given to the wrapper

     

       56
       +
                 program. For capabilities supported by the system check the

     

       57
       +
                 <citerefentry>

     

       58
       +
                   <refentrytitle>capabilities</refentrytitle>

     

       59
       +
                   <manvolnum>7</manvolnum>

     

       60
       +
                 </citerefentry>

     

       61
       +
                 manual page.

     

       62
       +
       

     

       63
       +
                 <note><para>

     

       64
       +
                   <literal>cap_setpcap</literal>, which is required for the wrapper

     

       65
       +
                   program to be able to raise caps into the Ambient set is NOT raised

     

       66
       +
                   to the Ambient set so that the real program cannot modify its own

     

       67
       +
                   capabilities!! This may be too restrictive for cases in which the

     

       68
       +
                   real program needs cap_setpcap but it at least leans on the side

     

       69
       +
                   security paranoid vs. too relaxed.

     

       70
       +
                 </para></note>

     

       71
       +
               '';

     

       72
       +
             };

     

       73
       +
           options.setuid = lib.mkOption

     

       74
       +
             { type = lib.types.bool;

     

       75
       +
               default = false;

     

       76
       +
               description = "Whether to add the setuid bit the wrapper program.";

     

       77
       +
             };

     

       78
       +
           options.setgid = lib.mkOption

     

       79
       +
             { type = lib.types.bool;

     

       80
       +
               default = false;

     

       81
       +
               description = "Whether to add the setgid bit the wrapper program.";

     

       82
       +
             };

     

       83
       +
         });

     

       84
       +
       

     

       85
        
         ###### Activation script for the setcap wrappers

     

       86
        
         mkSetcapProgram =

     

       87
        
           { program

     

       88
        
           , capabilities

     

       89
        
           , source

     

       90
       +
           , owner

     

       91
       +
           , group

     

       92
       +
           , permissions

     

       93
        
           , ...

     

       94
        
           }:

     

       95
        
           assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");

     

       96
        
           ''

     

       97
       +
             cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}"

     

       98
       +
             echo -n "${source}" > "$wrapperDir/${program}.real"

     

       99
        
       

     

       100
        
             # Prevent races

     

       101
       +
             chmod 0000 "$wrapperDir/${program}"

     

       102
       +
             chown ${owner}.${group} "$wrapperDir/${program}"

     

       103
        
       

     

       104
        
             # Set desired capabilities on the file plus cap_setpcap so

     

       105
        
             # the wrapper program can elevate the capabilities set on

     

       106
        
             # its file into the Ambient set.

     

       107
       +
             ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" "$wrapperDir/${program}"

     

       108
        
       

     

       109
        
             # Set the executable bit

     

       110
       +
             chmod ${permissions} "$wrapperDir/${program}"

     

       111
        
           '';

     

       112
        
       

     

       113
        
         ###### Activation script for the setuid wrappers

     

       114
        
         mkSetuidProgram =

     

       115
        
           { program

     

       116
        
           , source

     

       117
       +
           , owner

     

       118
       +
           , group

     

       119
       +
           , setuid

     

       120
       +
           , setgid

     

       121
       +
           , permissions

     

       122
        
           , ...

     

       123
        
           }:

     

       124
        
           ''

     

       125
       +
             cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}"

     

       126
       +
             echo -n "${source}" > "$wrapperDir/${program}.real"

     

       127
        
       

     

       128
        
             # Prevent races

     

       129
       +
             chmod 0000 "$wrapperDir/${program}"

     

       130
       +
             chown ${owner}.${group} "$wrapperDir/${program}"

     

       131
        
       

     

       132
       +
             chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" "$wrapperDir/${program}"

     

       133
        
           '';

     

       134
        
       

     

       135
        
         mkWrappedPrograms =

     

       136
        
           builtins.map

     

       137
       +
             (opts:

     

       138
       +
               if opts.capabilities != ""

     

       139
       +
               then mkSetcapProgram opts

     

       140
       +
               else mkSetuidProgram opts

     

       141
       +
             ) (lib.attrValues wrappers);

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       142
        
       in

     

       143
        
       {

     

       144
        
         imports = [

     
···

       150
        
       

     

       151
        
         options = {

     

       152
        
           security.wrappers = lib.mkOption {

     

       153
       +
             type = lib.types.attrsOf wrapperType;

     

       154
        
             default = {};

     

       155
        
             example = lib.literalExample

     

       156
        
               ''

     

       157
       +
                 {

     

       158
       +
                   # a setuid root program

     

       159
       +
                   doas =

     

       160
       +
                     { setuid = true;

     

       161
       +
                       owner = "root";

     

       162
       +
                       group = "root";

     

       163
       +
                       source = "''${pkgs.doas}/bin/doas";

     

       164
       +
                     };

     

       165
       +
       

     

       166
       +
                   # a setgid program

     

       167
       +
                   locate =

     

       168
       +
                     { setgid = true;

     

       169
       +
                       owner = "root";

     

       170
       +
                       group = "mlocate";

     

       171
       +
                       source = "''${pkgs.locate}/bin/locate";

     

       172
       +
                     };

     

       173
       +
       

     

       174
       +
                   # a program with the CAP_NET_RAW capability

     

       175
       +
                   ping =

     

       176
       +
                     { owner = "root";

     

       177
       +
                       group = "root";

     

       178
       +
                       capabilities = "cap_net_raw+ep";

     

       179
       +
                       source = "''${pkgs.iputils.out}/bin/ping";

     

       180
       +
                     };

     

       181
        
                 }

     

       182
        
               '';

     

       183
        
             description = ''

     

       184
       +
               This option effectively allows adding setuid/setgid bits, capabilities,

     

       185
       +
               changing file ownership and permissions of a program without directly

     

       186
       +
               modifying it. This works by creating a wrapper program under the

     

       187
       +
               <option>security.wrapperDir</option> directory, which is then added to

     

       188
       +
               the shell <literal>PATH</literal>.

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       189
        
             '';

     

       190
        
           };

     

       191
        
       

     
···

       203
        
         ###### implementation

     

       204
        
         config = {

     

       205
        
       

     

       206
       +
           assertions = lib.mapAttrsToList

     

       207
       +
             (name: opts:

     

       208
       +
               { assertion = opts.setuid || opts.setgid -> opts.capabilities == "";

     

       209
       +
                 message = ''

     

       210
       +
                   The security.wrappers.${name} wrapper is not valid:

     

       211
       +
                       setuid/setgid and capabilities are mutually exclusive.

     

       212
       +
                 '';

     

       213
       +
               }

     

       214
       +
             ) wrappers;

     

       215
       +
       

     

       216
       +
           security.wrappers =

     

       217
       +
             let

     

       218
       +
               mkSetuidRoot = source:

     

       219
       +
                 { setuid = true;

     

       220
       +
                   owner = "root";

     

       221
       +
                   group = "root";

     

       222
       +
                   inherit source;

     

       223
       +
                 };

     

       224
       +
             in

     

       225
       +
             { # These are mount related wrappers that require the +s permission.

     

       226
       +
               fusermount  = mkSetuidRoot "${pkgs.fuse}/bin/fusermount";

     

       227
       +
               fusermount3 = mkSetuidRoot "${pkgs.fuse3}/bin/fusermount3";

     

       228
       +
               mount  = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";

     

       229
       +
               umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";

     

       230
       +
             };

     

       231
        
       

     

       232
        
           boot.specialFileSystems.${parentWrapperDir} = {

     

       233
        
             fsType = "tmpfs";

     
···

       249
        
             ]}"

     

       250
        
           '';

     

       251
        
       

     

       252
       +
           ###### wrappers activation script

     

       253
        
           system.activationScripts.wrappers =

     

       254
        
             lib.stringAfter [ "specialfs" "users" ]

     

       255
        
               ''

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       256
        
                 chmod 755 "${parentWrapperDir}"

     

       257
        
       

     

       258
        
                 # We want to place the tmpdirs for the wrappers to the parent dir.

     

       259
        
                 wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)

     

       260
       +
                 chmod a+rx "$wrapperDir"

     

       261
        
       

     

       262
        
                 ${lib.concatStringsSep "\n" mkWrappedPrograms}

     

       263
        
       

     
···

       265
        
                   # Atomically replace the symlink

     

       266
        
                   # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/

     

       267
        
                   old=$(readlink -f ${wrapperDir})

     

       268
       +
                   if [ -e "${wrapperDir}-tmp" ]; then

     

       269
       +
                     rm --force --recursive "${wrapperDir}-tmp"

     

       270
        
                   fi

     

       271
       +
                   ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp"

     

       272
       +
                   mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}"

     

       273
       +
                   rm --force --recursive "$old"

     

       274
        
                 else

     

       275
        
                   # For initial setup

     

       276
       +
                   ln --symbolic "$wrapperDir" "${wrapperDir}"

     

       277
        
                 fi

     

       278
        
               '';

     

       279
       +
       

     

       280
       +
           ###### wrappers consistency checks

     

       281
       +
           system.extraDependencies = lib.singleton (pkgs.runCommandLocal

     

       282
       +
             "ensure-all-wrappers-paths-exist" { }

     

       283
       +
             ''

     

       284
       +
               # make sure we produce output

     

       285
       +
               mkdir -p $out

     

       286
       +
       

     

       287
       +
               echo -n "Checking that Nix store paths of all wrapped programs exist... "

     

       288
       +
       

     

       289
       +
               declare -A wrappers

     

       290
       +
               ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v:

     

       291
       +
                 "wrappers['${n}']='${v.source}'") wrappers)}

     

       292
       +
       

     

       293
       +
               for name in "''${!wrappers[@]}"; do

     

       294
       +
                 path="''${wrappers[$name]}"

     

       295
       +
                 if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then

     

       296
       +
                   test -t 1 && echo -ne '\033[1;31m'

     

       297
       +
                   echo "FAIL"

     

       298
       +
                   echo "The path $path does not exist!"

     

       299
       +
                   echo 'Please, check the value of `security.wrappers."'$name'".source`.'

     

       300
       +
                   test -t 1 && echo -ne '\033[0m'

     

       301
       +
                   exit 1

     

       302
       +
                 fi

     

       303
       +
               done

     

       304
       +
       

     

       305
       +
               echo "OK"

     

       306
       +
             '');

     

       307
        
         };

     

       308
        
       }

+3 -1

nixos/modules/services/desktops/gnome/gnome-keyring.nix

···

       52
        
           security.pam.services.login.enableGnomeKeyring = true;

     

       53
        
       

     

       54
        
           security.wrappers.gnome-keyring-daemon = {

     

       55
       -
             source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";

     

       0
        
       
     

       56
        
             capabilities = "cap_ipc_lock=ep";

     

       0
        
       
     

       57
        
           };

     

       58
        
       

     

       59
        
         };

···

       52
        
           security.pam.services.login.enableGnomeKeyring = true;

     

       53
        
       

     

       54
        
           security.wrappers.gnome-keyring-daemon = {

     

       55
       +
             owner = "root";

     

       56
       +
             group = "root";

     

       57
        
             capabilities = "cap_ipc_lock=ep";

     

       58
       +
             source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";

     

       59
        
           };

     

       60
        
       

     

       61
        
         };

+6 -1

nixos/modules/services/mail/exim.nix

···

       104
        
             gid = config.ids.gids.exim;

     

       105
        
           };

     

       106
        
       

     

       107
       -
           security.wrappers.exim.source = "${cfg.package}/bin/exim";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       108
        
       

     

       109
        
           systemd.services.exim = {

     

       110
        
             description = "Exim Mail Daemon";

···

       104
        
             gid = config.ids.gids.exim;

     

       105
        
           };

     

       106
        
       

     

       107
       +
           security.wrappers.exim =

     

       108
       +
             { setuid = true;

     

       109
       +
               owner = "root";

     

       110
       +
               group = "root";

     

       111
       +
               source = "${cfg.package}/bin/exim";

     

       112
       +
             };

     

       113
        
       

     

       114
        
           systemd.services.exim = {

     

       115
        
             description = "Exim Mail Daemon";

+2 -1

nixos/modules/services/mail/mail.nix

···

       1
       -
       { config, lib, ... }:

     

       2
        
       

     

       3
        
       with lib;

     

       4
        
       

     
···

       11
        
           services.mail = {

     

       12
        
       

     

       13
        
             sendmailSetuidWrapper = mkOption {

     

       0
        
       
     

       14
        
               default = null;

     

       15
        
               internal = true;

     

       16
        
               description = ''

···

       1
       +
       { config, options, lib, ... }:

     

       2
        
       

     

       3
        
       with lib;

     

       4
        
       

     
···

       11
        
           services.mail = {

     

       12
        
       

     

       13
        
             sendmailSetuidWrapper = mkOption {

     

       14
       +
               type = types.nullOr options.security.wrappers.type.nestedTypes.elemType;

     

       15
        
               default = null;

     

       16
        
               internal = true;

     

       17
        
               description = ''

+4 -1

nixos/modules/services/mail/opensmtpd.nix

···

       103
        
           };

     

       104
        
       

     

       105
        
           security.wrappers.smtpctl = {

     

       0
        
       
     

       106
        
             group = "smtpq";

     

       0
        
       
     

       107
        
             setgid = true;

     

       108
        
             source = "${cfg.package}/bin/smtpctl";

     

       109
        
           };

     

       110
        
       

     

       111
       -
           services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail security.wrappers.smtpctl;

     

       0
        
       
     

       112
        
       

     

       113
        
           systemd.tmpfiles.rules = [

     

       114
        
             "d /var/spool/smtpd 711 root - - -"

···

       103
        
           };

     

       104
        
       

     

       105
        
           security.wrappers.smtpctl = {

     

       106
       +
             owner = "nobody";

     

       107
        
             group = "smtpq";

     

       108
       +
             setuid = false;

     

       109
        
             setgid = true;

     

       110
        
             source = "${cfg.package}/bin/smtpctl";

     

       111
        
           };

     

       112
        
       

     

       113
       +
           services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail

     

       114
       +
             security.wrappers.smtpctl // { program = "sendmail"; };

     

       115
        
       

     

       116
        
           systemd.tmpfiles.rules = [

     

       117
        
             "d /var/spool/smtpd 711 root - - -"

+4

nixos/modules/services/mail/postfix.nix

···

       673
        
             services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {

     

       674
        
               program = "sendmail";

     

       675
        
               source = "${pkgs.postfix}/bin/sendmail";

     

       0
        
       
     

       676
        
               group = setgidGroup;

     

       677
        
               setuid = false;

     

       678
        
               setgid = true;

     
···

       681
        
             security.wrappers.mailq = {

     

       682
        
               program = "mailq";

     

       683
        
               source = "${pkgs.postfix}/bin/mailq";

     

       0
        
       
     

       684
        
               group = setgidGroup;

     

       685
        
               setuid = false;

     

       686
        
               setgid = true;

     
···

       689
        
             security.wrappers.postqueue = {

     

       690
        
               program = "postqueue";

     

       691
        
               source = "${pkgs.postfix}/bin/postqueue";

     

       0
        
       
     

       692
        
               group = setgidGroup;

     

       693
        
               setuid = false;

     

       694
        
               setgid = true;

     
···

       697
        
             security.wrappers.postdrop = {

     

       698
        
               program = "postdrop";

     

       699
        
               source = "${pkgs.postfix}/bin/postdrop";

     

       0
        
       
     

       700
        
               group = setgidGroup;

     

       701
        
               setuid = false;

     

       702
        
               setgid = true;

···

       673
        
             services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {

     

       674
        
               program = "sendmail";

     

       675
        
               source = "${pkgs.postfix}/bin/sendmail";

     

       676
       +
               owner = "nobody";

     

       677
        
               group = setgidGroup;

     

       678
        
               setuid = false;

     

       679
        
               setgid = true;

     
···

       682
        
             security.wrappers.mailq = {

     

       683
        
               program = "mailq";

     

       684
        
               source = "${pkgs.postfix}/bin/mailq";

     

       685
       +
               owner = "nobody";

     

       686
        
               group = setgidGroup;

     

       687
        
               setuid = false;

     

       688
        
               setgid = true;

     
···

       691
        
             security.wrappers.postqueue = {

     

       692
        
               program = "postqueue";

     

       693
        
               source = "${pkgs.postfix}/bin/postqueue";

     

       694
       +
               owner = "nobody";

     

       695
        
               group = setgidGroup;

     

       696
        
               setuid = false;

     

       697
        
               setgid = true;

     
···

       700
        
             security.wrappers.postdrop = {

     

       701
        
               program = "postdrop";

     

       702
        
               source = "${pkgs.postfix}/bin/postdrop";

     

       703
       +
               owner = "nobody";

     

       704
        
               group = setgidGroup;

     

       705
        
               setuid = false;

     

       706
        
               setgid = true;

+3 -1

nixos/modules/services/misc/mame.nix

···

       45
        
           environment.systemPackages = [ pkgs.mame ];

     

       46
        
       

     

       47
        
           security.wrappers."${mame}" = {

     

       48
       -
             source = "${pkgs.mame}/bin/${mame}";

     

       0
        
       
     

       49
        
             capabilities = "cap_net_admin,cap_net_raw+eip";

     

       0
        
       
     

       50
        
           };

     

       51
        
       

     

       52
        
           systemd.services.mame = {

···

       45
        
           environment.systemPackages = [ pkgs.mame ];

     

       46
        
       

     

       47
        
           security.wrappers."${mame}" = {

     

       48
       +
             owner = "root";

     

       49
       +
             group = "root";

     

       50
        
             capabilities = "cap_net_admin,cap_net_raw+eip";

     

       51
       +
             source = "${pkgs.mame}/bin/${mame}";

     

       52
        
           };

     

       53
        
       

     

       54
        
           systemd.services.mame = {

+6 -1

nixos/modules/services/misc/weechat.nix

···

       52
        
             wants = [ "network.target" ];

     

       53
        
           };

     

       54
        
       

     

       55
       -
           security.wrappers.screen.source = "${pkgs.screen}/bin/screen";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       56
        
         };

     

       57
        
       

     

       58
        
         meta.doc = ./weechat.xml;

···

       52
        
             wants = [ "network.target" ];

     

       53
        
           };

     

       54
        
       

     

       55
       +
           security.wrappers.screen =

     

       56
       +
             { setuid = true;

     

       57
       +
               owner = "root";

     

       58
       +
               group = "root";

     

       59
       +
               source = "${pkgs.screen}/bin/screen";

     

       60
       +
             };

     

       61
        
         };

     

       62
        
       

     

       63
        
         meta.doc = ./weechat.xml;

+6 -1

nixos/modules/services/monitoring/incron.nix

···

       71
        
       

     

       72
        
           environment.systemPackages = [ pkgs.incron ];

     

       73
        
       

     

       74
       -
           security.wrappers.incrontab.source = "${pkgs.incron}/bin/incrontab";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       75
        
       

     

       76
        
           # incron won't read symlinks

     

       77
        
           environment.etc."incron.d/system" = {

···

       71
        
       

     

       72
        
           environment.systemPackages = [ pkgs.incron ];

     

       73
        
       

     

       74
       +
           security.wrappers.incrontab =

     

       75
       +
           { setuid = true;

     

       76
       +
             owner = "root";

     

       77
       +
             group = "root";

     

       78
       +
             source = "${pkgs.incron}/bin/incrontab";

     

       79
       +
           };

     

       80
        
       

     

       81
        
           # incron won't read symlinks

     

       82
        
           environment.etc."incron.d/system" = {

+6 -1

nixos/modules/services/monitoring/zabbix-proxy.nix

···

       262
        
           };

     

       263
        
       

     

       264
        
           security.wrappers = {

     

       265
       -
             fping.source = "${pkgs.fping}/bin/fping";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       266
        
           };

     

       267
        
       

     

       268
        
           systemd.services.zabbix-proxy = {

···

       262
        
           };

     

       263
        
       

     

       264
        
           security.wrappers = {

     

       265
       +
             fping =

     

       266
       +
               { setuid = true;

     

       267
       +
                 owner = "root";

     

       268
       +
                 group = "root";

     

       269
       +
                 source = "${pkgs.fping}/bin/fping";

     

       270
       +
               };

     

       271
        
           };

     

       272
        
       

     

       273
        
           systemd.services.zabbix-proxy = {

+12 -2

nixos/modules/services/networking/smokeping.nix

···

       278
        
             }

     

       279
        
           ];

     

       280
        
           security.wrappers = {

     

       281
       -
             fping.source = "${pkgs.fping}/bin/fping";

     

       282
       -
             fping6.source = "${pkgs.fping}/bin/fping6";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       283
        
           };

     

       284
        
           environment.systemPackages = [ pkgs.fping ];

     

       285
        
           users.users.${cfg.user} = {

···

       278
        
             }

     

       279
        
           ];

     

       280
        
           security.wrappers = {

     

       281
       +
             fping =

     

       282
       +
               { setuid = true;

     

       283
       +
                 owner = "root";

     

       284
       +
                 group = "root";

     

       285
       +
                 source = "${pkgs.fping}/bin/fping";

     

       286
       +
               };

     

       287
       +
             fping6 =

     

       288
       +
               { setuid = true;

     

       289
       +
                 owner = "root";

     

       290
       +
                 group = "root";

     

       291
       +
                 source = "${pkgs.fping}/bin/fping6";

     

       292
       +
               };

     

       293
        
           };

     

       294
        
           environment.systemPackages = [ pkgs.fping ];

     

       295
        
           users.users.${cfg.user} = {

+2

nixos/modules/services/networking/x2goserver.nix

···

       88
        
             source = "${pkgs.x2goserver}/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl";

     

       89
        
             owner = "x2go";

     

       90
        
             group = "x2go";

     

       0
        
       
     

       91
        
             setgid = true;

     

       92
        
           };

     

       93
        
           security.wrappers.x2goprintWrapper = {

     

       94
        
             source = "${pkgs.x2goserver}/bin/x2goprint";

     

       95
        
             owner = "x2go";

     

       96
        
             group = "x2go";

     

       0
        
       
     

       97
        
             setgid = true;

     

       98
        
           };

     

       99

···

       88
        
             source = "${pkgs.x2goserver}/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl";

     

       89
        
             owner = "x2go";

     

       90
        
             group = "x2go";

     

       91
       +
             setuid = false;

     

       92
        
             setgid = true;

     

       93
        
           };

     

       94
        
           security.wrappers.x2goprintWrapper = {

     

       95
        
             source = "${pkgs.x2goserver}/bin/x2goprint";

     

       96
        
             owner = "x2go";

     

       97
        
             group = "x2go";

     

       98
       +
             setuid = false;

     

       99
        
             setgid = true;

     

       100
        
           };

     

       101

+6 -1

nixos/modules/services/scheduling/cron.nix

···

       93
        
       

     

       94
        
           { services.cron.enable = mkDefault (allFiles != []); }

     

       95
        
           (mkIf (config.services.cron.enable) {

     

       96
       -
             security.wrappers.crontab.source = "${cronNixosPkg}/bin/crontab";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       97
        
             environment.systemPackages = [ cronNixosPkg ];

     

       98
        
             environment.etc.crontab =

     

       99
        
               { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }

···

       93
        
       

     

       94
        
           { services.cron.enable = mkDefault (allFiles != []); }

     

       95
        
           (mkIf (config.services.cron.enable) {

     

       96
       +
             security.wrappers.crontab =

     

       97
       +
               { setuid = true;

     

       98
       +
                 owner = "root";

     

       99
       +
                 group = "root";

     

       100
       +
                 source = "${cronNixosPkg}/bin/crontab";

     

       101
       +
               };

     

       102
        
             environment.systemPackages = [ cronNixosPkg ];

     

       103
        
             environment.etc.crontab =

     

       104
        
               { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }

+3

nixos/modules/services/scheduling/fcron.nix

···

       136
        
               owner = "fcron";

     

       137
        
               group = "fcron";

     

       138
        
               setgid = true;

     

       0
        
       
     

       139
        
             };

     

       140
        
             fcronsighup = {

     

       141
        
               source = "${pkgs.fcron}/bin/fcronsighup";

     

       0
        
       
     

       142
        
               group = "fcron";

     

       0
        
       
     

       143
        
             };

     

       144
        
           };

     

       145
        
           systemd.services.fcron = {

···

       136
        
               owner = "fcron";

     

       137
        
               group = "fcron";

     

       138
        
               setgid = true;

     

       139
       +
               setuid = false;

     

       140
        
             };

     

       141
        
             fcronsighup = {

     

       142
        
               source = "${pkgs.fcron}/bin/fcronsighup";

     

       143
       +
               owner = "root";

     

       144
        
               group = "fcron";

     

       145
       +
               setuid = true;

     

       146
        
             };

     

       147
        
           };

     

       148
        
           systemd.services.fcron = {

+3 -1

nixos/modules/services/video/replay-sorcery.nix

···

       44
        
       

     

       45
        
           security.wrappers = mkIf cfg.enableSysAdminCapability {

     

       46
        
             replay-sorcery = {

     

       47
       -
               source = "${pkgs.replay-sorcery}/bin/replay-sorcery";

     

       0
        
       
     

       48
        
               capabilities = "cap_sys_admin+ep";

     

       0
        
       
     

       49
        
             };

     

       50
        
           };

     

       51

···

       44
        
       

     

       45
        
           security.wrappers = mkIf cfg.enableSysAdminCapability {

     

       46
        
             replay-sorcery = {

     

       47
       +
               owner = "root";

     

       48
       +
               group = "root";

     

       49
        
               capabilities = "cap_sys_admin+ep";

     

       50
       +
               source = "${pkgs.replay-sorcery}/bin/replay-sorcery";

     

       51
        
             };

     

       52
        
           };

     

       53

+3 -2

nixos/modules/services/x11/desktop-managers/cde.nix

···

       49
        
           users.groups.mail = {};

     

       50
        
           security.wrappers = {

     

       51
        
             dtmail = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       52
        
               source = "${pkgs.cdesktopenv}/bin/dtmail";

     

       53
       -
               group = "mail";

     

       54
       -
               setgid = true;

     

       55
        
             };

     

       56
        
           };

     

       57

···

       49
        
           users.groups.mail = {};

     

       50
        
           security.wrappers = {

     

       51
        
             dtmail = {

     

       52
       +
               setgid = true;

     

       53
       +
               owner = "nobody";

     

       54
       +
               group = "mail";

     

       55
        
               source = "${pkgs.cdesktopenv}/bin/dtmail";

     

       0
        
       
     

       0
        
       
     

       56
        
             };

     

       57
        
           };

     

       58

+18 -3

nixos/modules/services/x11/desktop-managers/enlightenment.nix

···

       65
        
       

     

       66
        
           # Wrappers for programs installed by enlightenment that should be setuid

     

       67
        
           security.wrappers = {

     

       68
       -
             enlightenment_ckpasswd.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";

     

       69
       -
             enlightenment_sys.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";

     

       70
       -
             enlightenment_system.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       71
        
           };

     

       72
        
       

     

       73
        
           environment.etc."X11/xkb".source = xcfg.xkbDir;

···

       65
        
       

     

       66
        
           # Wrappers for programs installed by enlightenment that should be setuid

     

       67
        
           security.wrappers = {

     

       68
       +
             enlightenment_ckpasswd =

     

       69
       +
               { setuid = true;

     

       70
       +
                 owner = "root";

     

       71
       +
                 group = "root";

     

       72
       +
                 source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";

     

       73
       +
               };

     

       74
       +
             enlightenment_sys =

     

       75
       +
               { setuid = true;

     

       76
       +
                 owner = "root";

     

       77
       +
                 group = "root";

     

       78
       +
                 source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";

     

       79
       +
               };

     

       80
       +
             enlightenment_system =

     

       81
       +
               { setuid = true;

     

       82
       +
                 owner = "root";

     

       83
       +
                 group = "root";

     

       84
       +
                 source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";

     

       85
       +
               };

     

       86
        
           };

     

       87
        
       

     

       88
        
           environment.etc."X11/xkb".source = xcfg.xkbDir;

+18 -6

nixos/modules/services/x11/desktop-managers/plasma5.nix

···

       197
        
             };

     

       198
        
       

     

       199
        
             security.wrappers = {

     

       200
       -
               kcheckpass.source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";

     

       201
       -
               start_kdeinit.source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";

     

       202
       -
               kwin_wayland = {

     

       203
       -
                 source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";

     

       204
       -
                 capabilities = "cap_sys_nice+ep";

     

       205
       -
               };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       206
        
             };

     

       207
        
       

     

       208
        
             # DDC support

···

       197
        
             };

     

       198
        
       

     

       199
        
             security.wrappers = {

     

       200
       +
               kcheckpass =

     

       201
       +
                 { setuid = true;

     

       202
       +
                   owner = "root";

     

       203
       +
                   group = "root";

     

       204
       +
                   source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";

     

       205
       +
                 };

     

       206
       +
               start_kdeinit =

     

       207
       +
                 { setuid = true;

     

       208
       +
                   owner = "root";

     

       209
       +
                   group = "root";

     

       210
       +
                   source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";

     

       211
       +
                 };

     

       212
       +
               kwin_wayland =

     

       213
       +
                 { owner = "root";

     

       214
       +
                   group = "root";

     

       215
       +
                   capabilities = "cap_sys_nice+ep";

     

       216
       +
                   source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";

     

       217
       +
                 };

     

       218
        
             };

     

       219
        
       

     

       220
        
             # DDC support

+12 -2

nixos/modules/tasks/filesystems/ecryptfs.nix

···

       7
        
         config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) {

     

       8
        
           system.fsPackages = [ pkgs.ecryptfs ];

     

       9
        
           security.wrappers = {

     

       10
       -
             "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";

     

       11
       -
             "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       12
        
           };

     

       13
        
         };

     

       14
        
       }

···

       7
        
         config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) {

     

       8
        
           system.fsPackages = [ pkgs.ecryptfs ];

     

       9
        
           security.wrappers = {

     

       10
       +
             "mount.ecryptfs_private" =

     

       11
       +
               { setuid = true;

     

       12
       +
                 owner = "root";

     

       13
       +
                 group = "root";

     

       14
       +
                 source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";

     

       15
       +
               };

     

       16
       +
             "umount.ecryptfs_private" =

     

       17
       +
               { setuid = true;

     

       18
       +
                 owner = "root";

     

       19
       +
                 group = "root";

     

       20
       +
                 source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";

     

       21
       +
               };

     

       22
        
           };

     

       23
        
         };

     

       24
        
       }

+7 -2

nixos/modules/tasks/network-interfaces.nix

···

       1133
        
           # kernel because we need the ambient capability

     

       1134
        
           security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then {

     

       1135
        
             ping = {

     

       1136
       -
               source  = "${pkgs.iputils.out}/bin/ping";

     

       0
        
       
     

       1137
        
               capabilities = "cap_net_raw+p";

     

       0
        
       
     

       1138
        
             };

     

       1139
        
           } else {

     

       1140
       -
             ping.source = "${pkgs.iputils.out}/bin/ping";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       1141
        
           };

     

       1142
        
           security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''

     

       1143
        
             /run/wrappers/bin/ping {

···

       1133
        
           # kernel because we need the ambient capability

     

       1134
        
           security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then {

     

       1135
        
             ping = {

     

       1136
       +
               owner = "root";

     

       1137
       +
               group = "root";

     

       1138
        
               capabilities = "cap_net_raw+p";

     

       1139
       +
               source = "${pkgs.iputils.out}/bin/ping";

     

       1140
        
             };

     

       1141
        
           } else {

     

       1142
       +
             setuid = true;

     

       1143
       +
             owner = "root";

     

       1144
       +
             group = "root";

     

       1145
       +
             source = "${pkgs.iputils.out}/bin/ping";

     

       1146
        
           };

     

       1147
        
           security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''

     

       1148
        
             /run/wrappers/bin/ping {

+3

nixos/modules/virtualisation/libvirtd.nix

···

       183
        
           };

     

       184
        
       

     

       185
        
           security.wrappers.qemu-bridge-helper = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       186
        
             source = "/run/${dirName}/nix-helpers/qemu-bridge-helper";

     

       187
        
           };

     

       188

···

       183
        
           };

     

       184
        
       

     

       185
        
           security.wrappers.qemu-bridge-helper = {

     

       186
       +
             setuid = true;

     

       187
       +
             owner = "root";

     

       188
       +
             group = "root";

     

       189
        
             source = "/run/${dirName}/nix-helpers/qemu-bridge-helper";

     

       190
        
           };

     

       191

+4 -2

nixos/modules/virtualisation/spice-usb-redirection.nix

···

       14
        
       

     

       15
        
         config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable {

     

       16
        
           environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions

     

       17
       -
           security.wrappers.spice-client-glib-usb-acl-helper ={

     

       18
       -
             source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";

     

       0
        
       
     

       19
        
             capabilities = "cap_fowner+ep";

     

       0
        
       
     

       20
        
           };

     

       21
        
         };

     

       22

···

       14
        
       

     

       15
        
         config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable {

     

       16
        
           environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions

     

       17
       +
           security.wrappers.spice-client-glib-usb-acl-helper = {

     

       18
       +
             owner = "root";

     

       19
       +
             group = "root";

     

       20
        
             capabilities = "cap_fowner+ep";

     

       21
       +
             source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";

     

       22
        
           };

     

       23
        
         };

     

       24