commit fedd7cd6901646cb7e2a94a148d300f7b632d7e0 · pyrox.dev/nixpkgs

+3 -1

nixos/modules/programs/bandwhich.nix

···

       22
       22
        
         config = mkIf cfg.enable {

     

       23
       23
        
           environment.systemPackages = with pkgs; [ bandwhich ];

     

       24
       24
        
           security.wrappers.bandwhich = {

     

       25
       25
       -
             source = "${pkgs.bandwhich}/bin/bandwhich";

     

       25
       25
       +
             owner = "root";

     

       26
       26
       +
             group = "root";

     

       26
       27
        
             capabilities = "cap_net_raw,cap_net_admin+ep";

     

       28
       28
       +
             source = "${pkgs.bandwhich}/bin/bandwhich";

     

       27
       29
        
           };

     

       28
       30
        
         };

     

       29
       31
        
       }

+4

nixos/modules/programs/captive-browser.nix

···

       105
       105
        
             );

     

       106
       106
        
       

     

       107
       107
        
           security.wrappers.udhcpc = {

     

       108
       108
       +
             owner = "root";

     

       109
       109
       +
             group = "root";

     

       108
       110
        
             capabilities = "cap_net_raw+p";

     

       109
       111
        
             source = "${pkgs.busybox}/bin/udhcpc";

     

       110
       112
        
           };

     

       111
       113
        
       

     

       112
       114
        
           security.wrappers.captive-browser = {

     

       115
       115
       +
             owner = "root";

     

       116
       116
       +
             group = "root";

     

       113
       117
        
             capabilities = "cap_net_raw+p";

     

       114
       118
        
             source = pkgs.writeShellScript "captive-browser" ''

     

       115
       119
        
               export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"

+6 -1

nixos/modules/programs/firejail.nix

···

       81
       81
        
         };

     

       82
       82
        
       

     

       83
       83
        
         config = mkIf cfg.enable {

     

       84
       84
       -
           security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";

     

       84
       84
       +
           security.wrappers.firejail =

     

       85
       85
       +
             { setuid = true;

     

       86
       86
       +
               owner = "root";

     

       87
       87
       +
               group = "root";

     

       88
       88
       +
               source = "${lib.getBin pkgs.firejail}/bin/firejail";

     

       89
       89
       +
             };

     

       85
       90
        
       

     

       86
       91
        
           environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ];

     

       87
       92
        
         };

+2

nixos/modules/programs/gamemode.nix

···

       56
       56
        
             polkit.enable = true;

     

       57
       57
        
             wrappers = mkIf cfg.enableRenice {

     

       58
       58
        
               gamemoded = {

     

       59
       59
       +
                 owner = "root";

     

       60
       60
       +
                 group = "root";

     

       59
       61
        
                 source = "${pkgs.gamemode}/bin/gamemoded";

     

       60
       62
        
                 capabilities = "cap_sys_nice+ep";

     

       61
       63
        
               };

+3 -1

nixos/modules/programs/iftop.nix

···

       11
       11
        
         config = mkIf cfg.enable {

     

       12
       12
        
           environment.systemPackages = [ pkgs.iftop ];

     

       13
       13
        
           security.wrappers.iftop = {

     

       14
       14
       -
             source = "${pkgs.iftop}/bin/iftop";

     

       14
       14
       +
             owner = "root";

     

       15
       15
       +
             group = "root";

     

       15
       16
        
             capabilities = "cap_net_raw+p";

     

       17
       17
       +
             source = "${pkgs.iftop}/bin/iftop";

     

       16
       18
        
           };

     

       17
       19
        
         };

     

       18
       20
        
       }

+3 -1

nixos/modules/programs/iotop.nix

···

       10
       10
        
         };

     

       11
       11
        
         config = mkIf cfg.enable {

     

       12
       12
        
           security.wrappers.iotop = {

     

       13
       13
       -
             source = "${pkgs.iotop}/bin/iotop";

     

       13
       13
       +
             owner = "root";

     

       14
       14
       +
             group = "root";

     

       14
       15
        
             capabilities = "cap_net_admin+p";

     

       16
       16
       +
             source = "${pkgs.iotop}/bin/iotop";

     

       15
       17
        
           };

     

       16
       18
        
         };

     

       17
       19
        
       }

+6 -1

nixos/modules/programs/kbdlight.nix

···

       11
       11
        
       

     

       12
       12
        
         config = mkIf cfg.enable {

     

       13
       13
        
           environment.systemPackages = [ pkgs.kbdlight ];

     

       14
       14
       -
           security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight";

     

       14
       14
       +
           security.wrappers.kbdlight =

     

       15
       15
       +
             { setuid = true;

     

       16
       16
       +
               owner = "root";

     

       17
       17
       +
               group = "root";

     

       18
       18
       +
               source = "${pkgs.kbdlight.out}/bin/kbdlight";

     

       19
       19
       +
             };

     

       15
       20
        
         };

     

       16
       21
        
       }

+3 -1

nixos/modules/programs/liboping.nix

···

       13
       13
        
           security.wrappers = mkMerge (map (

     

       14
       14
        
             exec: {

     

       15
       15
        
               "${exec}" = {

     

       16
       16
       -
                 source = "${pkgs.liboping}/bin/${exec}";

     

       16
       16
       +
                 owner = "root";

     

       17
       17
       +
                 group = "root";

     

       17
       18
        
                 capabilities = "cap_net_raw+p";

     

       19
       19
       +
                 source = "${pkgs.liboping}/bin/${exec}";

     

       18
       20
        
               };

     

       19
       21
        
             }

     

       20
       22
        
           ) [ "oping" "noping" ]);

+3 -1

nixos/modules/programs/mtr.nix

···

       31
       31
        
           environment.systemPackages = with pkgs; [ cfg.package ];

     

       32
       32
        
       

     

       33
       33
        
           security.wrappers.mtr-packet = {

     

       34
       34
       -
             source = "${cfg.package}/bin/mtr-packet";

     

       34
       34
       +
             owner = "root";

     

       35
       35
       +
             group = "root";

     

       35
       36
        
             capabilities = "cap_net_raw+p";

     

       37
       37
       +
             source = "${cfg.package}/bin/mtr-packet";

     

       36
       38
        
           };

     

       37
       39
        
         };

     

       38
       40
        
       }

+3 -1

nixos/modules/programs/noisetorch.nix

···

       18
       18
        
       

     

       19
       19
        
         config = mkIf cfg.enable {

     

       20
       20
        
           security.wrappers.noisetorch = {

     

       21
       21
       -
             source = "${cfg.package}/bin/noisetorch";

     

       21
       21
       +
             owner = "root";

     

       22
       22
       +
             group = "root";

     

       22
       23
        
             capabilities = "cap_sys_resource=+ep";

     

       24
       24
       +
             source = "${cfg.package}/bin/noisetorch";

     

       23
       25
        
           };

     

       24
       26
        
         };

     

       25
       27
        
       }

+14 -7

nixos/modules/programs/shadow.nix

···

       43
       43
        
       

     

       44
       44
        
           '';

     

       45
       45
        
       

     

       46
       46
       +
         mkSetuidRoot = source:

     

       47
       47
       +
           { setuid = true;

     

       48
       48
       +
             owner = "root";

     

       49
       49
       +
             group = "root";

     

       50
       50
       +
             inherit source;

     

       51
       51
       +
           };

     

       52
       52
       +
       

     

       46
       53
        
       in

     

       47
       54
        
       

     

       48
       55
        
       {

     
···

       109
       116
        
             };

     

       110
       117
        
       

     

       111
       118
        
           security.wrappers = {

     

       112
       112
       -
             su.source        = "${pkgs.shadow.su}/bin/su";

     

       113
       113
       -
             sg.source        = "${pkgs.shadow.out}/bin/sg";

     

       114
       114
       -
             newgrp.source    = "${pkgs.shadow.out}/bin/newgrp";

     

       115
       115
       -
             newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";

     

       116
       116
       -
             newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";

     

       119
       119
       +
             su        = mkSetuidRoot "${pkgs.shadow.su}/bin/su";

     

       120
       120
       +
             sg        = mkSetuidRoot "${pkgs.shadow.out}/bin/sg";

     

       121
       121
       +
             newgrp    = mkSetuidRoot "${pkgs.shadow.out}/bin/newgrp";

     

       122
       122
       +
             newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap";

     

       123
       123
       +
             newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap";

     

       117
       124
        
           } // lib.optionalAttrs config.users.mutableUsers {

     

       118
       118
       -
             chsh.source      = "${pkgs.shadow.out}/bin/chsh";

     

       119
       119
       -
             passwd.source    = "${pkgs.shadow.out}/bin/passwd";

     

       125
       125
       +
             chsh   = mkSetuidRoot "${pkgs.shadow.out}/bin/chsh";

     

       126
       126
       +
             passwd = mkSetuidRoot "${pkgs.shadow.out}/bin/passwd";

     

       120
       127
        
           };

     

       121
       128
        
         };

     

       122
       129
        
       }

+6 -1

nixos/modules/programs/singularity.nix

···

       16
       16
        
       

     

       17
       17
        
         config = mkIf cfg.enable {

     

       18
       18
        
             environment.systemPackages = [ singularity ];

     

       19
       19
       -
             security.wrappers.singularity-suid.source = "${singularity}/libexec/singularity/bin/starter-suid.orig";

     

       19
       19
       +
             security.wrappers.singularity-suid =

     

       20
       20
       +
             { setuid = true;

     

       21
       21
       +
               owner = "root";

     

       22
       22
       +
               group = "root";

     

       23
       23
       +
               source = "${singularity}/libexec/singularity/bin/starter-suid.orig";

     

       24
       24
       +
             };

     

       20
       25
        
             systemd.tmpfiles.rules = [

     

       21
       26
        
               "d /var/singularity/mnt/session 0770 root root -"

     

       22
       27
        
               "d /var/singularity/mnt/final 0770 root root -"

+6 -1

nixos/modules/programs/slock.nix

···

       21
       21
        
       

     

       22
       22
        
         config = mkIf cfg.enable {

     

       23
       23
        
           environment.systemPackages = [ pkgs.slock ];

     

       24
       24
       -
           security.wrappers.slock.source = "${pkgs.slock.out}/bin/slock";

     

       24
       24
       +
           security.wrappers.slock =

     

       25
       25
       +
             { setuid = true;

     

       26
       26
       +
               owner = "root";

     

       27
       27
       +
               group = "root";

     

       28
       28
       +
               source = "${pkgs.slock.out}/bin/slock";

     

       29
       29
       +
             };

     

       25
       30
        
         };

     

       26
       31
        
       }

+3 -1

nixos/modules/programs/traceroute.nix

···

       19
       19
        
       

     

       20
       20
        
         config = mkIf cfg.enable {

     

       21
       21
        
           security.wrappers.traceroute = {

     

       22
       22
       -
             source = "${pkgs.traceroute}/bin/traceroute";

     

       22
       22
       +
             owner = "root";

     

       23
       23
       +
             group = "root";

     

       23
       24
        
             capabilities = "cap_net_raw+p";

     

       25
       25
       +
             source = "${pkgs.traceroute}/bin/traceroute";

     

       24
       26
        
           };

     

       25
       27
        
         };

     

       26
       28
        
       }

+6 -1

nixos/modules/programs/udevil.nix

···

       9
       9
        
         options.programs.udevil.enable = mkEnableOption "udevil";

     

       10
       10
        
       

     

       11
       11
        
         config = mkIf cfg.enable {

     

       12
       12
       -
           security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil";

     

       12
       12
       +
           security.wrappers.udevil =

     

       13
       13
       +
             { setuid = true;

     

       14
       14
       +
               owner = "root";

     

       15
       15
       +
               group = "root";

     

       16
       16
       +
               source = "${lib.getBin pkgs.udevil}/bin/udevil";

     

       17
       17
       +
             };

     

       13
       18
        
         };

     

       14
       19
        
       }

+3 -1

nixos/modules/programs/wavemon.nix

···

       21
       21
        
         config = mkIf cfg.enable {

     

       22
       22
        
           environment.systemPackages = with pkgs; [ wavemon ];

     

       23
       23
        
           security.wrappers.wavemon = {

     

       24
       24
       -
             source = "${pkgs.wavemon}/bin/wavemon";

     

       24
       24
       +
             owner = "root";

     

       25
       25
       +
             group = "root";

     

       25
       26
        
             capabilities = "cap_net_admin+ep";

     

       27
       27
       +
             source = "${pkgs.wavemon}/bin/wavemon";

     

       26
       28
        
           };

     

       27
       29
        
         };

     

       28
       30
        
       }

+6 -1

nixos/modules/programs/wshowkeys.nix

···

       17
       17
        
         };

     

       18
       18
        
       

     

       19
       19
        
         config = mkIf cfg.enable {

     

       20
       20
       -
           security.wrappers.wshowkeys.source = "${pkgs.wshowkeys}/bin/wshowkeys";

     

       20
       20
       +
           security.wrappers.wshowkeys =

     

       21
       21
       +
             { setuid = true;

     

       22
       22
       +
               owner = "root";

     

       23
       23
       +
               group = "root";

     

       24
       24
       +
               source = "${pkgs.wshowkeys}/bin/wshowkeys";

     

       25
       25
       +
             };

     

       21
       26
        
         };

     

       22
       27
        
       }

+6 -1

nixos/modules/security/chromium-suid-sandbox.nix

···

       28
       28
        
       

     

       29
       29
        
         config = mkIf cfg.enable {

     

       30
       30
        
           environment.systemPackages = [ sandbox ];

     

       31
       31
       -
           security.wrappers.${sandbox.passthru.sandboxExecutableName}.source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";

     

       31
       31
       +
           security.wrappers.${sandbox.passthru.sandboxExecutableName} =

     

       32
       32
       +
             { setuid = true;

     

       33
       33
       +
               owner = "root";

     

       34
       34
       +
               group = "root";

     

       35
       35
       +
               source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";

     

       36
       36
       +
             };

     

       32
       37
        
         };

     

       33
       38
        
       }

+6 -3

nixos/modules/security/doas.nix

···

       241
       241
        
             }

     

       242
       242
        
           ];

     

       243
       243
        
       

     

       244
       244
       -
           security.wrappers = {

     

       245
       245
       -
             doas.source = "${doas}/bin/doas";

     

       246
       246
       -
           };

     

       244
       244
       +
           security.wrappers.doas =

     

       245
       245
       +
             { setuid = true;

     

       246
       246
       +
               owner = "root";

     

       247
       247
       +
               group = "root";

     

       248
       248
       +
               source = "${doas}/bin/doas";

     

       249
       249
       +
             };

     

       247
       250
        
       

     

       248
       251
        
           environment.systemPackages = [

     

       249
       252
        
             doas

+6 -1

nixos/modules/security/duosec.nix

···

       186
       186
        
         config = mkIf (cfg.ssh.enable || cfg.pam.enable) {

     

       187
       187
        
           environment.systemPackages = [ pkgs.duo-unix ];

     

       188
       188
        
       

     

       189
       189
       -
           security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";

     

       189
       189
       +
           security.wrappers.login_duo =

     

       190
       190
       +
             { setuid = true;

     

       191
       191
       +
               owner = "root";

     

       192
       192
       +
               group = "root";

     

       193
       193
       +
               source = "${pkgs.duo-unix.out}/bin/login_duo";

     

       194
       194
       +
             };

     

       190
       195
        
       

     

       191
       196
        
           system.activationScripts = {

     

       192
       197
        
             login_duo = mkIf cfg.ssh.enable ''

+12 -2

nixos/modules/security/pam_usb.nix

···

       32
       32
        
       

     

       33
       33
        
           # Make sure pmount and pumount are setuid wrapped.

     

       34
       34
        
           security.wrappers = {

     

       35
       35
       -
             pmount.source = "${pkgs.pmount.out}/bin/pmount";

     

       36
       36
       -
             pumount.source = "${pkgs.pmount.out}/bin/pumount";

     

       35
       35
       +
             pmount =

     

       36
       36
       +
               { setuid = true;

     

       37
       37
       +
                 owner = "root";

     

       38
       38
       +
                 group = "root";

     

       39
       39
       +
                 source = "${pkgs.pmount.out}/bin/pmount";

     

       40
       40
       +
               };

     

       41
       41
       +
             pumount =

     

       42
       42
       +
               { setuid = true;

     

       43
       43
       +
                 owner = "root";

     

       44
       44
       +
                 group = "root";

     

       45
       45
       +
                 source = "${pkgs.pmount.out}/bin/pumount";

     

       46
       46
       +
               };

     

       37
       47
        
           };

     

       38
       48
        
       

     

       39
       49
        
           environment.systemPackages = [ pkgs.pmount ];

+12 -2

nixos/modules/security/polkit.nix

···

       83
       83
        
           security.pam.services.polkit-1 = {};

     

       84
       84
        
       

     

       85
       85
        
           security.wrappers = {

     

       86
       86
       -
             pkexec.source = "${pkgs.polkit.bin}/bin/pkexec";

     

       87
       87
       -
             polkit-agent-helper-1.source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";

     

       86
       86
       +
             pkexec =

     

       87
       87
       +
               { setuid = true;

     

       88
       88
       +
                 owner = "root";

     

       89
       89
       +
                 group = "root";

     

       90
       90
       +
                 source = "${pkgs.polkit.bin}/bin/pkexec";

     

       91
       91
       +
               };

     

       92
       92
       +
             polkit-agent-helper-1 =

     

       93
       93
       +
               { setuid = true;

     

       94
       94
       +
                 owner = "root";

     

       95
       95
       +
                 group = "root";

     

       96
       96
       +
                 source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";

     

       97
       97
       +
               };

     

       88
       98
        
           };

     

       89
       99
        
       

     

       90
       100
        
           systemd.tmpfiles.rules = [

+40 -17

nixos/modules/security/wrappers/default.nix

···

       33
       33
        
             };

     

       34
       34
        
           options.owner = lib.mkOption

     

       35
       35
        
             { type = lib.types.str;

     

       36
       36
       -
               default = "root";

     

       37
       36
        
               description = "The owner of the wrapper program.";

     

       38
       37
        
             };

     

       39
       38
        
           options.group = lib.mkOption

     

       40
       39
        
             { type = lib.types.str;

     

       41
       41
       -
               default = "root";

     

       42
       40
        
               description = "The group of the wrapper program.";

     

       43
       41
        
             };

     

       44
       42
        
           options.permissions = lib.mkOption

     
···

       74
       72
        
             };

     

       75
       73
        
           options.setuid = lib.mkOption

     

       76
       74
        
             { type = lib.types.bool;

     

       77
       77
       -
               default = true;

     

       75
       75
       +
               default = false;

     

       78
       76
        
               description = "Whether to add the setuid bit the wrapper program.";

     

       79
       77
        
             };

     

       80
       78
        
           options.setgid = lib.mkOption

     
···

       156
       154
        
             default = {};

     

       157
       155
        
             example = lib.literalExample

     

       158
       156
        
               ''

     

       159
       159
       -
                 { sendmail.source = "/nix/store/.../bin/sendmail";

     

       160
       160
       -
                   ping = {

     

       161
       161
       -
                     source  = "${pkgs.iputils.out}/bin/ping";

     

       162
       162
       -
                     owner   = "nobody";

     

       163
       163
       -
                     group   = "nogroup";

     

       164
       164
       -
                     capabilities = "cap_net_raw+ep";

     

       165
       165
       -
                   };

     

       157
       157
       +
                 {

     

       158
       158
       +
                   # a setuid root program

     

       159
       159
       +
                   doas =

     

       160
       160
       +
                     { setuid = true;

     

       161
       161
       +
                       owner = "root";

     

       162
       162
       +
                       group = "root";

     

       163
       163
       +
                       source = "''${pkgs.doas}/bin/doas";

     

       164
       164
       +
                     };

     

       165
       165
       +
       

     

       166
       166
       +
                   # a setgid program

     

       167
       167
       +
                   locate =

     

       168
       168
       +
                     { setgid = true;

     

       169
       169
       +
                       owner = "root";

     

       170
       170
       +
                       group = "mlocate";

     

       171
       171
       +
                       source = "''${pkgs.locate}/bin/locate";

     

       172
       172
       +
                     };

     

       173
       173
       +
       

     

       174
       174
       +
                   # a program with the CAP_NET_RAW capability

     

       175
       175
       +
                   ping =

     

       176
       176
       +
                     { owner = "root";

     

       177
       177
       +
                       group = "root";

     

       178
       178
       +
                       capabilities = "cap_net_raw+ep";

     

       179
       179
       +
                       source = "''${pkgs.iputils.out}/bin/ping";

     

       180
       180
       +
                     };

     

       166
       181
        
                 }

     

       167
       182
        
               '';

     

       168
       183
        
             description = ''

     
···

       198
       213
        
               }

     

       199
       214
        
             ) wrappers;

     

       200
       215
        
       

     

       201
       201
       -
           security.wrappers = {

     

       202
       202
       -
             # These are mount related wrappers that require the +s permission.

     

       203
       203
       -
             fusermount.source = "${pkgs.fuse}/bin/fusermount";

     

       204
       204
       -
             fusermount3.source = "${pkgs.fuse3}/bin/fusermount3";

     

       205
       205
       -
             mount.source = "${lib.getBin pkgs.util-linux}/bin/mount";

     

       206
       206
       -
             umount.source = "${lib.getBin pkgs.util-linux}/bin/umount";

     

       207
       207
       -
           };

     

       216
       216
       +
           security.wrappers =

     

       217
       217
       +
             let

     

       218
       218
       +
               mkSetuidRoot = source:

     

       219
       219
       +
                 { setuid = true;

     

       220
       220
       +
                   owner = "root";

     

       221
       221
       +
                   group = "root";

     

       222
       222
       +
                   inherit source;

     

       223
       223
       +
                 };

     

       224
       224
       +
             in

     

       225
       225
       +
             { # These are mount related wrappers that require the +s permission.

     

       226
       226
       +
               fusermount  = mkSetuidRoot "${pkgs.fuse}/bin/fusermount";

     

       227
       227
       +
               fusermount3 = mkSetuidRoot "${pkgs.fuse3}/bin/fusermount3";

     

       228
       228
       +
               mount  = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";

     

       229
       229
       +
               umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";

     

       230
       230
       +
             };

     

       208
       231
        
       

     

       209
       232
        
           boot.specialFileSystems.${parentWrapperDir} = {

     

       210
       233
        
             fsType = "tmpfs";

+3 -1

nixos/modules/services/desktops/gnome/gnome-keyring.nix

···

       52
       52
        
           security.pam.services.login.enableGnomeKeyring = true;

     

       53
       53
        
       

     

       54
       54
        
           security.wrappers.gnome-keyring-daemon = {

     

       55
       55
       -
             source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";

     

       55
       55
       +
             owner = "root";

     

       56
       56
       +
             group = "root";

     

       56
       57
        
             capabilities = "cap_ipc_lock=ep";

     

       58
       58
       +
             source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";

     

       57
       59
        
           };

     

       58
       60
        
       

     

       59
       61
        
         };

+6 -1

nixos/modules/services/mail/exim.nix

···

       104
       104
        
             gid = config.ids.gids.exim;

     

       105
       105
        
           };

     

       106
       106
        
       

     

       107
       107
       -
           security.wrappers.exim.source = "${cfg.package}/bin/exim";

     

       107
       107
       +
           security.wrappers.exim =

     

       108
       108
       +
             { setuid = true;

     

       109
       109
       +
               owner = "root";

     

       110
       110
       +
               group = "root";

     

       111
       111
       +
               source = "${cfg.package}/bin/exim";

     

       112
       112
       +
             };

     

       108
       113
        
       

     

       109
       114
        
           systemd.services.exim = {

     

       110
       115
        
             description = "Exim Mail Daemon";

+3 -1

nixos/modules/services/misc/mame.nix

···

       45
       45
        
           environment.systemPackages = [ pkgs.mame ];

     

       46
       46
        
       

     

       47
       47
        
           security.wrappers."${mame}" = {

     

       48
       48
       -
             source = "${pkgs.mame}/bin/${mame}";

     

       48
       48
       +
             owner = "root";

     

       49
       49
       +
             group = "root";

     

       49
       50
        
             capabilities = "cap_net_admin,cap_net_raw+eip";

     

       51
       51
       +
             source = "${pkgs.mame}/bin/${mame}";

     

       50
       52
        
           };

     

       51
       53
        
       

     

       52
       54
        
           systemd.services.mame = {

+6 -1

nixos/modules/services/misc/weechat.nix

···

       52
       52
        
             wants = [ "network.target" ];

     

       53
       53
        
           };

     

       54
       54
        
       

     

       55
       55
       -
           security.wrappers.screen.source = "${pkgs.screen}/bin/screen";

     

       55
       55
       +
           security.wrappers.screen =

     

       56
       56
       +
             { setuid = true;

     

       57
       57
       +
               owner = "root";

     

       58
       58
       +
               group = "root";

     

       59
       59
       +
               source = "${pkgs.screen}/bin/screen";

     

       60
       60
       +
             };

     

       56
       61
        
         };

     

       57
       62
        
       

     

       58
       63
        
         meta.doc = ./weechat.xml;

+6 -1

nixos/modules/services/monitoring/incron.nix

···

       71
       71
        
       

     

       72
       72
        
           environment.systemPackages = [ pkgs.incron ];

     

       73
       73
        
       

     

       74
       74
       -
           security.wrappers.incrontab.source = "${pkgs.incron}/bin/incrontab";

     

       74
       74
       +
           security.wrappers.incrontab =

     

       75
       75
       +
           { setuid = true;

     

       76
       76
       +
             owner = "root";

     

       77
       77
       +
             group = "root";

     

       78
       78
       +
             source = "${pkgs.incron}/bin/incrontab";

     

       79
       79
       +
           };

     

       75
       80
        
       

     

       76
       81
        
           # incron won't read symlinks

     

       77
       82
        
           environment.etc."incron.d/system" = {

+6 -1

nixos/modules/services/monitoring/zabbix-proxy.nix

···

       262
       262
        
           };

     

       263
       263
        
       

     

       264
       264
        
           security.wrappers = {

     

       265
       265
       -
             fping.source = "${pkgs.fping}/bin/fping";

     

       265
       265
       +
             fping =

     

       266
       266
       +
               { setuid = true;

     

       267
       267
       +
                 owner = "root";

     

       268
       268
       +
                 group = "root";

     

       269
       269
       +
                 source = "${pkgs.fping}/bin/fping";

     

       270
       270
       +
               };

     

       266
       271
        
           };

     

       267
       272
        
       

     

       268
       273
        
           systemd.services.zabbix-proxy = {

+12 -2

nixos/modules/services/networking/smokeping.nix

···

       278
       278
        
             }

     

       279
       279
        
           ];

     

       280
       280
        
           security.wrappers = {

     

       281
       281
       -
             fping.source = "${pkgs.fping}/bin/fping";

     

       282
       282
       -
             fping6.source = "${pkgs.fping}/bin/fping6";

     

       281
       281
       +
             fping =

     

       282
       282
       +
               { setuid = true;

     

       283
       283
       +
                 owner = "root";

     

       284
       284
       +
                 group = "root";

     

       285
       285
       +
                 source = "${pkgs.fping}/bin/fping";

     

       286
       286
       +
               };

     

       287
       287
       +
             fping6 =

     

       288
       288
       +
               { setuid = true;

     

       289
       289
       +
                 owner = "root";

     

       290
       290
       +
                 group = "root";

     

       291
       291
       +
                 source = "${pkgs.fping}/bin/fping6";

     

       292
       292
       +
               };

     

       283
       293
        
           };

     

       284
       294
        
           environment.systemPackages = [ pkgs.fping ];

     

       285
       295
        
           users.users.${cfg.user} = {

+6 -1

nixos/modules/services/scheduling/cron.nix

···

       93
       93
        
       

     

       94
       94
        
           { services.cron.enable = mkDefault (allFiles != []); }

     

       95
       95
        
           (mkIf (config.services.cron.enable) {

     

       96
       96
       -
             security.wrappers.crontab.source = "${cronNixosPkg}/bin/crontab";

     

       96
       96
       +
             security.wrappers.crontab =

     

       97
       97
       +
               { setuid = true;

     

       98
       98
       +
                 owner = "root";

     

       99
       99
       +
                 group = "root";

     

       100
       100
       +
                 source = "${cronNixosPkg}/bin/crontab";

     

       101
       101
       +
               };

     

       97
       102
        
             environment.systemPackages = [ cronNixosPkg ];

     

       98
       103
        
             environment.etc.crontab =

     

       99
       104
        
               { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }

+1

nixos/modules/services/scheduling/fcron.nix

···

       142
       142
        
               source = "${pkgs.fcron}/bin/fcronsighup";

     

       143
       143
        
               owner = "root";

     

       144
       144
        
               group = "fcron";

     

       145
       145
       +
               setuid = true;

     

       145
       146
        
             };

     

       146
       147
        
           };

     

       147
       148
        
           systemd.services.fcron = {

+3 -1

nixos/modules/services/video/replay-sorcery.nix

···

       44
       44
        
       

     

       45
       45
        
           security.wrappers = mkIf cfg.enableSysAdminCapability {

     

       46
       46
        
             replay-sorcery = {

     

       47
       47
       -
               source = "${pkgs.replay-sorcery}/bin/replay-sorcery";

     

       47
       47
       +
               owner = "root";

     

       48
       48
       +
               group = "root";

     

       48
       49
        
               capabilities = "cap_sys_admin+ep";

     

       50
       50
       +
               source = "${pkgs.replay-sorcery}/bin/replay-sorcery";

     

       49
       51
        
             };

     

       50
       52
        
           };

     

       51
       53

+18 -3

nixos/modules/services/x11/desktop-managers/enlightenment.nix

···

       65
       65
        
       

     

       66
       66
        
           # Wrappers for programs installed by enlightenment that should be setuid

     

       67
       67
        
           security.wrappers = {

     

       68
       68
       -
             enlightenment_ckpasswd.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";

     

       69
       69
       -
             enlightenment_sys.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";

     

       70
       70
       -
             enlightenment_system.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";

     

       68
       68
       +
             enlightenment_ckpasswd =

     

       69
       69
       +
               { setuid = true;

     

       70
       70
       +
                 owner = "root";

     

       71
       71
       +
                 group = "root";

     

       72
       72
       +
                 source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";

     

       73
       73
       +
               };

     

       74
       74
       +
             enlightenment_sys =

     

       75
       75
       +
               { setuid = true;

     

       76
       76
       +
                 owner = "root";

     

       77
       77
       +
                 group = "root";

     

       78
       78
       +
                 source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";

     

       79
       79
       +
               };

     

       80
       80
       +
             enlightenment_system =

     

       81
       81
       +
               { setuid = true;

     

       82
       82
       +
                 owner = "root";

     

       83
       83
       +
                 group = "root";

     

       84
       84
       +
                 source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";

     

       85
       85
       +
               };

     

       71
       86
        
           };

     

       72
       87
        
       

     

       73
       88
        
           environment.etc."X11/xkb".source = xcfg.xkbDir;

+18 -6

nixos/modules/services/x11/desktop-managers/plasma5.nix

···

       197
       197
        
             };

     

       198
       198
        
       

     

       199
       199
        
             security.wrappers = {

     

       200
       200
       -
               kcheckpass.source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";

     

       201
       201
       -
               start_kdeinit.source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";

     

       202
       202
       -
               kwin_wayland = {

     

       203
       203
       -
                 source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";

     

       204
       204
       -
                 capabilities = "cap_sys_nice+ep";

     

       205
       205
       -
               };

     

       200
       200
       +
               kcheckpass =

     

       201
       201
       +
                 { setuid = true;

     

       202
       202
       +
                   owner = "root";

     

       203
       203
       +
                   group = "root";

     

       204
       204
       +
                   source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";

     

       205
       205
       +
                 };

     

       206
       206
       +
               start_kdeinit =

     

       207
       207
       +
                 { setuid = true;

     

       208
       208
       +
                   owner = "root";

     

       209
       209
       +
                   group = "root";

     

       210
       210
       +
                   source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";

     

       211
       211
       +
                 };

     

       212
       212
       +
               kwin_wayland =

     

       213
       213
       +
                 { owner = "root";

     

       214
       214
       +
                   group = "root";

     

       215
       215
       +
                   capabilities = "cap_sys_nice+ep";

     

       216
       216
       +
                   source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";

     

       217
       217
       +
                 };

     

       206
       218
        
             };

     

       207
       219
        
       

     

       208
       220
        
             # DDC support

+12 -2

nixos/modules/tasks/filesystems/ecryptfs.nix

···

       7
       7
        
         config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) {

     

       8
       8
        
           system.fsPackages = [ pkgs.ecryptfs ];

     

       9
       9
        
           security.wrappers = {

     

       10
       10
       -
             "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";

     

       11
       11
       -
             "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";

     

       10
       10
       +
             "mount.ecryptfs_private" =

     

       11
       11
       +
               { setuid = true;

     

       12
       12
       +
                 owner = "root";

     

       13
       13
       +
                 group = "root";

     

       14
       14
       +
                 source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";

     

       15
       15
       +
               };

     

       16
       16
       +
             "umount.ecryptfs_private" =

     

       17
       17
       +
               { setuid = true;

     

       18
       18
       +
                 owner = "root";

     

       19
       19
       +
                 group = "root";

     

       20
       20
       +
                 source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";

     

       21
       21
       +
               };

     

       12
       22
        
           };

     

       13
       23
        
         };

     

       14
       24
        
       }

+7 -2

nixos/modules/tasks/network-interfaces.nix

···

       1133
       1133
        
           # kernel because we need the ambient capability

     

       1134
       1134
        
           security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then {

     

       1135
       1135
        
             ping = {

     

       1136
       1136
       -
               source  = "${pkgs.iputils.out}/bin/ping";

     

       1136
       1136
       +
               owner = "root";

     

       1137
       1137
       +
               group = "root";

     

       1137
       1138
        
               capabilities = "cap_net_raw+p";

     

       1139
       1139
       +
               source = "${pkgs.iputils.out}/bin/ping";

     

       1138
       1140
        
             };

     

       1139
       1141
        
           } else {

     

       1140
       1140
       -
             ping.source = "${pkgs.iputils.out}/bin/ping";

     

       1142
       1142
       +
             setuid = true;

     

       1143
       1143
       +
             owner = "root";

     

       1144
       1144
       +
             group = "root";

     

       1145
       1145
       +
             source = "${pkgs.iputils.out}/bin/ping";

     

       1141
       1146
        
           };

     

       1142
       1147
        
           security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''

     

       1143
       1148
        
             /run/wrappers/bin/ping {

+3

nixos/modules/virtualisation/libvirtd.nix

···

       183
       183
        
           };

     

       184
       184
        
       

     

       185
       185
        
           security.wrappers.qemu-bridge-helper = {

     

       186
       186
       +
             setuid = true;

     

       187
       187
       +
             owner = "root";

     

       188
       188
       +
             group = "root";

     

       186
       189
        
             source = "/run/${dirName}/nix-helpers/qemu-bridge-helper";

     

       187
       190
        
           };

     

       188
       191

+4 -2

nixos/modules/virtualisation/spice-usb-redirection.nix

···

       14
       14
        
       

     

       15
       15
        
         config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable {

     

       16
       16
        
           environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions

     

       17
       17
       -
           security.wrappers.spice-client-glib-usb-acl-helper ={

     

       18
       18
       -
             source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";

     

       17
       17
       +
           security.wrappers.spice-client-glib-usb-acl-helper = {

     

       18
       18
       +
             owner = "root";

     

       19
       19
       +
             group = "root";

     

       19
       20
        
             capabilities = "cap_fowner+ep";

     

       21
       21
       +
             source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";

     

       20
       22
        
           };

     

       21
       23
        
         };

     

       22
       24