author | Parnell Springmeyer <parnell@awakenetworks.com> | 2016-07-15 19:10:48 -0500 |
---|---|---|
committer | Parnell Springmeyer <parnell@awakenetworks.com> | 2016-09-01 19:17:43 -0500 |
commit | 390ab0b3eff809052d5b9d9b5335413b36898481 (patch) | |
tree | 15700959b5c568cff51e2e8abafed931bff7e6dd /nixos | |
parent | 81b33eb46645b1bd3ab5029c0ca2012a24902bb0 (diff) |
everything?: Updating every package that depended on the old setuidPrograms configuration.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/programs/kbdlight.nix | 9 | ||||
-rw-r--r-- | nixos/modules/programs/light.nix | 9 | ||||
-rw-r--r-- | nixos/modules/programs/shadow.nix | 49 | ||||
-rw-r--r-- | nixos/modules/rename.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/duosec.nix | 12 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 21 | ||||
-rw-r--r-- | nixos/modules/security/pam_usb.nix | 23 | ||||
-rw-r--r-- | nixos/modules/security/permissions-wrappers/default.nix | 5 | ||||
-rw-r--r-- | nixos/modules/security/polkit.nix | 10 | ||||
-rw-r--r-- | nixos/modules/security/sudo.nix | 17 | ||||
-rw-r--r-- | nixos/modules/services/mail/exim.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/scheduling/cron.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/scheduling/fcron.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/enlightenment.nix | 10 |
14 files changed, 169 insertions, 27 deletions
diff --git a/nixos/modules/programs/kbdlight.nix b/nixos/modules/programs/kbdlight.nix index 0172368e968fa..c3ea6b5e97388 100644 --- a/nixos/modules/programs/kbdlight.nix +++ b/nixos/modules/programs/kbdlight.nix @@ -11,6 +11,13 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.kbdlight ]; - security.setuidPrograms = [ "kbdlight" ]; + + security.permissionsWrappers.setuid = + [ { program = "kbdlight"; + source = "${pkgs.kbdlight.out}/bin/kbdlight"; + user = "root"; + group = "root"; + setuid = true; + }]; }; } diff --git a/nixos/modules/programs/light.nix b/nixos/modules/programs/light.nix index 09cd1113d9c7d..d141eaf66f76f 100644 --- a/nixos/modules/programs/light.nix +++ b/nixos/modules/programs/light.nix @@ -21,6 +21,13 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.light ]; - security.setuidPrograms = [ "light" ]; + + security.permissionsWrappers.setuid = + [ { program = "light"; + source = "${pkgs.light.out}/bin/light"; + user = "root"; + group = "root"; + setuid = true; + }]; }; } diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index 878c9cc0cf098..8ee324eaf63f8 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix 
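Review bot: The list literal in the kbdlight hunk is written inline as `[ { program = "kbdlight"; … }];`, and the light.nix hunk on this same line does the same, while every other file in this commit opens the list with `[` on its own line and closes it with a separate `];`. Since these records are the new convention being introduced across the tree, it is worth writing them the same way everywhere so the wrapper definitions are greppable and diffable as a unit; the two lines to change are `[ { program = "kbdlight";` → `[` followed by `{ program = "kbdlight";`, and `}];` → `}` followed by `];`. No functional difference is implied.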
@@ -102,11 +102,48 @@ in chgpasswd = { rootOK = true; }; }; - security.setuidPrograms = [ "su" "chfn" ] - ++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x - ++ lib.optionals config.users.mutableUsers - [ "passwd" "sg" "newgrp" ]; - + security.setuidPrograms = + [ + { program = "su"; + source = "${pkgs.shadow.su}/bin/su"; + user = "root"; + group = "root"; + setuid = true; + } + + { program = "chfn"; + source = "${pkgs.shadow.out}/bin/chfn"; + user = "root"; + group = "root"; + setuid = true; + } + ] ++ + (lib.optionals config.users.mutableUsers + map (x: x // { user = "root"; + group = "root"; + setuid = true; + }) + [ + { program = "passwd"; + source = "${pkgs.shadow.out}/bin/passwd"; + } + + { program = "sg"; + source = "${pkgs.shadow.out}/bin/sg"; + } + + { program = "newgrp"; + source = "${pkgs.shadow.out}/bin/newgrp"; + } + + { program = "newuidmap"; + source = "${pkgs.shadow.out}/bin/newuidmap"; + } + + { program = "newgidmap"; + source = "${pkgs.shadow.out}/bin/newgidmap"; + } + ] + ); }; - } diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 412cccc20d589..e4584146d6f02 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -10,7 +10,6 @@ with lib; (mkRenamedOptionModule [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ]) (mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ]) - (mkRenamedOptionModule [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ]) (mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ]) (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ]) diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 0e3a54325cadd..202218c915c97 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix 
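Review bot: The first added line still assigns `security.setuidPrograms =`, the option this commit retires everywhere else (the let-binding that consumed it is removed from permissions-wrappers/default.nix in this same commit), so it should read `security.permissionsWrappers.setuid =` like the other hunks or these wrappers are never built. The expression `lib.optionals config.users.mutableUsers map (x: …) [ … ]` is also missing parentheses around the `map` application: Nix application is left-associative, so `optionals` receives the function `map` as its list argument and evaluation fails. Finally, `newuidmap` and `newgidmap` were unconditional in the removed lines (`++ [ "newuidmap" "newgidmap" ]`) and are now gated on `users.mutableUsers`, which drops their setuid wrappers on systems with immutable users; if that narrowing is intended it deserves a comment, otherwise they belong in the unconditional list. The enclosing `config` attribute set begins before this hunk.
```nix
    security.permissionsWrappers.setuid =
      [ { program = "su";
          source = "${pkgs.shadow.su}/bin/su";
          user = "root";
          group = "root";
          setuid = true;
        }

        # … unchanged: chfn record …

        # new in shadow 4.2.x; not dependent on users.mutableUsers
        { program = "newuidmap";
          source = "${pkgs.shadow.out}/bin/newuidmap";
          user = "root";
          group = "root";
          setuid = true;
        }

        { program = "newgidmap";
          source = "${pkgs.shadow.out}/bin/newgidmap";
          user = "root";
          group = "root";
          setuid = true;
        }
      ] ++
      (lib.optionals config.users.mutableUsers
        (map (x: x // { user = "root"; group = "root"; setuid = true; })
          [ { program = "passwd"; source = "${pkgs.shadow.out}/bin/passwd"; }
            { program = "sg";     source = "${pkgs.shadow.out}/bin/sg"; }
            { program = "newgrp"; source = "${pkgs.shadow.out}/bin/newgrp"; }
          ]));
```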
@@ -193,7 +193,17 @@ in ]; environment.systemPackages = [ pkgs.duo-unix ]; - security.setuidPrograms = [ "login_duo" ]; + + security.permissionsWrappers.setuid = + [ + { program = "login_duo"; + source = "${pkgs.duo-unix.out}/bin/login_duo"; + user = "root"; + group = "root"; + setuid = true; + } + ]; + environment.etc = loginCfgFile ++ pamCfgFile; /* If PAM *and* SSH are enabled, then don't do anything special. diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 77815cd6dcc16..4c6b54f02745e 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -442,8 +442,25 @@ in ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ] ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ]; - security.setuidPrograms = - optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ]; + security.permissionsWrappers.setuid = + [ + (optionals config.security.pam.enableEcryptfs + { program = "mount.ecryptfs_private" + source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; + user = "root"; + group = "root"; + setuid = true; + }) + + (optionals config.security.pam.enableEcryptfs + { program = "umount.ecryptfs_private"; + source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; + user = "root"; + group = "root"; + setuid = true; + }) + ] + environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services; diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix index 11708a1f01679..699cf6306e1d1 100644 --- a/nixos/modules/security/pam_usb.nix +++ b/nixos/modules/security/pam_usb.nix 
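Review bot: In the pam.nix hunk, `optionals config.security.pam.enableEcryptfs { program = … }` applies `optionals` to an attribute set instead of a list, and the surrounding `[ (…) (…) ]` then yields a list of lists rather than a flat list of wrapper records, so the ecryptfs helpers never reach the wrapper builder (or evaluation fails outright when the option is on). The first record is also missing the `;` after `program = "mount.ecryptfs_private"`, and the whole assignment is missing its terminating `;` before `environment.etc`. Guarding once with `optionals` around a single flat list fixes all three:
```nix
      security.permissionsWrappers.setuid =
        optionals config.security.pam.enableEcryptfs
          [ { program = "mount.ecryptfs_private";
              source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
              user = "root";
              group = "root";
              setuid = true;
            }

            { program = "umount.ecryptfs_private";
              source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
              user = "root";
              group = "root";
              setuid = true;
            }
          ];
```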
@@ -32,10 +32,25 @@ in config = mkIf (cfg.enable || anyUsbAuth) { - # pmount need to have a set-uid bit to make pam_usb works in user - # environment. (like su, sudo) - - security.setuidPrograms = [ "pmount" "pumount" ]; + # Make sure pmount and pumount are setuid wrapped. + security.permissionsWrappers.setuid = + [ + { program = "pmount"; + source = "${pkgs.pmount.out}/bin/pmount"; + user = "root"; + group = "root"; + setuid = true; + } + + { program = "pumount"; + source = "${pkgs.pmount.out}/bin/pumount"; + user = "root"; + group = "root"; + setuid = true; + } + ]; + +setuidPrograms = [ "pmount" "pumount" ]; environment.systemPackages = [ pkgs.pmount ]; }; diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index a4491946df5dc..5d4634daf78be 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -43,11 +43,6 @@ let ''; ###### Activation script for the setuid wrappers - setuidPrograms = - (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) - config.security.setuidPrograms) - ++ config.security.setuidOwners; - makeSetuidWrapper = { program , source ? null diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index 507f81bbf0737..db078667acf00 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -83,7 +83,15 @@ in security.pam.services.polkit-1 = {}; - security.setuidPrograms = [ "pkexec" ]; + security.permissionsWrappers.setuid = + [ + { program = "pkexec"; + source = "${pkgs.polkit.out}/bin/pkexec"; + user = "root"; + group = "root"; + setuid = true; + } + ]; security.setuidOwners = [ { program = "polkit-agent-helper-1"; diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index bced2a6ed7573..06dde14cd1c1a 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix 
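Review bot: The added line `setuidPrograms = [ "pmount" "pumount" ];` after the closing `];` of the new wrapper list looks like a leftover of the removed `security.setuidPrograms` assignment; inside the `config` set it defines a bare top-level attribute that no module declares, so evaluation will fail with an undefined-option error. Delete that line. It is also worth keeping the intent of the removed comment, since the new one only restates the mechanism: `# pmount/pumount must run setuid root for pam_usb to work from a user session (su, sudo).`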
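Review bot: In the polkit.nix hunk, the `security.setuidOwners` entry for `polkit-agent-helper-1` on the unchanged lines below the new block is left as is, while this same commit removes the let-binding in permissions-wrappers/default.nix that concatenated `config.security.setuidOwners` into the wrapper list. Unless another consumer of that option remains (none is visible here), polkit-agent-helper-1 silently stops being installed as a setuid wrapper and polkit authentication prompts will fail at runtime rather than at build time. Converting it to a second record in the `security.permissionsWrappers.setuid` list, alongside pkexec, would preserve the current behaviour.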
@@ -81,7 +81,22 @@ in ${cfg.extraConfig} ''; - security.setuidPrograms = [ "sudo" "sudoedit" ]; + security.permissionsWrappers.setuid = + [ + { program = "sudo"; + source = "${pkgs.sudo.out}/bin/sudo"; + user = "root"; + group = "root"; + setuid = true; + } + + { program = "sudoedit" + source = "${pkgs.sudo.out}/bin/sudo"; + user = "root"; + group = "root"; + setuid = true; + } + ]; environment.systemPackages = [ sudo ]; diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index e0890d96a88bb..aad497cbc7199 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -89,7 +89,15 @@ in gid = config.ids.gids.exim; }; - security.setuidPrograms = [ "exim" ]; + security.permissionsWrappers.setuid = + [ + { program = "exim"; + source = "${pkgs.exim.out}/bin/exim"; + user = "root"; + group = "root"; + setuid = true; + } + ] systemd.services.exim = { description = "Exim Mail Daemon"; diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index f5e132fd77d87..541fbb7ee6442 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -95,7 +95,15 @@ in (mkIf (config.services.cron.enable) { - security.setuidPrograms = [ "crontab" ]; + security.permissionsWrappers.setuid = + [ + { program = "crontab"; + source = "${pkgs.cronNixosPkg.out}/bin/crontab"; + user = "root"; + group = "root"; + setuid = true; + } + ]; environment.systemPackages = [ cronNixosPkg ]; diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index 7b4665a820467..6e8465ab08f43 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix 
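Review bot: The second record in the sudo.nix hunk, `{ program = "sudoedit"`, is missing the `;` after the program attribute, so the module fails to parse; it should be `{ program = "sudoedit";`. Both records also set `source` to `${pkgs.sudo.out}/bin/sudo`, whereas the removed line wrapped a binary actually named `sudoedit`; sudo selects edit mode from the name it is invoked under, so whether the wrapper preserves the `sudoedit` name when it executes `source` should be confirmed against the permissions-wrappers implementation, and if it does not, the record should point at the package's `sudoedit` link instead.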
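Review bot: The exim.nix hunk's new assignment is missing its terminating semicolon — the closing `]` before `systemd.services.exim` should be `];` — so the module no longer parses. The surrounding attribute set continues past the hunk.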
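Review bot: In the cron.nix hunk, `source = "${pkgs.cronNixosPkg.out}/bin/crontab"` looks up `cronNixosPkg` as an attribute of `pkgs`, but the unchanged line just below (`environment.systemPackages = [ cronNixosPkg ];`) uses it as a local binding of this module, so `pkgs.cronNixosPkg` is presumably undefined and evaluation will fail with a missing-attribute error. Use the local binding: `source = "${cronNixosPkg}/bin/crontab";`.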
@@ -106,7 +106,15 @@ in environment.systemPackages = [ pkgs.fcron ]; - security.setuidPrograms = [ "fcrontab" ]; + security.permissionsWrappers.setuid = + [ + { program = "fcrontab"; + source = "${pkgs.fcron.out}/bin/fcrontab"; + user = "root"; + group = "root"; + setuid = true; + } + ]; systemd.services.fcron = { description = "fcron daemon"; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 8a03dd65b3359..b55950c6373be 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -62,7 +62,15 @@ in ''; }]; - security.setuidPrograms = [ "e_freqset" ]; + security.permissionsWrappers.setuid = + [ + { program = "e_freqset"; + source = "${e.enlightenment.out}/bin/e_freqset"; + user = "root"; + group = "root"; + setuid = true; + } + ]; environment.etc = singleton { source = "${pkgs.xkeyboard_config}/etc/X11/xkb"; |