diff options
author | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-12 18:53:48 +0200 |
---|---|---|
committer | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-13 13:48:13 +0200 |
commit | fedd7cd6901646cb7e2a94a148d300f7b632d7e0 (patch) | |
tree | 14b7af8318d75536656849335e20c51cdfdf3447 /nixos | |
parent | 8f76a6eefcfa0c9904e0749f04b27090527ce09f (diff) |
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you to think about what the wrapper ownership and permissions will be.
Diffstat (limited to 'nixos')
39 files changed, 276 insertions, 72 deletions
diff --git a/nixos/modules/programs/bandwhich.nix b/nixos/modules/programs/bandwhich.nix index 1cffb5fa2765c..610d602ad2cc9 100644 --- a/nixos/modules/programs/bandwhich.nix +++ b/nixos/modules/programs/bandwhich.nix @@ -22,8 +22,10 @@ in { config = mkIf cfg.enable { environment.systemPackages = with pkgs; [ bandwhich ]; security.wrappers.bandwhich = { - source = "${pkgs.bandwhich}/bin/bandwhich"; + owner = "root"; + group = "root"; capabilities = "cap_net_raw,cap_net_admin+ep"; + source = "${pkgs.bandwhich}/bin/bandwhich"; }; }; } diff --git a/nixos/modules/programs/captive-browser.nix b/nixos/modules/programs/captive-browser.nix index d7684d08c6c77..4e8abdeecf0b8 100644 --- a/nixos/modules/programs/captive-browser.nix +++ b/nixos/modules/programs/captive-browser.nix @@ -105,11 +105,15 @@ in ); security.wrappers.udhcpc = { + owner = "root"; + group = "root"; capabilities = "cap_net_raw+p"; source = "${pkgs.busybox}/bin/udhcpc"; }; security.wrappers.captive-browser = { + owner = "root"; + group = "root"; capabilities = "cap_net_raw+p"; source = pkgs.writeShellScript "captive-browser" '' export PREV_CONFIG_HOME="$XDG_CONFIG_HOME" diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix index ad4ef1a39459d..9384b01b3674f 100644 --- a/nixos/modules/programs/firejail.nix +++ b/nixos/modules/programs/firejail.nix @@ -81,7 +81,12 @@ in { }; config = mkIf cfg.enable { - security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail"; + security.wrappers.firejail = + { setuid = true; + owner = "root"; + group = "root"; + source = "${lib.getBin pkgs.firejail}/bin/firejail"; + }; environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ]; }; diff --git a/nixos/modules/programs/gamemode.nix b/nixos/modules/programs/gamemode.nix index 03949bf98df6a..102788f5b0195 100644 --- a/nixos/modules/programs/gamemode.nix +++ b/nixos/modules/programs/gamemode.nix @@ -56,6 +56,8 @@ in polkit.enable = true; wrappers = mkIf cfg.enableRenice { gamemoded = { + owner = "root"; + group = "root"; source = "${pkgs.gamemode}/bin/gamemoded"; capabilities = "cap_sys_nice+ep"; }; diff --git a/nixos/modules/programs/iftop.nix b/nixos/modules/programs/iftop.nix index a98a9a8187d4b..c74714a9a6d64 100644 --- a/nixos/modules/programs/iftop.nix +++ b/nixos/modules/programs/iftop.nix @@ -11,8 +11,10 @@ in { config = mkIf cfg.enable { environment.systemPackages = [ pkgs.iftop ]; security.wrappers.iftop = { - source = "${pkgs.iftop}/bin/iftop"; + owner = "root"; + group = "root"; capabilities = "cap_net_raw+p"; + source = "${pkgs.iftop}/bin/iftop"; }; }; } diff --git a/nixos/modules/programs/iotop.nix b/nixos/modules/programs/iotop.nix index 5512dbc62f72b..b7c1c69f9ddd0 100644 --- a/nixos/modules/programs/iotop.nix +++ b/nixos/modules/programs/iotop.nix @@ -10,8 +10,10 @@ in { }; config = mkIf cfg.enable { security.wrappers.iotop = { - source = "${pkgs.iotop}/bin/iotop"; + owner = "root"; + group = "root"; capabilities = "cap_net_admin+p"; + source = "${pkgs.iotop}/bin/iotop"; }; }; } diff --git a/nixos/modules/programs/kbdlight.nix b/nixos/modules/programs/kbdlight.nix index 58e45872fac87..8a2a0057cf2da 100644 --- a/nixos/modules/programs/kbdlight.nix +++ b/nixos/modules/programs/kbdlight.nix @@ -11,6 +11,11 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.kbdlight ]; - security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight"; + security.wrappers.kbdlight = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.kbdlight.out}/bin/kbdlight"; + }; }; } diff --git a/nixos/modules/programs/liboping.nix b/nixos/modules/programs/liboping.nix index 4e4c235ccde4a..4433f9767d6ee 100644 --- a/nixos/modules/programs/liboping.nix +++ b/nixos/modules/programs/liboping.nix @@ -13,8 +13,10 @@ in { security.wrappers = mkMerge (map ( exec: { "${exec}" = { - source = "${pkgs.liboping}/bin/${exec}"; + owner = "root"; + group = "root"; capabilities = "cap_net_raw+p"; + source = "${pkgs.liboping}/bin/${exec}"; }; } ) [ "oping" "noping" ]); diff --git a/nixos/modules/programs/mtr.nix b/nixos/modules/programs/mtr.nix index 75b710c1584fc..63516c58440ea 100644 --- a/nixos/modules/programs/mtr.nix +++ b/nixos/modules/programs/mtr.nix @@ -31,8 +31,10 @@ in { environment.systemPackages = with pkgs; [ cfg.package ]; security.wrappers.mtr-packet = { - source = "${cfg.package}/bin/mtr-packet"; + owner = "root"; + group = "root"; capabilities = "cap_net_raw+p"; + source = "${cfg.package}/bin/mtr-packet"; }; }; } diff --git a/nixos/modules/programs/noisetorch.nix b/nixos/modules/programs/noisetorch.nix index 5f3b0c8f5d1ee..bca68b0064c05 100644 --- a/nixos/modules/programs/noisetorch.nix +++ b/nixos/modules/programs/noisetorch.nix @@ -18,8 +18,10 @@ in { config = mkIf cfg.enable { security.wrappers.noisetorch = { - source = "${cfg.package}/bin/noisetorch"; + owner = "root"; + group = "root"; capabilities = "cap_sys_resource=+ep"; + source = "${cfg.package}/bin/noisetorch"; }; }; } diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index 386ded9d98b61..e021f184179d7 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix @@ -43,6 +43,13 @@ let ''; + mkSetuidRoot = source: + { setuid = true; + owner = "root"; + group = "root"; + inherit source; + }; + in { @@ -109,14 +116,14 @@ in }; security.wrappers = { - su.source = "${pkgs.shadow.su}/bin/su"; - sg.source = "${pkgs.shadow.out}/bin/sg"; - newgrp.source = "${pkgs.shadow.out}/bin/newgrp"; - newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap"; - newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap"; + su = mkSetuidRoot "${pkgs.shadow.su}/bin/su"; + sg = mkSetuidRoot "${pkgs.shadow.out}/bin/sg"; + newgrp = mkSetuidRoot "${pkgs.shadow.out}/bin/newgrp"; + newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap"; + newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap"; } // lib.optionalAttrs config.users.mutableUsers { - chsh.source = "${pkgs.shadow.out}/bin/chsh"; - passwd.source = "${pkgs.shadow.out}/bin/passwd"; + chsh = mkSetuidRoot "${pkgs.shadow.out}/bin/chsh"; + passwd = mkSetuidRoot "${pkgs.shadow.out}/bin/passwd"; }; }; } diff --git a/nixos/modules/programs/singularity.nix b/nixos/modules/programs/singularity.nix index 6ac64a81fc244..db935abe4bb46 100644 --- a/nixos/modules/programs/singularity.nix +++ b/nixos/modules/programs/singularity.nix @@ -16,7 +16,12 @@ in { config = mkIf cfg.enable { environment.systemPackages = [ singularity ]; - security.wrappers.singularity-suid.source = "${singularity}/libexec/singularity/bin/starter-suid.orig"; + security.wrappers.singularity-suid = + { setuid = true; + owner = "root"; + group = "root"; + source = "${singularity}/libexec/singularity/bin/starter-suid.orig"; + }; systemd.tmpfiles.rules = [ "d /var/singularity/mnt/session 0770 root root -" "d /var/singularity/mnt/final 0770 root root -" diff --git a/nixos/modules/programs/slock.nix b/nixos/modules/programs/slock.nix index 0e1281e62cd77..ce80fcc5d4a8a 100644 --- a/nixos/modules/programs/slock.nix +++ b/nixos/modules/programs/slock.nix @@ -21,6 +21,11 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.slock ]; - security.wrappers.slock.source = "${pkgs.slock.out}/bin/slock"; + security.wrappers.slock = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.slock.out}/bin/slock"; + }; }; } diff --git a/nixos/modules/programs/traceroute.nix b/nixos/modules/programs/traceroute.nix index 4eb0be3f0e0be..6e04057ac5034 100644 --- a/nixos/modules/programs/traceroute.nix +++ b/nixos/modules/programs/traceroute.nix @@ -19,8 +19,10 @@ in { config = mkIf cfg.enable { security.wrappers.traceroute = { - source = "${pkgs.traceroute}/bin/traceroute"; + owner = "root"; + group = "root"; capabilities = "cap_net_raw+p"; + source = "${pkgs.traceroute}/bin/traceroute"; }; }; } diff --git a/nixos/modules/programs/udevil.nix b/nixos/modules/programs/udevil.nix index ba5670f9dfe9d..0dc08c435df4a 100644 --- a/nixos/modules/programs/udevil.nix +++ b/nixos/modules/programs/udevil.nix @@ -9,6 +9,11 @@ in { options.programs.udevil.enable = mkEnableOption "udevil"; config = mkIf cfg.enable { - security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil"; + security.wrappers.udevil = + { setuid = true; + owner = "root"; + group = "root"; + source = "${lib.getBin pkgs.udevil}/bin/udevil"; + }; }; } diff --git a/nixos/modules/programs/wavemon.nix b/nixos/modules/programs/wavemon.nix index ac665fe4a0236..e5ccacba75d4a 100644 --- a/nixos/modules/programs/wavemon.nix +++ b/nixos/modules/programs/wavemon.nix @@ -21,8 +21,10 @@ in { config = mkIf cfg.enable { environment.systemPackages = with pkgs; [ wavemon ]; security.wrappers.wavemon = { - source = "${pkgs.wavemon}/bin/wavemon"; + owner = "root"; + group = "root"; capabilities = "cap_net_admin+ep"; + source = "${pkgs.wavemon}/bin/wavemon"; }; }; } diff --git a/nixos/modules/programs/wshowkeys.nix b/nixos/modules/programs/wshowkeys.nix index 09b008af1d5db..f7b71d2bb0c89 100644 --- a/nixos/modules/programs/wshowkeys.nix +++ b/nixos/modules/programs/wshowkeys.nix @@ -17,6 +17,11 @@ in { }; config = mkIf cfg.enable { - security.wrappers.wshowkeys.source = "${pkgs.wshowkeys}/bin/wshowkeys"; + security.wrappers.wshowkeys = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.wshowkeys}/bin/wshowkeys"; + }; }; } diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix index b83dbc4202a8d..bb99c053f7185 100644 --- a/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixos/modules/security/chromium-suid-sandbox.nix @@ -28,6 +28,11 @@ in config = mkIf cfg.enable { environment.systemPackages = [ sandbox ]; - security.wrappers.${sandbox.passthru.sandboxExecutableName}.source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; + security.wrappers.${sandbox.passthru.sandboxExecutableName} = + { setuid = true; + owner = "root"; + group = "root"; + source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; + }; }; } diff --git a/nixos/modules/security/doas.nix b/nixos/modules/security/doas.nix index 27f6870aaf374..35f618b03e8e4 100644 --- a/nixos/modules/security/doas.nix +++ b/nixos/modules/security/doas.nix @@ -241,9 +241,12 @@ in } ]; - security.wrappers = { - doas.source = "${doas}/bin/doas"; - }; + security.wrappers.doas = + { setuid = true; + owner = "root"; + group = "root"; + source = "${doas}/bin/doas"; + }; environment.systemPackages = [ doas diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index c47be80b9dc3c..bbe246fe229ec 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -186,7 +186,12 @@ in config = mkIf (cfg.ssh.enable || cfg.pam.enable) { environment.systemPackages = [ pkgs.duo-unix ]; - security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; + security.wrappers.login_duo = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.duo-unix.out}/bin/login_duo"; + }; system.activationScripts = { login_duo = mkIf cfg.ssh.enable '' diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix index c695ba075ca94..51d81e823f867 100644 --- a/nixos/modules/security/pam_usb.nix +++ b/nixos/modules/security/pam_usb.nix @@ -32,8 +32,18 @@ in # Make sure pmount and pumount are setuid wrapped. security.wrappers = { - pmount.source = "${pkgs.pmount.out}/bin/pmount"; - pumount.source = "${pkgs.pmount.out}/bin/pumount"; + pmount = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.pmount.out}/bin/pmount"; + }; + pumount = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.pmount.out}/bin/pumount"; + }; }; environment.systemPackages = [ pkgs.pmount ]; diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index f556cca23cdcf..d9c58152f1faa 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -83,8 +83,18 @@ in security.pam.services.polkit-1 = {}; security.wrappers = { - pkexec.source = "${pkgs.polkit.bin}/bin/pkexec"; - polkit-agent-helper-1.source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; + pkexec = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.polkit.bin}/bin/pkexec"; + }; + polkit-agent-helper-1 = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; + }; }; systemd.tmpfiles.rules = [ diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 8c9d0b487bbc7..2697ab0bde8f7 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -33,12 +33,10 @@ let }; options.owner = lib.mkOption { type = lib.types.str; - default = "root"; description = "The owner of the wrapper program."; }; options.group = lib.mkOption { type = lib.types.str; - default = "root"; description = "The group of the wrapper program."; }; options.permissions = lib.mkOption @@ -74,7 +72,7 @@ let }; options.setuid = lib.mkOption { type = lib.types.bool; - default = true; + default = false; description = "Whether to add the setuid bit the wrapper program."; }; options.setgid = lib.mkOption @@ -156,13 +154,30 @@ in default = {}; example = lib.literalExample '' - { sendmail.source = "/nix/store/.../bin/sendmail"; - ping = { - source = "${pkgs.iputils.out}/bin/ping"; - owner = "nobody"; - group = "nogroup"; - capabilities = "cap_net_raw+ep"; - }; + { + # a setuid root program + doas = + { setuid = true; + owner = "root"; + group = "root"; + source = "''${pkgs.doas}/bin/doas"; + }; + + # a setgid program + locate = + { setgid = true; + owner = "root"; + group = "mlocate"; + source = "''${pkgs.locate}/bin/locate"; + }; + + # a program with the CAP_NET_RAW capability + ping = + { owner = "root"; + group = "root"; + capabilities = "cap_net_raw+ep"; + source = "''${pkgs.iputils.out}/bin/ping"; + }; } ''; description = '' @@ -198,13 +213,21 @@ in } ) wrappers; - security.wrappers = { - # These are mount related wrappers that require the +s permission. - fusermount.source = "${pkgs.fuse}/bin/fusermount"; - fusermount3.source = "${pkgs.fuse3}/bin/fusermount3"; - mount.source = "${lib.getBin pkgs.util-linux}/bin/mount"; - umount.source = "${lib.getBin pkgs.util-linux}/bin/umount"; - }; + security.wrappers = + let + mkSetuidRoot = source: + { setuid = true; + owner = "root"; + group = "root"; + inherit source; + }; + in + { # These are mount related wrappers that require the +s permission. + fusermount = mkSetuidRoot "${pkgs.fuse}/bin/fusermount"; + fusermount3 = mkSetuidRoot "${pkgs.fuse3}/bin/fusermount3"; + mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount"; + umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount"; + }; boot.specialFileSystems.${parentWrapperDir} = { fsType = "tmpfs"; diff --git a/nixos/modules/services/desktops/gnome/gnome-keyring.nix b/nixos/modules/services/desktops/gnome/gnome-keyring.nix index cda44bab8bfaa..d821da164beb1 100644 --- a/nixos/modules/services/desktops/gnome/gnome-keyring.nix +++ b/nixos/modules/services/desktops/gnome/gnome-keyring.nix @@ -52,8 +52,10 @@ with lib; security.pam.services.login.enableGnomeKeyring = true; security.wrappers.gnome-keyring-daemon = { - source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon"; + owner = "root"; + group = "root"; capabilities = "cap_ipc_lock=ep"; + source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon"; }; }; diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index 8927d84b478c6..25b533578c948 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -104,7 +104,12 @@ in gid = config.ids.gids.exim; }; - security.wrappers.exim.source = "${cfg.package}/bin/exim"; + security.wrappers.exim = + { setuid = true; + owner = "root"; + group = "root"; + source = "${cfg.package}/bin/exim"; + }; systemd.services.exim = { description = "Exim Mail Daemon"; diff --git a/nixos/modules/services/misc/mame.nix b/nixos/modules/services/misc/mame.nix index 4b9a04be7c297..dd6c5ef9aa005 100644 --- a/nixos/modules/services/misc/mame.nix +++ b/nixos/modules/services/misc/mame.nix @@ -45,8 +45,10 @@ in environment.systemPackages = [ pkgs.mame ]; security.wrappers."${mame}" = { - source = "${pkgs.mame}/bin/${mame}"; + owner = "root"; + group = "root"; capabilities = "cap_net_admin,cap_net_raw+eip"; + source = "${pkgs.mame}/bin/${mame}"; }; systemd.services.mame = { diff --git a/nixos/modules/services/misc/weechat.nix b/nixos/modules/services/misc/weechat.nix index b71250f62e0f3..9ac2b0ea490c8 100644 --- a/nixos/modules/services/misc/weechat.nix +++ b/nixos/modules/services/misc/weechat.nix @@ -52,7 +52,12 @@ in wants = [ "network.target" ]; }; - security.wrappers.screen.source = "${pkgs.screen}/bin/screen"; + security.wrappers.screen = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.screen}/bin/screen"; + }; }; meta.doc = ./weechat.xml; diff --git a/nixos/modules/services/monitoring/incron.nix b/nixos/modules/services/monitoring/incron.nix index dc97af58562e7..255e1d9e30ba3 100644 --- a/nixos/modules/services/monitoring/incron.nix +++ b/nixos/modules/services/monitoring/incron.nix @@ -71,7 +71,12 @@ in environment.systemPackages = [ pkgs.incron ]; - security.wrappers.incrontab.source = "${pkgs.incron}/bin/incrontab"; + security.wrappers.incrontab = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.incron}/bin/incrontab"; + }; # incron won't read symlinks environment.etc."incron.d/system" = { diff --git a/nixos/modules/services/monitoring/zabbix-proxy.nix b/nixos/modules/services/monitoring/zabbix-proxy.nix index 2c8b8b92cb38b..8c7a2970e9b34 100644 --- a/nixos/modules/services/monitoring/zabbix-proxy.nix +++ b/nixos/modules/services/monitoring/zabbix-proxy.nix @@ -262,7 +262,12 @@ in }; security.wrappers = { - fping.source = "${pkgs.fping}/bin/fping"; + fping = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.fping}/bin/fping"; + }; }; systemd.services.zabbix-proxy = { diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index 4470c18fd5330..0a6477487369f 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix @@ -278,8 +278,18 @@ in } ]; security.wrappers = { - fping.source = "${pkgs.fping}/bin/fping"; - fping6.source = "${pkgs.fping}/bin/fping6"; + fping = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.fping}/bin/fping"; + }; + fping6 = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.fping}/bin/fping6"; + }; }; environment.systemPackages = [ pkgs.fping ]; users.users.${cfg.user} = { diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index 3bc31832946b9..c28956b3bfebe 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -93,7 +93,12 @@ in { services.cron.enable = mkDefault (allFiles != []); } (mkIf (config.services.cron.enable) { - security.wrappers.crontab.source = "${cronNixosPkg}/bin/crontab"; + security.wrappers.crontab = + { setuid = true; + owner = "root"; + group = "root"; + source = "${cronNixosPkg}/bin/crontab"; + }; environment.systemPackages = [ cronNixosPkg ]; environment.etc.crontab = { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; } diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index 4f5d99ddf38f5..acaa995f73950 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -142,6 +142,7 @@ in source = "${pkgs.fcron}/bin/fcronsighup"; owner = "root"; group = "fcron"; + setuid = true; }; }; systemd.services.fcron = { diff --git a/nixos/modules/services/video/replay-sorcery.nix b/nixos/modules/services/video/replay-sorcery.nix index d78e782c7968c..7ce5be8a5a1c6 100644 --- a/nixos/modules/services/video/replay-sorcery.nix +++ b/nixos/modules/services/video/replay-sorcery.nix @@ -44,8 +44,10 @@ in security.wrappers = mkIf cfg.enableSysAdminCapability { replay-sorcery = { - source = "${pkgs.replay-sorcery}/bin/replay-sorcery"; + owner = "root"; + group = "root"; capabilities = "cap_sys_admin+ep"; + source = "${pkgs.replay-sorcery}/bin/replay-sorcery"; }; }; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 3a7ab64510b5c..e3d876e82fddb 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -65,9 +65,24 @@ in # Wrappers for programs installed by enlightenment that should be setuid security.wrappers = { - enlightenment_ckpasswd.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd"; - enlightenment_sys.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys"; - enlightenment_system.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system"; + enlightenment_ckpasswd = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd"; + }; + enlightenment_sys = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys"; + }; + enlightenment_system = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system"; + }; }; environment.etc."X11/xkb".source = xcfg.xkbDir; diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index aac905fea4379..d8dc2675f068b 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -197,12 +197,24 @@ in }; security.wrappers = { - kcheckpass.source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass"; - start_kdeinit.source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit"; - kwin_wayland = { - source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland"; - capabilities = "cap_sys_nice+ep"; - }; + kcheckpass = + { setuid = true; + owner = "root"; + group = "root"; + source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass"; + }; + start_kdeinit = + { setuid = true; + owner = "root"; + group = "root"; + source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit"; + }; + kwin_wayland = + { owner = "root"; + group = "root"; + capabilities = "cap_sys_nice+ep"; + source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland"; + }; }; # DDC support diff --git a/nixos/modules/tasks/filesystems/ecryptfs.nix b/nixos/modules/tasks/filesystems/ecryptfs.nix index 12a407cabbfb0..8138e65916109 100644 --- a/nixos/modules/tasks/filesystems/ecryptfs.nix +++ b/nixos/modules/tasks/filesystems/ecryptfs.nix @@ -7,8 +7,18 @@ with lib; config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) { system.fsPackages = [ pkgs.ecryptfs ]; security.wrappers = { - "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; - "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; + "mount.ecryptfs_private" = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; + }; + "umount.ecryptfs_private" = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; + }; }; }; } diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 8f9c66b01572c..d934e3cf02248 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1133,11 +1133,16 @@ in # kernel because we need the ambient capability security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then { ping = { - source = "${pkgs.iputils.out}/bin/ping"; + owner = "root"; + group = "root"; capabilities = "cap_net_raw+p"; + source = "${pkgs.iputils.out}/bin/ping"; }; } else { - ping.source = "${pkgs.iputils.out}/bin/ping"; + setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.iputils.out}/bin/ping"; }; security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter '' /run/wrappers/bin/ping { diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index f45f1802d91cd..3c291397a998e 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -183,6 +183,9 @@ in { }; security.wrappers.qemu-bridge-helper = { + setuid = true; + owner = "root"; + group = "root"; source = "/run/${dirName}/nix-helpers/qemu-bridge-helper"; }; diff --git a/nixos/modules/virtualisation/spice-usb-redirection.nix b/nixos/modules/virtualisation/spice-usb-redirection.nix index 4168cebe79b18..255327f2622c9 100644 --- a/nixos/modules/virtualisation/spice-usb-redirection.nix +++ b/nixos/modules/virtualisation/spice-usb-redirection.nix @@ -14,9 +14,11 @@ config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable { environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions - security.wrappers.spice-client-glib-usb-acl-helper ={ - source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper"; + security.wrappers.spice-client-glib-usb-acl-helper = { + owner = "root"; + group = "root"; capabilities = "cap_fowner+ep"; + source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper"; }; }; |