nixpkgs/nixos/modules/security/wrappers/default.nix

{ config, lib, pkgs, ... }:
let

  inherit (config.security) wrapperDir wrappers;

  parentWrapperDir = dirOf wrapperDir;

  programs =
    (lib.mapAttrsToList
      (n: v: (if v ? program then v else v // {program=n;}))
      wrappers);

  securityWrapper = pkgs.stdenv.mkDerivation {
    name            = "security-wrapper";
    phases          = [ "installPhase" "fixupPhase" ];
    buildInputs     = [ pkgs.libcap pkgs.libcap_ng pkgs.linuxHeaders ];
    hardeningEnable = [ "pie" ];
    installPhase = ''
      mkdir -p $out/bin
      $CC -Wall -O2 -DWRAPPER_DIR=\"${parentWrapperDir}\" \
          -lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper
    '';
  };

  ###### Activation script for the setcap wrappers
  mkSetcapProgram =
    { program
    , capabilities
    , source
    , owner  ? "nobody"
    , group  ? "nogroup"
    , permissions ? "u+rx,g+x,o+x"
    , ...
    }:
    assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
    ''
      cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}
      echo -n "${source}" > $wrapperDir/${program}.real

      # Prevent races
      chmod 0000 $wrapperDir/${program}
      chown ${owner}.${group} $wrapperDir/${program}

      # Set desired capabilities on the file plus cap_setpcap so
      # the wrapper program can elevate the capabilities set on
      # its file into the Ambient set.
      ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}

      # Set the executable bit
      chmod ${permissions} $wrapperDir/${program}
    '';

  ###### Activation script for the setuid wrappers
  mkSetuidProgram =
    { program
    , source
    , owner  ? "nobody"
    , group  ? "nogroup"
    , setuid ? false
    , setgid ? false
    , permissions ? "u+rx,g+x,o+x"
    , ...
    }:
    ''
      cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}
      echo -n "${source}" > $wrapperDir/${program}.real

      # Prevent races
      chmod 0000 $wrapperDir/${program}
      chown ${owner}.${group} $wrapperDir/${program}

      chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
    '';

  mkWrappedPrograms =
    builtins.map
      (s: if (s ? capabilities)
          then mkSetcapProgram
                 ({ owner = "root";
                    group = "root";
                  } // s)
          else if
             (s ? setuid && s.setuid) ||
             (s ? setgid && s.setgid) ||
             (s ? permissions)
          then mkSetuidProgram s
          else mkSetuidProgram
                 ({ owner  = "root";
                    group  = "root";
                    setuid = true;
                    setgid = false;
                    permissions = "u+rx,g+x,o+x";
                  } // s)
      ) programs;
in
{
  imports = [
    (lib.mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
    (lib.mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
  ];

  ###### interface

  options = {
    security.wrappers = lib.mkOption {
      type = lib.types.attrs;
      default = {};
      example = lib.literalExample
        ''
          { sendmail.source = "/nix/store/.../bin/sendmail";
            ping = {
              source  = "${pkgs.iputils.out}/bin/ping";
              owner   = "nobody";
              group   = "nogroup";
              capabilities = "cap_net_raw+ep";
            };
          }
        '';
      description = ''
        This option allows the ownership and permissions on the setuid
        wrappers for specific programs to be overridden from the
        default (setuid root, but not setgid root).

        <note>
          <para>The sub-attribute <literal>source</literal> is mandatory,
          it must be the absolute path to the program to be wrapped.
          </para>

          <para>The sub-attribute <literal>program</literal> is optional and
          can give the wrapper program a new name. The default name is the same
          as the attribute name itself.</para>

          <para>Additionally, this option can set capabilities on a
          wrapper program that propagates those capabilities down to the
          wrapped, real program.</para>

          <para>NOTE: cap_setpcap, which is required for the wrapper
          program to be able to raise caps into the Ambient set is NOT
          raised to the Ambient set so that the real program cannot
          modify its own capabilities!! This may be too restrictive for
          cases in which the real program needs cap_setpcap but it at
          least leans on the side security paranoid vs. too
          relaxed.</para>
        </note>
      '';
    };

    security.wrapperDir = lib.mkOption {
      type        = lib.types.path;
      default     = "/run/wrappers/bin";
      internal    = true;
      description = ''
        This option defines the path to the wrapper programs. It
        should not be overriden.
      '';
    };
  };

  ###### implementation
  config = {

    security.wrappers = {
      fusermount.source = "${pkgs.fuse}/bin/fusermount";
      fusermount3.source = "${pkgs.fuse3}/bin/fusermount3";
    };

    boot.specialFileSystems.${parentWrapperDir} = {
      fsType = "tmpfs";
      options = [ "nodev" ];
    };

    # Make sure our wrapperDir exports to the PATH env variable when
    # initializing the shell
    environment.extraInit = ''
      # Wrappers override other bin directories.
      export PATH="${wrapperDir}:$PATH"
    '';

    ###### setcap activation script
    system.activationScripts.wrappers =
      lib.stringAfter [ "specialfs" "users" ]
        ''
          # Look in the system path and in the default profile for
          # programs to be wrapped.
          WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin

          # We want to place the tmpdirs for the wrappers to the parent dir.
          wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
          chmod a+rx $wrapperDir

          ${lib.concatStringsSep "\n" mkWrappedPrograms}

          if [ -L ${wrapperDir} ]; then
            # Atomically replace the symlink
            # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
            old=$(readlink -f ${wrapperDir})
            ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
            mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
            rm --force --recursive $old
          else
            # For initial setup
            ln --symbolic $wrapperDir ${wrapperDir}
          fi
        '';
  };
}
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`{ config, lib, pkgs, ... }:`
			`let`

nixos: remove remaining reference to setuidPrograms The option doesn't exist anymore. 2017-02-14 22:20:27 +01:00			`inherit (config.security) wrapperDir wrappers;`
Derp derp 2017-01-29 01:27:11 -06:00
wrappers service: make /run/wrappers a mountpoint Also remove some compatibility code because the directory in question would be shadowed by a mountpoint anyway. 2017-02-18 20:06:09 +03:00			`parentWrapperDir = dirOf wrapperDir;`

Derp derp 2017-01-29 01:27:11 -06:00			`programs =`
More wibbles? 2017-01-29 01:41:39 -06:00			`(lib.mapAttrsToList`
treewide: remove redundant quotes 2019-08-13 21:52:01 +00:00			`(n: v: (if v ? program then v else v // {program=n;}))`
More wibbles? 2017-01-29 01:41:39 -06:00			`wrappers);`
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Resurrecting the single-wrapper read from sibling .real file behavior 2017-02-13 18:03:06 -06:00			`securityWrapper = pkgs.stdenv.mkDerivation {`
Simplifying the wrapper program derivation 2017-02-14 08:27:40 -06:00			`name = "security-wrapper";`
			`phases = [ "installPhase" "fixupPhase" ];`
			`buildInputs = [ pkgs.libcap pkgs.libcap_ng pkgs.linuxHeaders ];`
			`hardeningEnable = [ "pie" ];`
Resurrecting the single-wrapper read from sibling .real file behavior 2017-02-13 18:03:06 -06:00			`installPhase = ''`
			`mkdir -p $out/bin`
nixos/security-wrapper: Fix cross-compilation 2017-12-16 23:05:51 -05:00			`$CC -Wall -O2 -DWRAPPER_DIR=\"${parentWrapperDir}\" \`
Simplifying the wrapper program derivation 2017-02-14 08:27:40 -06:00			`-lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper`
Resurrecting the single-wrapper read from sibling .real file behavior 2017-02-13 18:03:06 -06:00			`'';`
			`};`
Addressing PR feedback 2017-01-28 20:48:03 -08:00
			`###### Activation script for the setcap wrappers`
			`mkSetcapProgram =`
			`{ program`
			`, capabilities`
Derp, correctly write the source program's path 2017-02-13 18:28:13 -06:00			`, source`
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`, owner ? "nobody"`
			`, group ? "nogroup"`
setcapWrapper: add support for setting permissions 2017-02-17 15:41:31 +01:00			`, permissions ? "u+rx,g+x,o+x"`
setcap-wrapper: Syntax wibble 2017-01-29 01:20:02 -06:00			`, ...`
Switching to individually generated derivations 2017-01-30 12:26:56 -06:00			`}:`
setcap-wrapper: Addressing more PR feedback, unifying drvs, and cleaning up a bit 2017-01-29 01:07:12 -06:00			`assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");`
Resurrecting the single-wrapper read from sibling .real file behavior 2017-02-13 18:03:06 -06:00			`''`
			`cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}`
Derp, correctly write the source program's path 2017-02-13 18:28:13 -06:00			`echo -n "${source}" > $wrapperDir/${program}.real`
Addressing PR feedback 2017-01-28 20:48:03 -08:00
			`# Prevent races`
			`chmod 0000 $wrapperDir/${program}`
			`chown ${owner}.${group} $wrapperDir/${program}`

			`# Set desired capabilities on the file plus cap_setpcap so`
			`# the wrapper program can elevate the capabilities set on`
			`# its file into the Ambient set.`
			`${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}`

			`# Set the executable bit`
setcapWrapper: add support for setting permissions 2017-02-17 15:41:31 +01:00			`chmod ${permissions} $wrapperDir/${program}`
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`'';`

			`###### Activation script for the setuid wrappers`
			`mkSetuidProgram =`
			`{ program`
Derp, correctly write the source program's path 2017-02-13 18:28:13 -06:00			`, source`
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`, owner ? "nobody"`
			`, group ? "nogroup"`
			`, setuid ? false`
			`, setgid ? false`
			`, permissions ? "u+rx,g+x,o+x"`
setcap-wrapper: Syntax wibble 2017-01-29 01:20:02 -06:00			`, ...`
Switching to individually generated derivations 2017-01-30 12:26:56 -06:00			`}:`
Resurrecting the single-wrapper read from sibling .real file behavior 2017-02-13 18:03:06 -06:00			`''`
			`cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}`
Derp, correctly write the source program's path 2017-02-13 18:28:13 -06:00			`echo -n "${source}" > $wrapperDir/${program}.real`
Addressing PR feedback 2017-01-28 20:48:03 -08:00
			`# Prevent races`
			`chmod 0000 $wrapperDir/${program}`
			`chown ${owner}.${group} $wrapperDir/${program}`

			`chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}`
			`'';`
Derp derp 2017-01-29 01:27:11 -06:00
			`mkWrappedPrograms =`
			`builtins.map`
treewide: remove redundant quotes 2019-08-13 21:52:01 +00:00			`(s: if (s ? capabilities)`
Default should be to set owner and group to root on setcap wrappers too 2017-02-14 08:40:12 -06:00			`then mkSetcapProgram`
			`({ owner = "root";`
Syntax wibble 2017-02-14 08:42:08 -06:00			`group = "root";`
Default should be to set owner and group to root on setcap wrappers too 2017-02-14 08:40:12 -06:00			`} // s)`
nixos/security-wrapper: Fix cross-compilation 2017-12-16 23:05:51 -05:00			`else if`
treewide: remove redundant quotes 2019-08-13 21:52:01 +00:00			`(s ? setuid && s.setuid) \|\|`
			`(s ? setgid && s.setgid) \|\|`
			`(s ? permissions)`
Derp derp 2017-01-29 01:27:11 -06:00			`then mkSetuidProgram s`
Gotta provide sane defaults! This is what I get for 5AM coding 2017-01-29 16:47:14 -06:00			`else mkSetuidProgram`
			`({ owner = "root";`
			`group = "root";`
			`setuid = true;`
			`setgid = false;`
			`permissions = "u+rx,g+x,o+x";`
			`} // s)`
Derp derp 2017-01-29 01:27:11 -06:00			`) programs;`
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`in`
			`{`
nixos/treewide: Move rename.nix imports to their respective modules A centralized list for these renames is not good because: - It breaks disabledModules for modules that have a rename defined - Adding/removing renames for a module means having to find them in the central file - Merge conflicts due to multiple people editing the central file 2019-12-10 02:51:19 +01:00			`imports = [`
			`(lib.mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")`
			`(lib.mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")`
			`];`
Addressing PR feedback 2017-01-28 20:48:03 -08:00
			`###### interface`

			`options = {`
			`security.wrappers = lib.mkOption {`
			`type = lib.types.attrs;`
			`default = {};`
nixos/security.wrappers: use literalExample in documentation It's much more readable when the example attrset is pretty printed instead of written as one line. 2017-02-15 09:07:16 +01:00			`example = lib.literalExample`
			`''`
			`{ sendmail.source = "/nix/store/.../bin/sendmail";`
			`ping = {`
			`source = "${pkgs.iputils.out}/bin/ping";`
			`owner = "nobody";`
			`group = "nogroup";`
			`capabilities = "cap_net_raw+ep";`
			`};`
			`}`
			`'';`
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`description = ''`
security-wrapper: Wrap <para> tags in a <note> tag 2017-02-14 21:30:04 -06:00			`This option allows the ownership and permissions on the setuid`
			`wrappers for specific programs to be overridden from the`
			`default (setuid root, but not setgid root).`

			`<note>`
nixos/security.wrappers: improve documentation * The source attribute is mandatory, not optional * The program attribute is optional * Move the info about the mandatory attribute first (most important, IMHO) 2017-02-15 19:51:12 +01:00			`<para>The sub-attribute <literal>source</literal> is mandatory,`
			`it must be the absolute path to the program to be wrapped.`
			`</para>`

			`<para>The sub-attribute <literal>program</literal> is optional and`
			`can give the wrapper program a new name. The default name is the same`
			`as the attribute name itself.</para>`

security-wrapper: Wrap <para> tags in a <note> tag 2017-02-14 21:30:04 -06:00			`<para>Additionally, this option can set capabilities on a`
			`wrapper program that propagates those capabilities down to the`
			`wrapped, real program.</para>`

			`<para>NOTE: cap_setpcap, which is required for the wrapper`
			`program to be able to raise caps into the Ambient set is NOT`
			`raised to the Ambient set so that the real program cannot`
			`modify its own capabilities!! This may be too restrictive for`
			`cases in which the real program needs cap_setpcap but it at`
			`least leans on the side security paranoid vs. too`
			`relaxed.</para>`
			`</note>`
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`'';`
			`};`

			`security.wrapperDir = lib.mkOption {`
			`type = lib.types.path;`
Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00			`default = "/run/wrappers/bin";`
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`internal = true;`
			`description = ''`
			`This option defines the path to the wrapper programs. It`
			`should not be overriden.`
			`'';`
			`};`
			`};`

			`###### implementation`
			`config = {`
Set merge + mkIf always surprises me 2017-01-29 17:10:32 -06:00
fuse3: init at 3.1.1 This includes fuse-common (fusePackages.fuse_3.common) as recommended by upstream. But while fuse(2) and fuse3 would normally depend on fuse-common we can't do that in nixpkgs while fuse-common is just another output from the fuse3 multiple-output derivation (i.e. this would result in a circular dependency). To avoid building fuse3 twice I decided it would be best to copy the shared files (i.e. the ones provided by fuse(2) and fuse3) from fuse-common to fuse (version 2) and avoid collision warnings by defining priorities. Now it should be possible to install an arbitrary combination of "fuse", "fuse3", and "fuse-common" without getting any collision warnings. The end result should be the same and all changes should be backwards compatible (assuming that mount.fuse from fuse3 is backwards compatible as stated by upstream [0] - if not this might break some /etc/fstab definitions but that should be very unlikely). My tests with sshfs (version 2 and 3) didn't show any problems. See #28409 for some additional information. [0]: https://github.com/libfuse/libfuse/releases/tag/fuse-3.0.0 2017-08-19 18:50:53 +02:00			`security.wrappers = {`
			`fusermount.source = "${pkgs.fuse}/bin/fusermount";`
			`fusermount3.source = "${pkgs.fuse3}/bin/fusermount3";`
			`};`
Set merge + mkIf always surprises me 2017-01-29 17:10:32 -06:00
wrappers service: make /run/wrappers a mountpoint Also remove some compatibility code because the directory in question would be shadowed by a mountpoint anyway. 2017-02-18 20:06:09 +03:00			`boot.specialFileSystems.${parentWrapperDir} = {`
			`fsType = "tmpfs";`
			`options = [ "nodev" ];`
			`};`

setcap-wrapper: Addressing more PR feedback, unifying drvs, and cleaning up a bit 2017-01-29 01:07:12 -06:00			`# Make sure our wrapperDir exports to the PATH env variable when`
			`# initializing the shell`
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`environment.extraInit = ''`
setcap-wrapper: Addressing more PR feedback, unifying drvs, and cleaning up a bit 2017-01-29 01:07:12 -06:00			`# Wrappers override other bin directories.`
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`export PATH="${wrapperDir}:$PATH"`
			`'';`

			`###### setcap activation script`
			`system.activationScripts.wrappers =`
security-wrapper: run activation script after specialfs Ensures that parentWrapperDir exists before it is used. Closes #26851 2017-06-25 21:42:07 +02:00			`lib.stringAfter [ "specialfs" "users" ]`
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`''`
			`# Look in the system path and in the default profile for`
			`# programs to be wrapped.`
			`WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin`

wrappers service: make /run/wrappers a mountpoint Also remove some compatibility code because the directory in question would be shadowed by a mountpoint anyway. 2017-02-18 20:06:09 +03:00			`# We want to place the tmpdirs for the wrappers to the parent dir.`
			`wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)`
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`chmod a+rx $wrapperDir`

setcap-wrapper: Addressing more PR feedback, unifying drvs, and cleaning up a bit 2017-01-29 01:07:12 -06:00			`${lib.concatStringsSep "\n" mkWrappedPrograms}`
Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00
			`if [ -L ${wrapperDir} ]; then`
			`# Atomically replace the symlink`
			`# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/`
A few more tweaks 2017-01-29 05:05:30 -06:00			`old=$(readlink -f ${wrapperDir})`
Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00			`ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp`
			`mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}`
			`rm --force --recursive $old`
			`else`
			`# For initial setup`
			`ln --symbolic $wrapperDir ${wrapperDir}`
			`fi`
Addressing PR feedback 2017-01-28 20:48:03 -08:00			`'';`
			`};`
			`}`