public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make /var/empty immutable

Browse Source 
Fixes #14910 and #18358

Deployed to an existing server, restarted sshd and polkit to verify
they don't fail.
This commit is contained in:
Domen Kožar 2016-09-06 17:14:50 +02:00
parent 9ab141ce27
commit 3877ec5b2f
1 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
nixos/modules/system/activation/activation-script.nix
View File

@ -12,11 +12,14 @@ let
''; '';
}); });
path = map getBin path = with pkgs; map getBin
[ pkgs.coreutils pkgs.gnugrep pkgs.findutils [ coreutils
pkgs.glibc # needed for getent gnugrep
pkgs.shadow findutils
pkgs.nettools # needed for hostname glibc # needed for getent
shadow
nettools # needed for hostname
e2fsprogs # needed for chattr
]; ];
in in
@ -137,8 +140,13 @@ in
mkdir -m 1777 -p /var/tmp mkdir -m 1777 -p /var/tmp
# Make sure it's really empty
chattr -i /var/empty
rm -rf /var/empty
# Empty, read-only home directory of many system accounts. # Empty, read-only home directory of many system accounts.
mkdir -m 0555 -p /var/empty mkdir -m 0555 -p /var/empty
chattr +i /var/empty
''; '';
system.activationScripts.usrbinenv = if config.environment.usrbinenv != null system.activationScripts.usrbinenv = if config.environment.usrbinenv != null