everything?: Updating every package that depended on the old setuidPrograms configuration.

nixos/modules/programs/kbdlight.nix

@@ -11,6 +11,13 @@ in
 
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.kbdlight ];
-    security.setuidPrograms = [ "kbdlight" ];
+
+    security.permissionsWrappers.setuid =
+    [ { program = "kbdlight";
+        source  = "${pkgs.kbdlight.out}/bin/kbdlight";
+        user    = "root";
+        group   = "root";
+        setuid  = true;        
+    }];
   };
 }

nixos/modules/programs/light.nix

@@ -21,6 +21,13 @@ in
 
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.light ];
-    security.setuidPrograms = [ "light" ];
+
+    security.permissionsWrappers.setuid =
+    [ { program = "light";
+        source  = "${pkgs.light.out}/bin/light";
+        user    = "root";
+        group   = "root";
+        setuid  = true;        
+    }];
   };
 }

nixos/modules/programs/shadow.nix

@@ -102,11 +102,48 @@ in
         chgpasswd = { rootOK = true; };
       };
 
-    security.setuidPrograms = [ "su" "chfn" ]
-      ++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x
-      ++ lib.optionals config.users.mutableUsers
-      [ "passwd" "sg" "newgrp" ];
+    security.setuidPrograms = 
+    [
+      { program = "su";
+        source  = "${pkgs.shadow.su}/bin/su";
+        user    = "root";
+        group   = "root";
+        setuid  = true;        
+      }
 
+      { program = "chfn";
+        source  = "${pkgs.shadow.out}/bin/chfn";
+        user    = "root";
+        group   = "root";
+        setuid  = true;
+      }
+    ] ++
+    (lib.optionals config.users.mutableUsers
+     map (x: x // { user = "root";
+                    group   = "root";
+                    setuid  = true;
+                  })
+         [
+           { program = "passwd";
+             source  = "${pkgs.shadow.out}/bin/passwd";
+           }
+
+           { program = "sg";
+             source  = "${pkgs.shadow.out}/bin/sg";
+           }
+
+           { program = "newgrp";
+             source  = "${pkgs.shadow.out}/bin/newgrp";
+           }
+
+           { program = "newuidmap";
+             source  = "${pkgs.shadow.out}/bin/newuidmap";
+           }
+
+           { program = "newgidmap";
+             source  = "${pkgs.shadow.out}/bin/newgidmap";
+           }
+         ]
+    );
   };
-
 }

nixos/modules/rename.nix

@@ -10,7 +10,6 @@ with lib;
     (mkRenamedOptionModule [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ])
     (mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ])
 
-    (mkRenamedOptionModule [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ])
     (mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ])
     (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ])
 

nixos/modules/security/duosec.nix

@@ -193,7 +193,17 @@ in
       ];
 
      environment.systemPackages = [ pkgs.duo-unix ];
-     security.setuidPrograms    = [ "login_duo" ];
+
+     security.permissionsWrappers.setuid =
+     [
+       { program = "login_duo";
+         source  = "${pkgs.duo-unix.out}/bin/login_duo";
+         user    = "root";
+         group   = "root";
+         setuid  = true;
+       }
+     ];
+
      environment.etc = loginCfgFile ++ pamCfgFile;
 
      /* If PAM *and* SSH are enabled, then don't do anything special.

nixos/modules/security/pam.nix

@@ -442,8 +442,25 @@ in
       ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
       ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
 
-    security.setuidPrograms =
-        optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
+    security.permissionsWrappers.setuid =
+      [
+        (optionals config.security.pam.enableEcryptfs
+          { program = "mount.ecryptfs_private"
+            source  = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
+            user    = "root";
+            group   = "root";
+            setuid  = true;
+          })
+          
+        (optionals config.security.pam.enableEcryptfs
+          { program = "umount.ecryptfs_private";
+            source  = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
+            user    = "root";
+            group   = "root";
+            setuid  = true;
+          })
+      ]
+        
 
     environment.etc =
       mapAttrsToList (n: v: makePAMService v) config.security.pam.services;

nixos/modules/security/pam_usb.nix

@@ -32,10 +32,25 @@ in
 
   config = mkIf (cfg.enable || anyUsbAuth) {
 
-    # pmount need to have a set-uid bit to make pam_usb works in user
-    # environment. (like su, sudo)
+    # Make sure pmount and pumount are setuid wrapped.
+    security.permissionsWrappers.setuid =
+      [
+        { program = "pmount";
+          source  = "${pkgs.pmount.out}/bin/pmount";
+          user    = "root";
+          group   = "root";
+          setuid  = true;
+        }
 
-    security.setuidPrograms = [ "pmount" "pumount" ];
+        { program = "pumount";
+          source  = "${pkgs.pmount.out}/bin/pumount";
+          user    = "root";
+          group   = "root";
+          setuid  = true;
+        }
+      ];
+
+setuidPrograms = [ "pmount" "pumount" ];
     environment.systemPackages = [ pkgs.pmount ];
 
   };

nixos/modules/security/permissions-wrappers/default.nix

@@ -43,11 +43,6 @@ let
     '';
 
   ###### Activation script for the setuid wrappers
-  setuidPrograms =
-    (map (x: { program = x; owner = "root"; group = "root"; setuid = true; })
-      config.security.setuidPrograms)
-    ++ config.security.setuidOwners;
-
   makeSetuidWrapper =
     { program
     , source ? null

nixos/modules/security/polkit.nix

@@ -83,7 +83,15 @@ in
 
     security.pam.services.polkit-1 = {};
 
-    security.setuidPrograms = [ "pkexec" ];
+    security.permissionsWrappers.setuid = 
+      [
+        { program = "pkexec";
+          source  = "${pkgs.polkit.out}/bin/pkexec";
+          user    = "root";
+          group   = "root";
+          setuid  = true;
+        }
+      ];
 
     security.setuidOwners = [
       { program = "polkit-agent-helper-1";

nixos/modules/security/sudo.nix

@@ -81,7 +81,22 @@ in
         ${cfg.extraConfig}
       '';
 
-    security.setuidPrograms = [ "sudo" "sudoedit" ];
+    security.permissionsWrappers.setuid =
+     [
+       { program = "sudo";
+         source  = "${pkgs.sudo.out}/bin/sudo";
+         user    = "root";
+         group   = "root";
+         setuid  = true;
+       }
+
+       { program = "sudoedit"
+         source  = "${pkgs.sudo.out}/bin/sudo";
+         user    = "root";
+         group   = "root";
+         setuid  = true;
+       }
+    ];
 
     environment.systemPackages = [ sudo ];
 

nixos/modules/services/mail/exim.nix

@@ -89,7 +89,15 @@ in
       gid = config.ids.gids.exim;
     };
 
-    security.setuidPrograms = [ "exim" ];
+    security.permissionsWrappers.setuid =
+    [
+      { program = "exim";
+        source  = "${pkgs.exim.out}/bin/exim";
+        user    = "root";
+        group   = "root";
+        setuid  = true;
+      }
+    ]
 
     systemd.services.exim = {
       description = "Exim Mail Daemon";

nixos/modules/services/scheduling/cron.nix

@@ -95,7 +95,15 @@ in
 
     (mkIf (config.services.cron.enable) {
 
-      security.setuidPrograms = [ "crontab" ];
+      security.permissionsWrappers.setuid =
+      [
+        { program = "crontab";
+          source  = "${pkgs.cronNixosPkg.out}/bin/crontab";
+          user    = "root";
+          group   = "root";
+          setuid  = true;        
+        }
+      ];
 
       environment.systemPackages = [ cronNixosPkg ];
 

nixos/modules/services/scheduling/fcron.nix

@@ -106,7 +106,15 @@ in
 
     environment.systemPackages = [ pkgs.fcron ];
 
-    security.setuidPrograms = [ "fcrontab" ];
+    security.permissionsWrappers.setuid =
+    [
+      { program = "fcrontab";
+        source  = "${pkgs.fcron.out}/bin/fcrontab";
+        user    = "root";
+        group   = "root";
+        setuid  = true;        
+      }
+    ];
 
     systemd.services.fcron = {
       description = "fcron daemon";

nixos/modules/services/x11/desktop-managers/enlightenment.nix

@@ -62,7 +62,15 @@ in
       '';
     }];
 
-    security.setuidPrograms = [ "e_freqset" ];
+    security.permissionsWrappers.setuid =
+    [
+      { program = "e_freqset";
+        source  = "${e.enlightenment.out}/bin/e_freqset";
+        user    = "root";
+        group   = "root";
+        setuid  = true;        
+      }
+    ];
 
     environment.etc = singleton
       { source = "${pkgs.xkeyboard_config}/etc/X11/xkb";

pkgs/desktops/enlightenment/enlightenment.nix

@@ -40,13 +40,13 @@ stdenv.mkDerivation rec {
   # this is a hack and without this cpufreq module is not working. does the following:
   #   1. moves the "freqset" binary to "e_freqset",
   #   2. linkes "e_freqset" to enlightenment/bin so that,
-  #   3. setuidPrograms detects it and makes appropriate stuff to /var/setuid-wrappers/e_freqset,
-  #   4. and finaly, linkes /var/setuid-wrappers/e_freqset to original destination where enlightenment wants it
+  #   3. permissionsWrappers.setuid detects it and places wrappers in /var/permissions-wrappers/e_freqset,
+  #   4. and finally, links /var/permissions-wrappers/e_freqset to original destination where enlightenment wants it
   postInstall = ''
     export CPUFREQ_DIRPATH=`readlink -f $out/lib/enlightenment/modules/cpufreq/linux-gnu-*`;
     mv $CPUFREQ_DIRPATH/freqset $CPUFREQ_DIRPATH/e_freqset
     ln -sv $CPUFREQ_DIRPATH/e_freqset $out/bin/e_freqset
-    ln -sv /var/setuid-wrappers/e_freqset $CPUFREQ_DIRPATH/freqset
+    ln -sv /var/permissions-wrappers/e_freqset $CPUFREQ_DIRPATH/freqset
   '';
 
   meta = {