From 390ab0b3eff809052d5b9d9b5335413b36898481 Mon Sep 17 00:00:00 2001 From: Parnell Springmeyer Date: Fri, 15 Jul 2016 19:10:48 -0500 Subject: [PATCH] everything?: Updating every package that depended on the old setuidPrograms configuration. --- nixos/modules/programs/kbdlight.nix | 9 +++- nixos/modules/programs/light.nix | 9 +++- nixos/modules/programs/shadow.nix | 47 +++++++++++++++++-- nixos/modules/rename.nix | 1 - nixos/modules/security/duosec.nix | 12 ++++- nixos/modules/security/pam.nix | 21 ++++++++- nixos/modules/security/pam_usb.nix | 21 +++++++-- .../security/permissions-wrappers/default.nix | 5 -- nixos/modules/security/polkit.nix | 10 +++- nixos/modules/security/sudo.nix | 17 ++++++- nixos/modules/services/mail/exim.nix | 10 +++- nixos/modules/services/scheduling/cron.nix | 10 +++- nixos/modules/services/scheduling/fcron.nix | 10 +++- .../x11/desktop-managers/enlightenment.nix | 10 +++- pkgs/desktops/enlightenment/enlightenment.nix | 6 +-- 15 files changed, 170 insertions(+), 28 deletions(-) diff --git a/nixos/modules/programs/kbdlight.nix b/nixos/modules/programs/kbdlight.nix index 0172368e968..c3ea6b5e973 100644 --- a/nixos/modules/programs/kbdlight.nix +++ b/nixos/modules/programs/kbdlight.nix @@ -11,6 +11,13 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.kbdlight ]; - security.setuidPrograms = [ "kbdlight" ]; + + security.permissionsWrappers.setuid = + [ { program = "kbdlight"; + source = "${pkgs.kbdlight.out}/bin/kbdlight"; + user = "root"; + group = "root"; + setuid = true; + }]; }; } diff --git a/nixos/modules/programs/light.nix b/nixos/modules/programs/light.nix index 09cd1113d9c..d141eaf66f7 100644 --- a/nixos/modules/programs/light.nix +++ b/nixos/modules/programs/light.nix 
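Review bot: The new entry sets `user = "root"`, but the helper deleted from permissions-wrappers/default.nix later in this same patch built its entries with `owner = "root"`, and the patch never shows makeSetuidWrapper's full parameter list; if the wrapper still expects `owner`, this entry either fails with an unexpected-argument error or has its owner silently defaulted to something other than root. Please confirm the attribute name against makeSetuidWrapper and, if it is `owner`, change the line to `owner = "root";`. The same key is used in every other file of this patch (light.nix, shadow.nix, duosec.nix, pam.nix, pam_usb.nix, polkit.nix, sudo.nix, exim.nix, cron.nix, fcron.nix, enlightenment.nix), so one decision applies to all of them and they are not annotated separately.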
@@ -21,6 +21,13 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.light ]; - security.setuidPrograms = [ "light" ]; + + security.permissionsWrappers.setuid = + [ { program = "light"; + source = "${pkgs.light.out}/bin/light"; + user = "root"; + group = "root"; + setuid = true; + }]; }; } diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index 878c9cc0cf0..8ee324eaf63 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix @@ -102,11 +102,48 @@ in chgpasswd = { rootOK = true; }; }; - security.setuidPrograms = [ "su" "chfn" ] - ++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x - ++ lib.optionals config.users.mutableUsers - [ "passwd" "sg" "newgrp" ]; + security.setuidPrograms = + [ + { program = "su"; + source = "${pkgs.shadow.su}/bin/su"; + user = "root"; + group = "root"; + setuid = true; + } + { program = "chfn"; + source = "${pkgs.shadow.out}/bin/chfn"; + user = "root"; + group = "root"; + setuid = true; + } + ] ++ + (lib.optionals config.users.mutableUsers + map (x: x // { user = "root"; + group = "root"; + setuid = true; + }) + [ + { program = "passwd"; + source = "${pkgs.shadow.out}/bin/passwd"; + } + + { program = "sg"; + source = "${pkgs.shadow.out}/bin/sg"; + } + + { program = "newgrp"; + source = "${pkgs.shadow.out}/bin/newgrp"; + } + + { program = "newuidmap"; + source = "${pkgs.shadow.out}/bin/newuidmap"; + } + + { program = "newgidmap"; + source = "${pkgs.shadow.out}/bin/newgidmap"; + } + ] + ); }; - } diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 412cccc20d5..e4584146d6f 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix 
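Review bot: The rewritten list in shadow.nix is still assigned to `security.setuidPrograms` instead of `security.permissionsWrappers.setuid`, the option every other file in this patch migrates to and whose only visible consumer is deleted from permissions-wrappers/default.nix in the same patch, so su, chfn, passwd and the rest would either lose their setuid wrappers or fail evaluation; change the first line to `security.permissionsWrappers.setuid =`. The expression `lib.optionals config.users.mutableUsers map (x: …) [ … ]` is also mis-parenthesised: `optionals` receives the function `map` as its list argument, which happens to work when `mutableUsers` is true but calls `[]` as a function and aborts when it is false; it needs `(lib.optionals config.users.mutableUsers (map (x: x // { user = "root"; group = "root"; setuid = true; }) [ … ]))`. Separately, `newuidmap` and `newgidmap` were unconditional before (the removed `# new in shadow 4.2.x` line) and are now only present when `users.mutableUsers` is set; if that is not intended they belong in the unconditional list next to su and chfn. The su entry reads `${pkgs.shadow.su}/bin/su` while every other entry uses `.out` — confirm that output exists.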
@@ -10,7 +10,6 @@ with lib; (mkRenamedOptionModule [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ]) (mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ]) - (mkRenamedOptionModule [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ]) (mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ]) (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ]) diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 0e3a54325ca..202218c915c 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -193,7 +193,17 @@ in ]; environment.systemPackages = [ pkgs.duo-unix ]; - security.setuidPrograms = [ "login_duo" ]; + + security.permissionsWrappers.setuid = + [ + { program = "login_duo"; + source = "${pkgs.duo-unix.out}/bin/login_duo"; + user = "root"; + group = "root"; + setuid = true; + } + ]; + environment.etc = loginCfgFile ++ pamCfgFile; /* If PAM *and* SSH are enabled, then don't do anything special. diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 77815cd6dcc..4c6b54f0274 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix 
@@ -442,8 +442,25 @@ in ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ] ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ]; - security.setuidPrograms = - optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ]; + security.permissionsWrappers.setuid = + [ + (optionals config.security.pam.enableEcryptfs + { program = "mount.ecryptfs_private" + source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; + user = "root"; + group = "root"; + setuid = true; + }) + + (optionals config.security.pam.enableEcryptfs + { program = "umount.ecryptfs_private"; + source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; + user = "root"; + group = "root"; + setuid = true; + }) + ] + environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services; diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix index 11708a1f016..699cf6306e1 100644 --- a/nixos/modules/security/pam_usb.nix +++ b/nixos/modules/security/pam_usb.nix @@ -32,10 +32,25 @@ in config = mkIf (cfg.enable || anyUsbAuth) { - # pmount need to have a set-uid bit to make pam_usb works in user - # environment. (like su, sudo) + # Make sure pmount and pumount are setuid wrapped. + security.permissionsWrappers.setuid = + [ + { program = "pmount"; + source = "${pkgs.pmount.out}/bin/pmount"; + user = "root"; + group = "root"; + setuid = true; + } - security.setuidPrograms = [ "pmount" "pumount" ]; + { program = "pumount"; + source = "${pkgs.pmount.out}/bin/pumount"; + user = "root"; + group = "root"; + setuid = true; + } + ]; + +setuidPrograms = [ "pmount" "pumount" ]; environment.systemPackages = [ pkgs.pmount ]; }; diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index a4491946df5..5d4634daf78 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix 
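Review bot: In pam.nix `optionals config.security.pam.enableEcryptfs { program = … }` passes an attribute set where `optionals` expects a list, and wrapping the two results in an outer `[ … ]` would produce a nested list rather than a list of entries; the conditional belongs around the whole list, as below. Two syntax errors also remain on the new side: `program = "mount.ecryptfs_private"` lacks its trailing `;`, and the closing `]` before `environment.etc` lacks the `;` that terminates the attribute. The same missing `;` appears after `program = "sudoedit"` in sudo.nix and after the closing `]` before `systemd.services.exim` in exim.nix; those are not annotated separately.
```nix
    security.permissionsWrappers.setuid =
      optionals config.security.pam.enableEcryptfs
        [ { program = "mount.ecryptfs_private";
            # … unchanged: source/user/group/setuid of the mount entry …
          }
          { program = "umount.ecryptfs_private";
            # … unchanged: source/user/group/setuid of the umount entry …
          }
        ];
```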
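Review bot: In pam_usb.nix the line `setuidPrograms = [ "pmount" "pumount" ];` added at column 0 after the new list is a leftover of the old form: it declares a bare `setuidPrograms` attribute inside the `config` set, which is not a NixOS option, so evaluation fails, and even if it were accepted it would re-declare the two programs just migrated; delete that line. The replacement comment `# Make sure pmount and pumount are setuid wrapped.` drops the reason the old comment gave, which is the part a future reader needs; keep it, e.g. `# pmount/pumount must be setuid so pam_usb works from user sessions (su, sudo).`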
@@ -43,11 +43,6 @@ let ''; ###### Activation script for the setuid wrappers - setuidPrograms = - (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) - config.security.setuidPrograms) - ++ config.security.setuidOwners; - makeSetuidWrapper = { program , source ? null diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index 507f81bbf07..db078667acf 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -83,7 +83,15 @@ in security.pam.services.polkit-1 = {}; - security.setuidPrograms = [ "pkexec" ]; + security.permissionsWrappers.setuid = + [ + { program = "pkexec"; + source = "${pkgs.polkit.out}/bin/pkexec"; + user = "root"; + group = "root"; + setuid = true; + } + ]; security.setuidOwners = [ { program = "polkit-agent-helper-1"; diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index bced2a6ed75..06dde14cd1c 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -81,7 +81,22 @@ in ${cfg.extraConfig} ''; - security.setuidPrograms = [ "sudo" "sudoedit" ]; + security.permissionsWrappers.setuid = + [ + { program = "sudo"; + source = "${pkgs.sudo.out}/bin/sudo"; + user = "root"; + group = "root"; + setuid = true; + } + + { program = "sudoedit" + source = "${pkgs.sudo.out}/bin/sudo"; + user = "root"; + group = "root"; + setuid = true; + } + ]; environment.systemPackages = [ sudo ]; diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index e0890d96a88..aad497cbc71 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -89,7 +89,15 @@ in gid = config.ids.gids.exim; }; - security.setuidPrograms = [ "exim" ]; + security.permissionsWrappers.setuid = + [ + { program = "exim"; + source = "${pkgs.exim.out}/bin/exim"; + user = "root"; + group = "root"; + setuid = true; + } + ] systemd.services.exim = { description = "Exim Mail Daemon"; 
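Review bot: The trailing context of the polkit.nix hunk still shows `security.setuidOwners = [ { program = "polkit-agent-helper-1";`, but the only reader of `config.security.setuidOwners` visible in this patch is the `let` binding deleted from permissions-wrappers/default.nix, so unless that option is consumed somewhere not shown, the polkit agent helper silently loses its setuid wrapper (or evaluation fails if the option was removed outright). Migrate it the same way as pkexec: move the entry, with the `source` the existing setuidOwners entry carries, into the new `security.permissionsWrappers.setuid` list and drop `security.setuidOwners` here. The rest of that entry lies outside the hunk, so its current fields cannot be checked from this patch.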
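Review bot: In sudo.nix both wrapper sources point at `${pkgs.sudo.out}/bin/sudo`, while the context line `environment.systemPackages = [ sudo ];` installs `sudo` as a bare name, i.e. from a `with pkgs;` scope or a `let` binding defined above the hunk; if that binding is anything other than `pkgs.sudo` itself (an override, for instance), the installed sudo and the setuid binary would be different derivations — using the same binding, `source = "${sudo.out}/bin/sudo";`, removes the ambiguity. The `sudoedit` wrapper also execs the plain `sudo` binary, which only behaves as sudoedit if the wrapper passes the `sudoedit` argv[0] through, something this patch does not show; confirm that, or point the source at the package's `sudoedit` entry point if it ships one.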
diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index f5e132fd77d..541fbb7ee64 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -95,7 +95,15 @@ in (mkIf (config.services.cron.enable) { - security.setuidPrograms = [ "crontab" ]; + security.permissionsWrappers.setuid = + [ + { program = "crontab"; + source = "${pkgs.cronNixosPkg.out}/bin/crontab"; + user = "root"; + group = "root"; + setuid = true; + } + ]; environment.systemPackages = [ cronNixosPkg ]; diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index 7b4665a8204..6e8465ab08f 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -106,7 +106,15 @@ in environment.systemPackages = [ pkgs.fcron ]; - security.setuidPrograms = [ "fcrontab" ]; + security.permissionsWrappers.setuid = + [ + { program = "fcrontab"; + source = "${pkgs.fcron.out}/bin/fcrontab"; + user = "root"; + group = "root"; + setuid = true; + } + ]; systemd.services.fcron = { description = "fcron daemon"; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 8a03dd65b33..b55950c6373 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -62,7 +62,15 @@ in ''; }]; - security.setuidPrograms = [ "e_freqset" ]; + security.permissionsWrappers.setuid = + [ + { program = "e_freqset"; + source = "${e.enlightenment.out}/bin/e_freqset"; + user = "root"; + group = "root"; + setuid = true; + } + ]; environment.etc = singleton { source = "${pkgs.xkeyboard_config}/etc/X11/xkb"; diff --git a/pkgs/desktops/enlightenment/enlightenment.nix b/pkgs/desktops/enlightenment/enlightenment.nix index f4ff94ad088..979843ffe9c 100644 
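Review bot: In cron.nix `source = "${pkgs.cronNixosPkg.out}/bin/crontab"` looks `cronNixosPkg` up under `pkgs`, but the context line `environment.systemPackages = [ cronNixosPkg ];` refers to it as a bare name, i.e. a binding local to this module (defined above the hunk); unless pkgs really exposes that attribute, evaluation fails with a missing attribute, and even if it did the installed cron and the setuid crontab would come from different derivations. Use the local binding: `source = "${cronNixosPkg}/bin/crontab";`.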
--- a/pkgs/desktops/enlightenment/enlightenment.nix +++ b/pkgs/desktops/enlightenment/enlightenment.nix @@ -40,13 +40,13 @@ stdenv.mkDerivation rec { # this is a hack and without this cpufreq module is not working. does the following: # 1. moves the "freqset" binary to "e_freqset", # 2. linkes "e_freqset" to enlightenment/bin so that, - # 3. setuidPrograms detects it and makes appropriate stuff to /var/setuid-wrappers/e_freqset, - # 4. and finaly, linkes /var/setuid-wrappers/e_freqset to original destination where enlightenment wants it + # 3. permissionsWrappers.setuid detects it and places wrappers in /var/permissions-wrappers/e_freqset, + # 4. and finally, links /var/permissions-wrappers/e_freqset to original destination where enlightenment wants it postInstall = '' export CPUFREQ_DIRPATH=`readlink -f $out/lib/enlightenment/modules/cpufreq/linux-gnu-*`; mv $CPUFREQ_DIRPATH/freqset $CPUFREQ_DIRPATH/e_freqset ln -sv $CPUFREQ_DIRPATH/e_freqset $out/bin/e_freqset - ln -sv /var/setuid-wrappers/e_freqset $CPUFREQ_DIRPATH/freqset + ln -sv /var/permissions-wrappers/e_freqset $CPUFREQ_DIRPATH/freqset ''; meta = {
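Review bot: The package's postInstall now hard-codes `/var/permissions-wrappers/e_freqset`, which ties the derivation to whatever directory the NixOS permissions-wrappers module uses; that directory is not shown anywhere in this patch, so if the module and the package ever disagree, the `freqset` symlink dangles and the cpufreq module silently runs without its privileged helper. At minimum the coupling should be recorded next to the `ln -sv` line, e.g. `# must match the wrapper directory created by nixos/modules/security/permissions-wrappers`.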