everything?: Updating every package that depended on the old setuidPrograms configuration.

2016-07-15 19:10:48 -05:00 · 2016-07-15 19:10:48 -05:00 · 390ab0b3ef
parent 81b33eb466
commit 390ab0b3ef
15 changed files with 170 additions and 28 deletions
--- a/nixos/modules/programs/kbdlight.nix
+++ b/nixos/modules/programs/kbdlight.nix
@ -11,6 +11,13 @@ in
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.kbdlight ];
-    security.setuidPrograms = [ "kbdlight" ];
+
    security.permissionsWrappers.setuid =
    [ { program = "kbdlight";
        source  = "${pkgs.kbdlight.out}/bin/kbdlight";
        user    = "root";
        group   = "root";
        setuid  = true;        
    }];
  };
 }
--- a/nixos/modules/programs/light.nix
+++ b/nixos/modules/programs/light.nix
@ -21,6 +21,13 @@ in
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.light ];
-    security.setuidPrograms = [ "light" ];
+
    security.permissionsWrappers.setuid =
    [ { program = "light";
        source  = "${pkgs.light.out}/bin/light";
        user    = "root";
        group   = "root";
        setuid  = true;        
    }];
  };
 }
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@ -102,11 +102,48 @@ in
        chgpasswd = { rootOK = true; };
      };
-    security.setuidPrograms = [ "su" "chfn" ]
+    security.setuidPrograms = 
-      ++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x
+    [
-      ++ lib.optionals config.users.mutableUsers
+      { program = "su";
-      [ "passwd" "sg" "newgrp" ];
+        source  = "${pkgs.shadow.su}/bin/su";
        user    = "root";
        group   = "root";
        setuid  = true;        
      }
      { program = "chfn";
        source  = "${pkgs.shadow.out}/bin/chfn";
        user    = "root";
        group   = "root";
        setuid  = true;
      }
    ] ++
    (lib.optionals config.users.mutableUsers
     map (x: x // { user = "root";
                    group   = "root";
                    setuid  = true;
                  })
         [
           { program = "passwd";
             source  = "${pkgs.shadow.out}/bin/passwd";
           }
           { program = "sg";
             source  = "${pkgs.shadow.out}/bin/sg";
           }
           { program = "newgrp";
             source  = "${pkgs.shadow.out}/bin/newgrp";
           }
           { program = "newuidmap";
             source  = "${pkgs.shadow.out}/bin/newuidmap";
           }
           { program = "newgidmap";
             source  = "${pkgs.shadow.out}/bin/newgidmap";
           }
         ]
    );
  };
 }
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -10,7 +10,6 @@ with lib;
    (mkRenamedOptionModule [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ])
    (mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ])
    (mkRenamedOptionModule [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ])
    (mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ])
    (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ])
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@ -193,7 +193,17 @@ in
      ];
     environment.systemPackages = [ pkgs.duo-unix ];
-     security.setuidPrograms    = [ "login_duo" ];
+
     security.permissionsWrappers.setuid =
     [
       { program = "login_duo";
         source  = "${pkgs.duo-unix.out}/bin/login_duo";
         user    = "root";
         group   = "root";
         setuid  = true;
       }
     ];
     environment.etc = loginCfgFile ++ pamCfgFile;
     /* If PAM *and* SSH are enabled, then don't do anything special.
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -442,8 +442,25 @@ in
      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
      ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
-    security.setuidPrograms =
+    security.permissionsWrappers.setuid =
-        optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
+      [
        (optionals config.security.pam.enableEcryptfs
          { program = "mount.ecryptfs_private"
            source  = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
            user    = "root";
            group   = "root";
            setuid  = true;
          })
        (optionals config.security.pam.enableEcryptfs
          { program = "umount.ecryptfs_private";
            source  = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
            user    = "root";
            group   = "root";
            setuid  = true;
          })
      ]
    environment.etc =
      mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
--- a/nixos/modules/security/pam_usb.nix
+++ b/nixos/modules/security/pam_usb.nix
@ -32,10 +32,25 @@ in
  config = mkIf (cfg.enable || anyUsbAuth) {
-    # pmount need to have a set-uid bit to make pam_usb works in user
+    # Make sure pmount and pumount are setuid wrapped.
-    # environment. (like su, sudo)
+    security.permissionsWrappers.setuid =
      [
        { program = "pmount";
          source  = "${pkgs.pmount.out}/bin/pmount";
          user    = "root";
          group   = "root";
          setuid  = true;
        }
-    security.setuidPrograms = [ "pmount" "pumount" ];
+        { program = "pumount";
          source  = "${pkgs.pmount.out}/bin/pumount";
          user    = "root";
          group   = "root";
          setuid  = true;
        }
      ];
 setuidPrograms = [ "pmount" "pumount" ];
    environment.systemPackages = [ pkgs.pmount ];
  };
--- a/nixos/modules/security/permissions-wrappers/default.nix
+++ b/nixos/modules/security/permissions-wrappers/default.nix
@ -43,11 +43,6 @@ let
    '';
  ###### Activation script for the setuid wrappers
  setuidPrograms =
    (map (x: { program = x; owner = "root"; group = "root"; setuid = true; })
      config.security.setuidPrograms)
    ++ config.security.setuidOwners;
  makeSetuidWrapper =
    { program
    , source ? null
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@ -83,7 +83,15 @@ in
    security.pam.services.polkit-1 = {};
-    security.setuidPrograms = [ "pkexec" ];
+    security.permissionsWrappers.setuid = 
      [
        { program = "pkexec";
          source  = "${pkgs.polkit.out}/bin/pkexec";
          user    = "root";
          group   = "root";
          setuid  = true;
        }
      ];
    security.setuidOwners = [
      { program = "polkit-agent-helper-1";
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@ -81,7 +81,22 @@ in
        ${cfg.extraConfig}
      '';
-    security.setuidPrograms = [ "sudo" "sudoedit" ];
+    security.permissionsWrappers.setuid =
     [
       { program = "sudo";
         source  = "${pkgs.sudo.out}/bin/sudo";
         user    = "root";
         group   = "root";
         setuid  = true;
       }
       { program = "sudoedit"
         source  = "${pkgs.sudo.out}/bin/sudo";
         user    = "root";
         group   = "root";
         setuid  = true;
       }
    ];
    environment.systemPackages = [ sudo ];
--- a/nixos/modules/services/mail/exim.nix
+++ b/nixos/modules/services/mail/exim.nix
@ -89,7 +89,15 @@ in
      gid = config.ids.gids.exim;
    };
-    security.setuidPrograms = [ "exim" ];
+    security.permissionsWrappers.setuid =
    [
      { program = "exim";
        source  = "${pkgs.exim.out}/bin/exim";
        user    = "root";
        group   = "root";
        setuid  = true;
      }
    ]
    systemd.services.exim = {
      description = "Exim Mail Daemon";
--- a/nixos/modules/services/scheduling/cron.nix
+++ b/nixos/modules/services/scheduling/cron.nix
@ -95,7 +95,15 @@ in
    (mkIf (config.services.cron.enable) {
-      security.setuidPrograms = [ "crontab" ];
+      security.permissionsWrappers.setuid =
      [
        { program = "crontab";
          source  = "${pkgs.cronNixosPkg.out}/bin/crontab";
          user    = "root";
          group   = "root";
          setuid  = true;        
        }
      ];
      environment.systemPackages = [ cronNixosPkg ];
--- a/nixos/modules/services/scheduling/fcron.nix
+++ b/nixos/modules/services/scheduling/fcron.nix
@ -106,7 +106,15 @@ in
    environment.systemPackages = [ pkgs.fcron ];
-    security.setuidPrograms = [ "fcrontab" ];
+    security.permissionsWrappers.setuid =
    [
      { program = "fcrontab";
        source  = "${pkgs.fcron.out}/bin/fcrontab";
        user    = "root";
        group   = "root";
        setuid  = true;        
      }
    ];
    systemd.services.fcron = {
      description = "fcron daemon";
--- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@ -62,7 +62,15 @@ in
      '';
    }];
-    security.setuidPrograms = [ "e_freqset" ];
+    security.permissionsWrappers.setuid =
    [
      { program = "e_freqset";
        source  = "${e.enlightenment.out}/bin/e_freqset";
        user    = "root";
        group   = "root";
        setuid  = true;        
      }
    ];
    environment.etc = singleton
      { source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
--- a/pkgs/desktops/enlightenment/enlightenment.nix
+++ b/pkgs/desktops/enlightenment/enlightenment.nix
@ -40,13 +40,13 @@ stdenv.mkDerivation rec {
  # this is a hack and without this cpufreq module is not working. does the following:
  #   1. moves the "freqset" binary to "e_freqset",
  #   2. linkes "e_freqset" to enlightenment/bin so that,
-  #   3. setuidPrograms detects it and makes appropriate stuff to /var/setuid-wrappers/e_freqset,
+  #   3. permissionsWrappers.setuid detects it and places wrappers in /var/permissions-wrappers/e_freqset,
-  #   4. and finaly, linkes /var/setuid-wrappers/e_freqset to original destination where enlightenment wants it
+  #   4. and finally, links /var/permissions-wrappers/e_freqset to original destination where enlightenment wants it
  postInstall = ''
    export CPUFREQ_DIRPATH=`readlink -f $out/lib/enlightenment/modules/cpufreq/linux-gnu-*`;
    mv $CPUFREQ_DIRPATH/freqset $CPUFREQ_DIRPATH/e_freqset
    ln -sv $CPUFREQ_DIRPATH/e_freqset $out/bin/e_freqset
-    ln -sv /var/setuid-wrappers/e_freqset $CPUFREQ_DIRPATH/freqset
+    ln -sv /var/permissions-wrappers/e_freqset $CPUFREQ_DIRPATH/freqset
  '';
  meta = {