From 497108b4568d01cefee6acdf92b738ee80e22023 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?=
Date: Sun, 15 Oct 2017 11:20:11 +0200
Subject: [PATCH] nixos/atd: remove "batch" from setuid wrappers

"batch" is a shell script so invoking it via setuid wrapper never worked anyway. (The kernel drops perms on executables with shebang.) A previous nixpkgs commit made "batch" invoke the NixOS setuid "at" wrapper to gain needed privileges.

Thanks to @yesbox for noticing.
---
 nixos/modules/services/scheduling/atd.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix
index 0216c9771c9..77a3f6b51e8 100644
--- a/nixos/modules/services/scheduling/atd.nix
+++ b/nixos/modules/services/scheduling/atd.nix
@@ -42,6 +42,8 @@ in
 
   config = mkIf cfg.enable {
 
+    # Not wrapping "batch" because it's a shell script (kernel drops perms
+    # anyway) and it's patched to invoke the "at" setuid wrapper.
     security.wrappers = builtins.listToAttrs (
       map (program: { name = "${program}"; value = {
       source = "${at}/bin/${program}";
@@ -49,7 +51,7 @@ in
       group = "atd";
       setuid = true;
       setgid = true;
-      };}) [ "at" "atq" "atrm" "batch" ]);
+      };}) [ "at" "atq" "atrm" ]);
 
   environment.systemPackages = [ at ];
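Review bot: The new comment above security.wrappers states that "batch" is patched to call the "at" setuid wrapper but does not say where that patch lives, so someone auditing the wrapper set from this module cannot check the claim. Consider naming it: `# "batch" is a shell script (the kernel ignores setuid on interpreted executables), so it is not wrapped; the at package is patched to exec the "at" wrapper instead — see <path to the batch patch in the at package>`. It also seems worth recording that the patched script presumably hard-codes the wrapper location, so dropping "at" from this list would break "batch" silently; confirm against the package patch before wording it that way. The enclosing security.wrappers expression continues past the hunk.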