public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/atd: remove "batch" from setuid wrappers 

"batch" is a shell script so invoking it via setuid wrapper never worked
anyway. (The kernel drops perms on executables with shebang.) A previous
nixpkgs commit made "batch" invoke the NixOS setuid "at" wrapper to gain
needed privileges.

Thanks to @yesbox for noticing.
This commit is contained in:
Bjørn Forsman 2017-10-15 11:20:11 +02:00
parent 943730ff9b
commit 497108b456
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nixos/modules/services/scheduling/atd.nix
View File

@ -42,6 +42,8 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Not wrapping "batch" because it's a shell script (kernel drops perms
# anyway) and it's patched to invoke the "at" setuid wrapper.
security.wrappers = builtins.listToAttrs ( security.wrappers = builtins.listToAttrs (
map (program: { name = "${program}"; value = { map (program: { name = "${program}"; value = {
source = "${at}/bin/${program}"; source = "${at}/bin/${program}";
@ -49,7 +51,7 @@ in
group = "atd"; group = "atd";
setuid = true; setuid = true;
setgid = true; setgid = true;
};}) [ "at" "atq" "atrm" "batch" ]); };}) [ "at" "atq" "atrm" ]);
environment.systemPackages = [ at ]; environment.systemPackages = [ at ];