* Make the set of setuid programs configurable.

* Make crontab setuid.

svn path=/nixos/trunk/; revision=7636

system/activate-configuration.sh

@@ -121,7 +121,7 @@ ln -sf /nix/var/nix/profiles /nix/var/nix/gcroots/
 wrapperDir=@wrapperDir@
 if test -d $wrapperDir; then rm -f $wrapperDir/*; fi
 mkdir -p $wrapperDir
-for i in passwd su; do
+for i in @setuidPrograms@; do
     program=$(type -tp $i)
     cp $(type -tp setuid-wrapper) $wrapperDir/$i
     echo -n $program > $wrapperDir/$i.real

system/options.nix

@@ -523,4 +523,14 @@
   }
 
   
+  {
+    name = ["security" "setuidPrograms"];
+    default = ["passwd" "su" "crontab"];
+    description = "
+      Only the programs listed here will be made setuid root (through
+      a wrapper program).
+    ";
+  }
+
+  
 ]

system/system.nix

@@ -189,6 +189,7 @@ rec {
     inherit (pkgs) kernel;
     readOnlyRoot = config.get ["boot" "readOnlyRoot"];
     hostName = config.get ["networking" "hostName"];
+    setuidPrograms = config.get ["security" "setuidPrograms"];
     wrapperDir = setuidWrapper.wrapperDir;
 
     path = [