* Make the set of setuid programs configurable.
* Make crontab setuid. svn path=/nixos/trunk/; revision=7636
parent
6b364875f9
commit
580f98f1ed
@ -121,7 +121,7 @@ ln -sf /nix/var/nix/profiles /nix/var/nix/gcroots/
|
||||
wrapperDir=@wrapperDir@
|
||||
if test -d $wrapperDir; then rm -f $wrapperDir/*; fi
|
||||
mkdir -p $wrapperDir
|
||||
for i in passwd su; do
|
||||
for i in @setuidPrograms@; do
|
||||
program=$(type -tp $i)
|
||||
cp $(type -tp setuid-wrapper) $wrapperDir/$i
|
||||
echo -n $program > $wrapperDir/$i.real
|
||||
|
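Review bot: The lookup on the `program=$(type -tp $i)` line has no failure check, so with the loop now driven by a user-supplied `@setuidPrograms@` list, a mistyped or absent program still gets a setuid wrapper installed and an empty `$i.real` target file, which is a silently misconfigured root-privileged binary rather than an error. Check the lookup before copying the wrapper, e.g. `program=$(type -tp "$i") || { echo "setuid program '$i' not found in PATH, skipping" >&2; continue; }`, and quote `$i` and `$program` in the `cp` and `echo` lines. Whether later lines in the loop (the chown/chmod that actually sets the setuid bit is presumably there) already guard against an empty `.real` is not visible, since the loop body continues past the end of this hunk.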
@ -523,4 +523,14 @@
|
||||
}
|
||||
|
||||
|
||||
{
|
||||
name = ["security" "setuidPrograms"];
|
||||
default = ["passwd" "su" "crontab"];
|
||||
description = "
|
||||
Only the programs listed here will be made setuid root (through
|
||||
a wrapper program).
|
||||
";
|
||||
}
|
||||
|
||||
|
||||
]
|
||||
|
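Review bot: The description of the new `security.setuidPrograms` option does not tell an administrator what an entry means or what adding one implies, and for an option that hands out root it should. From the activation script in the other hunk, each entry is a bare program name resolved with `type -tp` from the activation script's PATH, not a store path, and each resolved program becomes setuid root through the wrapper. I would extend the description to: "Each entry is a program name looked up in the activation PATH. Adding a program here lets it run as root for any local user, so list only programs that are written to be safe as setuid root." The default now silently adds crontab to the setuid set; noting that in the description (or the option's documentation) would make the change visible to people upgrading.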
@ -189,6 +189,7 @@ rec {
|
||||
inherit (pkgs) kernel;
|
||||
readOnlyRoot = config.get ["boot" "readOnlyRoot"];
|
||||
hostName = config.get ["networking" "hostName"];
|
||||
setuidPrograms = config.get ["security" "setuidPrograms"];
|
||||
wrapperDir = setuidWrapper.wrapperDir;
|
||||
|
||||
path = [
|
||||
|
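Review bot: The `setuidPrograms = config.get ["security" "setuidPrograms"];` binding feeds the list straight into the `@setuidPrograms@` placeholder of the activation script, where the shell word-splits it, so an entry containing whitespace or shell metacharacters would be reinterpreted by a root-run script rather than rejected. How the Nix list is rendered into that string is not visible here, so I cannot tell whether anything already constrains the entries; if not, validating each name against something like `^[A-Za-z0-9_.+-]+$` before substitution, or building the per-program wrapper commands in Nix instead of splicing text into shell, would make bad configuration fail at build time. The enclosing `rec { ... }` set starts and ends outside this hunk.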