From 580f98f1ed15f16bfa5f88cbe0331709c4075d45 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Thu, 11 Jan 2007 16:29:23 +0000
Subject: [PATCH] * Make the set of setuid programs configurable. * Make
 crontab setuid.

svn path=/nixos/trunk/; revision=7636
---
 system/activate-configuration.sh |  2 +-
 system/options.nix               | 10 ++++++++++
 system/system.nix                |  1 +
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/system/activate-configuration.sh b/system/activate-configuration.sh
index d00bba5d442..647ba768d44 100644
--- a/system/activate-configuration.sh
+++ b/system/activate-configuration.sh
@@ -121,7 +121,7 @@ ln -sf /nix/var/nix/profiles /nix/var/nix/gcroots/
 wrapperDir=@wrapperDir@
 if test -d $wrapperDir; then rm -f $wrapperDir/*; fi
 mkdir -p $wrapperDir
-for i in passwd su; do
+for i in @setuidPrograms@; do
     program=$(type -tp $i)
     cp $(type -tp setuid-wrapper) $wrapperDir/$i
     echo -n $program > $wrapperDir/$i.real
diff --git a/system/options.nix b/system/options.nix
index b182e673b97..6216025c45b 100644
--- a/system/options.nix
+++ b/system/options.nix
@@ -523,4 +523,14 @@
   }
 
   
+  {
+    name = ["security" "setuidPrograms"];
+    default = ["passwd" "su" "crontab"];
+    description = "
+      Only the programs listed here will be made setuid root (through
+      a wrapper program).
+    ";
+  }
+
+  
 ]
diff --git a/system/system.nix b/system/system.nix
index 2cfc6f2ee7c..1cd6e8e5b69 100644
--- a/system/system.nix
+++ b/system/system.nix
@@ -189,6 +189,7 @@ rec {
     inherit (pkgs) kernel;
     readOnlyRoot = config.get ["boot" "readOnlyRoot"];
     hostName = config.get ["networking" "hostName"];
+    setuidPrograms = config.get ["security" "setuidPrograms"];
     wrapperDir = setuidWrapper.wrapperDir;
 
     path = [