public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Using para tags for manual formatting

Browse Source
This commit is contained in:
Parnell Springmeyer 2017-02-14 08:53:30 -06:00
parent 794b3721bc
commit 69794e333a
No known key found for this signature in database
GPG Key ID: DCCF89258EAD874A
1 changed files with 16 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
nixos/modules/security/wrappers/default.nix
View File

@ -109,26 +109,27 @@ in
}; };
}; };
description = '' description = ''
This option allows the ownership and permissions on the setuid <para>This option allows the ownership and permissions on the
wrappers for specific programs to be overridden from the setuid wrappers for specific programs to be overridden from
default (setuid root, but not setgid root). the default (setuid root, but not setgid root).</para>
Additionally, this option can set capabilities on a wrapper <para>Additionally, this option can set capabilities on a
program that propagates those capabilities down to the wrapper program that propagates those capabilities down to the
wrapped, real program. wrapped, real program.</para>
The <literal>program</literal> attribute is the name of the <para>The <literal>program</literal> attribute is the name of
program to be wrapped. If no <literal>source</literal> the program to be wrapped. If no <literal>source</literal>
attribute is provided, specifying the absolute path to the attribute is provided, specifying the absolute path to the
program, then the program will be searched for in the path program, then the program will be searched for in the path
environment variable. environment variable.</para>
NOTE: cap_setpcap, which is required for the wrapper program <para>NOTE: cap_setpcap, which is required for the wrapper
to be able to raise caps into the Ambient set is NOT raised to program to be able to raise caps into the Ambient set is NOT
the Ambient set so that the real program cannot modify its own raised to the Ambient set so that the real program cannot
capabilities!! This may be too restrictive for cases in which modify its own capabilities!! This may be too restrictive for
the real program needs cap_setpcap but it at least leans on cases in which the real program needs cap_setpcap but it at
the side security paranoid vs. too relaxed. least leans on the side security paranoid vs. too
relaxed.</para>
''; '';
}; };