public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Removing dead code

Browse Source
This commit is contained in:
Parnell Springmeyer 2017-01-29 01:22:19 -06:00
parent 82de4c0fad
commit 70ec24093c
No known key found for this signature in database
GPG Key ID: DCCF89258EAD874A
1 changed files with 23 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
nixos/modules/security/wrappers/default.nix
View File

@ -76,37 +76,6 @@ in
###### interface ###### interface
options = { options = {
security.wrappers.setcap = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
default = [];
example =
[ { program = "ping";
source = "${pkgs.iputils.out}/bin/ping";
owner = "nobody";
group = "nogroup";
capabilities = "cap_net_raw+ep";
}
];
description = ''
This option sets capabilities on a wrapper program that
propagates those capabilities down to the wrapped, real
program.
The <literal>program</literal> attribute is the name of the
program to be wrapped. If no <literal>source</literal>
attribute is provided, specifying the absolute path to the
program, then the program will be searched for in the path
environment variable.
NOTE: cap_setpcap, which is required for the wrapper program
to be able to raise caps into the Ambient set is NOT raised to
the Ambient set so that the real program cannot modify its own
capabilities!! This may be too restrictive for cases in which
the real program needs cap_setpcap but it at least leans on
the side security paranoid vs. too relaxed.
'';
};
security.setuidPrograms = mkOption { security.setuidPrograms = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = [];
@ -125,11 +94,34 @@ in
default = {}; default = {};
example = { example = {
sendmail.source = "/nix/store/.../bin/sendmail"; sendmail.source = "/nix/store/.../bin/sendmail";
ping = {
source = "${pkgs.iputils.out}/bin/ping";
owner = "nobody";
group = "nogroup";
capabilities = "cap_net_raw+ep";
};
}; };
description = '' description = ''
This option allows the ownership and permissions on the setuid This option allows the ownership and permissions on the setuid
wrappers for specific programs to be overridden from the wrappers for specific programs to be overridden from the
default (setuid root, but not setgid root). default (setuid root, but not setgid root).
Additionally, this option can set capabilities on a wrapper
program that propagates those capabilities down to the
wrapped, real program.
The <literal>program</literal> attribute is the name of the
program to be wrapped. If no <literal>source</literal>
attribute is provided, specifying the absolute path to the
program, then the program will be searched for in the path
environment variable.
NOTE: cap_setpcap, which is required for the wrapper program
to be able to raise caps into the Ambient set is NOT raised to
the Ambient set so that the real program cannot modify its own
capabilities!! This may be too restrictive for cases in which
the real program needs cap_setpcap but it at least leans on
the side security paranoid vs. too relaxed.
''; '';
}; };