Put /var/setuid-wrappers on a tmpfs

This allows all other filesystems to be mounted without the suid option.
2014-04-19 12:40:09 +02:00 · 2014-04-19 12:40:09 +02:00 · 9f1c9404da
commit 9f1c9404da
parent 2a64b0a91b
2 changed files with 8 additions and 3 deletions
--- a/nixos/modules/security/setuid-wrappers.nix
+++ b/nixos/modules/security/setuid-wrappers.nix
@ -117,8 +117,7 @@ in
          # programs to be wrapped.
          SETUID_PATH=${config.system.path}/bin:${config.system.path}/sbin

-          if test -d ${wrapperDir}; then rm -f ${wrapperDir}/*; fi # */
-          mkdir -p ${wrapperDir}
+          rm -f ${wrapperDir}/* # */

          ${concatMapStrings makeSetuidWrapper setuidPrograms}
        '';
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@ -82,7 +82,7 @@ done

 # More special file systems, initialise required directories.
 mkdir -m 0755 /dev/shm
-mount -t tmpfs -o "rw,nosuid,nodev,size=@devShmSize@" tmpfs /dev/shm
+mount -t tmpfs -o "rw,nosuid,nodev,size=@devShmSize@" none /dev/shm
 mkdir -m 0755 -p /dev/pts
 [ -e /proc/bus/usb ] && mount -t usbfs none /proc/bus/usb # UML doesn't have USB by default
 mkdir -m 01777 -p /tmp
@ -149,6 +149,12 @@ else
 fi


+# Create /var/setuid-wrappers as a tmpfs.
+rm -rf /var/setuid-wrappers
+mkdir -m 0755 -p /var/setuid-wrappers
+mount -t tmpfs -o "mode=0755" none /var/setuid-wrappers
+
+
 # Run the script that performs all configuration activation that does
 # not have to be done at boot time.
 echo "running activation script..."