From 9f1c9404da858eb6347493190e40e59c7f81f2c8 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Sat, 19 Apr 2014 12:40:09 +0200
Subject: [PATCH] Put /var/setuid-wrappers on a tmpfs
This allows all other filesystems to be mounted without the suid option.
---
 nixos/modules/security/setuid-wrappers.nix | 3 +--
 nixos/modules/system/boot/stage-2-init.sh | 8 +++++++-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/security/setuid-wrappers.nix b/nixos/modules/security/setuid-wrappers.nix
index 450fed73658..4cdc1023baa 100644
--- a/nixos/modules/security/setuid-wrappers.nix
+++ b/nixos/modules/security/setuid-wrappers.nix
@@ -117,8 +117,7 @@ in
 # programs to be wrapped.
 SETUID_PATH=${config.system.path}/bin:${config.system.path}/sbin
- if test -d ${wrapperDir}; then rm -f ${wrapperDir}/*; fi # */
- mkdir -p ${wrapperDir}
+ rm -f ${wrapperDir}/* # */
 ${concatMapStrings makeSetuidWrapper setuidPrograms}
 '';
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index 57f85674c5b..a64c6cdfa19 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -82,7 +82,7 @@ done
 # More special file systems, initialise required directories.
 mkdir -m 0755 /dev/shm
-mount -t tmpfs -o "rw,nosuid,nodev,size=@devShmSize@" tmpfs /dev/shm
+mount -t tmpfs -o "rw,nosuid,nodev,size=@devShmSize@" none /dev/shm
 mkdir -m 0755 -p /dev/pts
 [ -e /proc/bus/usb ] && mount -t usbfs none /proc/bus/usb # UML doesn't have USB by default
 mkdir -m 01777 -p /tmp
@@ -149,6 +149,12 @@ else
 fi
+# Create /var/setuid-wrappers as a tmpfs.
+rm -rf /var/setuid-wrappers
+mkdir -m 0755 -p /var/setuid-wrappers
+mount -t tmpfs -o "mode=0755" none /var/setuid-wrappers
+
+
 # Run the script that performs all configuration activation that does
 # not have to be done at boot time.
 echo "running activation script..."
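Review bot: Dropping `mkdir -p ${wrapperDir}` makes the activation script depend on stage-2-init having already mounted a tmpfs at exactly this path, but wrapperDir is a Nix binding while stage-2-init.sh hardcodes /var/setuid-wrappers, so a changed wrapperDir, or an activation run on a system booted with a stage-2 that predates this commit, leaves no directory for the wrappers and `rm -f ${wrapperDir}/*` silently does nothing. Keeping `mkdir -p ${wrapperDir}` before the rm is harmless on the tmpfs and preserves the old behaviour in those cases; if the intent is that wrappers must only ever live on the tmpfs, an explicit check such as `test -d ${wrapperDir} || echo "warning: ${wrapperDir} missing, setuid wrappers not created" >&2` makes the failure visible instead. The enclosing shell string starts and ends outside the hunk.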
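Review bot: The new mount of /var/setuid-wrappers at the end of the second stage-2-init.sh hunk is unchecked and carries only `mode=0755`; if `mount` fails, the activation script will populate the plain directory on the root filesystem, which this commit intends to allow mounting nosuid, so the wrappers would silently stop working. The directory only ever holds wrapper executables, so `nodev` can be added without loss, and a `size=` cap would bound the memory the filesystem can consume, as the /dev/shm mount in the earlier hunk already does: `mount -t tmpfs -o "mode=0755,nodev" none /var/setuid-wrappers || echo "warning: mounting /var/setuid-wrappers failed" >&2`. The path is also hardcoded here while setuid-wrappers.nix uses the wrapperDir binding; a comment such as `# Must match wrapperDir in security/setuid-wrappers.nix` would keep the two in step.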