From f0eb823a34f103bceef4b6fcf0406634b08f937d Mon Sep 17 00:00:00 2001 From: "Yury G. Kudryashov" Date: Fri, 13 Aug 2010 14:07:34 +0000 Subject: [PATCH] Add unix_chkpwd suid wrapper svn path=/nixos/trunk/; revision=23165 --- modules/security/pam.nix | 12 ++++++++++-- modules/security/setuid-wrappers.nix | 3 ++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 5c59282fe8a..a5491792f7e 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -191,7 +191,7 @@ in ###### implementation config = { - + environment.systemPackages = # Include the PAM modules in the system path mostly for the manpages. [ pkgs.pam ] @@ -205,6 +205,14 @@ in target = "pam.d/other"; }; + security.setuidOwners = [ { + program = "unix_chkpwd"; + source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; + owner = "root"; + setuid = true; + } ]; + + security.pam.services = # Most of these should be moved to specific modules. [ { name = "cups"; } @@ -217,5 +225,5 @@ in ]; }; - + } diff --git a/modules/security/setuid-wrappers.nix b/modules/security/setuid-wrappers.nix index a7513477353..3c4a08c16b7 100644 --- a/modules/security/setuid-wrappers.nix +++ b/modules/security/setuid-wrappers.nix @@ -62,7 +62,8 @@ in default = "/var/setuid-wrappers"; description = '' This option defines the path to the setuid wrappers. It - should generally not be overriden. + should generally not be overriden. Some packages in nixpkgs rely on + wrapperDir == /var/setuid-wrappers ''; };
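Review bot: The new `security.setuidOwners` entry in the second pam.nix hunk installs a root-setuid `unix_chkpwd` with no comment explaining why. It also sets `owner` and `setuid` but no `group`, so who may execute the helper depends on defaults defined outside this diff. I would add a comment above the entry such as `# pam_unix runs this helper to verify the calling user's own password when the process cannot read the shadow file.` and state the group explicitly next to `owner = "root";` (the right value depends on policy not shown here). The source path ends in `unix_chkpwd.orig`, which suggests pkgs.pam renames the real binary and redirects callers to the wrapper; that packaging change is not in this commit, so confirm it is in place, otherwise the wrapper would never be reached. The enclosing `config` block starts and ends outside this hunk.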
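Review bot: The added description text in setuid-wrappers.nix says packages depend on `wrapperDir == /var/setuid-wrappers`, but the option stays freely overridable and nothing in the hunk checks the value. A changed `wrapperDir` would presumably leave helpers such as the `unix_chkpwd` wrapper from pam.nix at a path their callers do not look at, which would show up as failed authentication at run time rather than as an evaluation error. I would make the text more direct, e.g. `Do not override: some packages in nixpkgs hard-code /var/setuid-wrappers.`, and correct the spelling to `overridden`. The option declaration starts outside the hunk.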