Convert "nixos security options"

svn path=/nixos/branches/fix-style/; revision=14363
2009-03-06 12:25:46 +00:00 · 2009-03-06 12:25:46 +00:00 · f889d6215e
commit f889d6215e
parent b5a7c767c5
2 changed files with 52 additions and 38 deletions
--- a/system/nixos-security.nix
+++ b/system/nixos-security.nix
@ -0,0 +1,49 @@
 {pkgs, config, ...}:
 let
  inherit (pkgs.lib) mergeOneOption mkOption mkIf;
 in
 {
  require = [
    {
      security = {
        setuidPrograms = mkOption {
          default = [
            "passwd" "su" "crontab" "ping" "ping6"
            "fusermount" "wodim" "cdrdao" "growisofs"
          ];
          description = "
            Only the programs from system path listed her will be made setuid root
            (through a wrapper program).  It's better to set
            <option>security.extraSetuidPrograms</option>.
          ";
        };
        extraSetuidPrograms = mkOption {
          default = [];
          example = ["fusermount"];
          description = "
            This option lists additional programs that must be made setuid
            root.
          ";
        };
        setuidOwners = mkOption {
          default = [];
          example = [{
            program = "sendmail";
            owner = "nodody";
            group = "postdrop";
            setuid = false;
            setgid = true;
          }];
          description = ''
            List of non-trivial setuid programs from system path, like Postfix sendmail. Default 
            should probably be nobody:nogroup:false:false - if you are bothering
            doing anything with a setuid program, "root.root u+s g-s" is not what
            you are aiming at..
          '';
        };
      };
    }
  ];
 }
--- a/system/options.nix
+++ b/system/options.nix
@ -1980,44 +1980,6 @@ in
  security = {
    setuidPrograms = mkOption {
      default = [
        "passwd" "su" "crontab" "ping" "ping6"
        "fusermount" "wodim" "cdrdao" "growisofs"
      ];
      description = "
        Only the programs from system path listed her will be made setuid root
        (through a wrapper program).  It's better to set
        <option>security.extraSetuidPrograms</option>.
      ";
    };
    extraSetuidPrograms = mkOption {
      default = [];
      example = ["fusermount"];
      description = "
        This option lists additional programs that must be made setuid
        root.
      ";
    };
    setuidOwners = mkOption {
      default = [];
      example = [{
        program = "sendmail";
        owner = "nodody";
        group = "postdrop";
        setuid = false;
        setgid = true;
      }];
      description = ''
        List of non-trivial setuid programs from system path, like Postfix sendmail. Default 
        should probably be nobody:nogroup:false:false - if you are bothering
        doing anything with a setuid program, "root.root u+s g-s" is not what
        you are aiming at..
      '';
    };
    seccureKeys = {
      public = mkOption {
        default = /var/elliptic-keys/public;
@ -2098,6 +2060,9 @@ in
    # hardware
    (import ../upstart-jobs/pcmcia.nix)
    # security
    (import ../system/nixos-security.nix)
    # services
    (import ../upstart-jobs/avahi-daemon.nix)
    (import ../upstart-jobs/atd.nix)