diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index c5b99c0c801..9e4f3fdaa01 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -109,27 +109,29 @@ in
};
};
description = ''
- This option allows the ownership and permissions on the
- setuid wrappers for specific programs to be overridden from
- the default (setuid root, but not setgid root).
+ This option allows the ownership and permissions on the setuid
+ wrappers for specific programs to be overridden from the
+ default (setuid root, but not setgid root).
- Additionally, this option can set capabilities on a
- wrapper program that propagates those capabilities down to the
- wrapped, real program.
+
+ Additionally, this option can set capabilities on a
+ wrapper program that propagates those capabilities down to the
+ wrapped, real program.
- The program attribute is the name of
- the program to be wrapped. If no source
- attribute is provided, specifying the absolute path to the
- program, then the program will be searched for in the path
- environment variable.
+ The program attribute is the name of
+ the program to be wrapped. If no source
+ attribute is provided, specifying the absolute path to the
+ program, then the program will be searched for in the path
+ environment variable.
- NOTE: cap_setpcap, which is required for the wrapper
- program to be able to raise caps into the Ambient set is NOT
- raised to the Ambient set so that the real program cannot
- modify its own capabilities!! This may be too restrictive for
- cases in which the real program needs cap_setpcap but it at
- least leans on the side security paranoid vs. too
- relaxed.
+ NOTE: cap_setpcap, which is required for the wrapper
+ program to be able to raise caps into the Ambient set is NOT
+ raised to the Ambient set so that the real program cannot
+ modify its own capabilities!! This may be too restrictive for
+ cases in which the real program needs cap_setpcap but it at
+ least leans on the side security paranoid vs. too
+ relaxed.
+
'';
};