nixos: add implicit security.wrappers options

This is to keep the same permissions/setuid/setgid as before the change
in security.wrappers defaults.
rnhmjoj 2021-06-10 01:47:55 +02:00
parent 41a498578e
commit 8f76a6eefc
No known key found for this signature in database
GPG key ID: BFBAF4C975F76450
9 changed files with 22 additions and 3 deletions


@ -28,7 +28,9 @@ in {
# "nix-ccache --show-stats" and "nix-ccache --clear" # "nix-ccache --show-stats" and "nix-ccache --clear"
security.wrappers.nix-ccache = { security.wrappers.nix-ccache = {
owner = "nobody";
group = "nixbld"; group = "nixbld";
setuid = false;
setgid = true; setgid = true;
source = pkgs.writeScript "nix-ccache.pl" '' source = pkgs.writeScript "nix-ccache.pl" ''
#!${pkgs.perl}/bin/perl #!${pkgs.perl}/bin/perl
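Review bot: `owner = "nobody"` on the new line is inert in privilege terms for this wrapper: with `setuid = false` the script runs with the caller's uid and only the effective gid changes to nixbld, so the owner decides nothing except who owns (and may chmod) the wrapper file. A root-owned file is the safer choice for that reason and would match the msmtp/ssmtp wrappers in this same commit, i.e. `owner = "root";`, though it deviates from the stated aim of reproducing the old defaults byte for byte. If the value must stay, a comment such as `# owner is inert: setuid is false; kept only to preserve the pre-change default` stops a later reader from assuming nix-ccache runs as nobody. The enclosing attrset and the embedded perl script continue past the hunk.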


@ -78,6 +78,8 @@ in {
source = "${pkgs.msmtp}/bin/sendmail"; source = "${pkgs.msmtp}/bin/sendmail";
setuid = false; setuid = false;
setgid = false; setgid = false;
owner = "root";
group = "root";
}; };
environment.etc."msmtprc".text = let environment.etc."msmtprc".text = let
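Review bot: With `setuid = false` and `setgid = false` already present, the new `owner = "root"; group = "root";` grant nothing at runtime — this is an unprivileged wrapper whose only purpose appears to be a stable path for the msmtp sendmail binary (the `program` name, if any, is outside the hunk). That is fine, but an attrset that spells out owner/group/setuid/setgid reads like a privileged wrapper at a glance, so a one-line comment would help: `# unprivileged wrapper: no setuid/setgid; root:root only pins the file owner`. The enclosing attrset starts before the hunk.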


@ -181,6 +181,8 @@ in
source = "${pkgs.ssmtp}/bin/sendmail"; source = "${pkgs.ssmtp}/bin/sendmail";
setuid = false; setuid = false;
setgid = false; setgid = false;
owner = "root";
group = "root";
}; };
}; };


@ -871,6 +871,7 @@ in
unix_chkpwd = { unix_chkpwd = {
source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
owner = "root"; owner = "root";
group = "nogroup";
setuid = true; setuid = true;
}; };
}; };
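Review bot: `group = "nogroup"` on the new line has no effect on what this wrapper grants — only `setuid = true` is set, so unix_chkpwd runs with effective uid root and the caller's own gid; the value exists solely to reproduce the previous module default. A short comment makes that explicit and discourages a later change that also flips setgid on a root-owned binary: `group = "nogroup"; # no setgid: group is irrelevant, kept for the pre-change default`. As far as I know upstream PAM installs unix_chkpwd with the same privilege, so there is nothing to change functionally here; a setgid-shadow-group variant would be a separate least-privilege discussion. The surrounding security.wrappers attrset begins outside the hunk.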


@ -103,12 +103,15 @@ in {
}; };
security.wrappers.smtpctl = { security.wrappers.smtpctl = {
owner = "nobody";
group = "smtpq"; group = "smtpq";
setuid = false;
setgid = true; setgid = true;
source = "${cfg.package}/bin/smtpctl"; source = "${cfg.package}/bin/smtpctl";
}; };
services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail security.wrappers.smtpctl; services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail
security.wrappers.smtpctl // { program = "sendmail"; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/spool/smtpd 711 root - - -" "d /var/spool/smtpd 711 root - - -"
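Review bot: `owner = "nobody"` on the new smtpctl line now also flows into the sendmail wrapper through the `//` merge at the end of the hunk, so both setgid-smtpq binaries end up owned by the nobody uid. The owner does not change the privilege granted (setuid is false), but it does decide who may chmod the file and, after `chmod u+w`, rewrite it: should any service still run as nobody, a compromise of it could replace the wrapper body and have it executed by every user who later invokes `sendmail`; the kernel strips the setgid bit on such a write, so the gain is code execution as the caller rather than as smtpq, which is still not acceptable. Unless /run/wrappers is mounted read-only — which I cannot see from here — `owner = "root";` is the safer value, and fixing it once in the smtpctl definition covers both wrappers, at the cost of diverging from the old default this commit preserves. The `config` attrset and the `rec` binding that makes `security.wrappers.smtpctl` referenceable live outside the hunk.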


@ -673,6 +673,7 @@ in
services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail { services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {
program = "sendmail"; program = "sendmail";
source = "${pkgs.postfix}/bin/sendmail"; source = "${pkgs.postfix}/bin/sendmail";
owner = "nobody";
group = setgidGroup; group = setgidGroup;
setuid = false; setuid = false;
setgid = true; setgid = true;
@ -681,6 +682,7 @@ in
security.wrappers.mailq = { security.wrappers.mailq = {
program = "mailq"; program = "mailq";
source = "${pkgs.postfix}/bin/mailq"; source = "${pkgs.postfix}/bin/mailq";
owner = "nobody";
group = setgidGroup; group = setgidGroup;
setuid = false; setuid = false;
setgid = true; setgid = true;
@ -689,6 +691,7 @@ in
security.wrappers.postqueue = { security.wrappers.postqueue = {
program = "postqueue"; program = "postqueue";
source = "${pkgs.postfix}/bin/postqueue"; source = "${pkgs.postfix}/bin/postqueue";
owner = "nobody";
group = setgidGroup; group = setgidGroup;
setuid = false; setuid = false;
setgid = true; setgid = true;
@ -697,6 +700,7 @@ in
security.wrappers.postdrop = { security.wrappers.postdrop = {
program = "postdrop"; program = "postdrop";
source = "${pkgs.postfix}/bin/postdrop"; source = "${pkgs.postfix}/bin/postdrop";
owner = "nobody";
group = setgidGroup; group = setgidGroup;
setuid = false; setuid = false;
setgid = true; setgid = true;
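Review bot: The four new `owner = "nobody"` lines give the setgid-`setgidGroup` wrappers (sendmail, mailq, postqueue, postdrop) a file owned by the nobody uid; with `setuid = false` the owner does not affect the privilege the wrapper grants, but it does make the nobody uid the one entitled to chmod and then overwrite the binary in place. Unless the wrappers tree is remounted read-only (not visible here), a compromised process running as nobody could swap the body of `/run/wrappers/bin/sendmail` and have it run by every user who sends mail; the setgid bit is dropped by the kernel on that write, so the exposure is code execution as the caller, not as `setgidGroup`. `owner = "root";` costs nothing functionally and matches the msmtp/ssmtp hunks in this commit; if preserving the old default is the priority for now, a comment such as `# owner is inert (setuid = false); root would be the safer choice` records the debt. Each wrapper attrset continues past the visible lines.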


@ -88,12 +88,14 @@ in {
source = "${pkgs.x2goserver}/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl"; source = "${pkgs.x2goserver}/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl";
owner = "x2go"; owner = "x2go";
group = "x2go"; group = "x2go";
setuid = false;
setgid = true; setgid = true;
}; };
security.wrappers.x2goprintWrapper = { security.wrappers.x2goprintWrapper = {
source = "${pkgs.x2goserver}/bin/x2goprint"; source = "${pkgs.x2goserver}/bin/x2goprint";
owner = "x2go"; owner = "x2go";
group = "x2go"; group = "x2go";
setuid = false;
setgid = true; setgid = true;
}; };


@ -136,9 +136,11 @@ in
owner = "fcron"; owner = "fcron";
group = "fcron"; group = "fcron";
setgid = true; setgid = true;
setuid = false;
}; };
fcronsighup = { fcronsighup = {
source = "${pkgs.fcron}/bin/fcronsighup"; source = "${pkgs.fcron}/bin/fcronsighup";
owner = "root";
group = "fcron"; group = "fcron";
}; };
}; };
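Review bot: fcronsighup gets `owner = "root"` but, in the visible lines, neither `setuid` nor `setgid`, unlike fcrontab just above which spells both out; if the post-change module defaults are false, the result is a root-owned but unprivileged wrapper. If that is intentional (it preserves the old default), say so, because a root-owned wrapper with no bits set reads like an omission and the natural "fix" would be `setuid = true` on a root-owned binary: `# intentionally no setuid/setgid: preserves the pre-change default`. Whether fcronsighup actually needs privilege to signal the daemon is a pre-existing question rather than something this commit introduces, but it is worth confirming against the upstream install mode. The wrappers attrset and its enclosing block start before the hunk.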


@ -49,9 +49,10 @@ in {
users.groups.mail = {}; users.groups.mail = {};
security.wrappers = { security.wrappers = {
dtmail = { dtmail = {
source = "${pkgs.cdesktopenv}/bin/dtmail";
group = "mail";
setgid = true; setgid = true;
owner = "nobody";
group = "mail";
source = "${pkgs.cdesktopenv}/bin/dtmail";
}; };
}; };