Commit graph

6513 commits

Author SHA1 Message Date
Guillaume Girol 0e4b8a05b2 nixos/wrappers: allow setuid and setgid wrappers to run in user namespaces
In user namespaces where an unprivileged user is mapped as root and root
is unmapped, setuid bits have no effect. However setuid root
executables like mount are still usable *in the namespace* as the user
already has the required privileges. This commit detects the situation
where the wrapper gained no privileges that the parent process did not
already have and in this case does less sanity checking. In short there
is no need to be picky since the parent already can execute the foo.real
executable themselves.

Details:
man 7 user_namespaces:
   Set-user-ID and set-group-ID programs
       When a process inside a user namespace executes a set-user-ID
       (set-group-ID) program, the process's effective user (group) ID
       inside the namespace is changed to whatever value is mapped for
       the user (group) ID of the file.  However, if either the user or
       the group ID of the file has no mapping inside the namespace, the
       set-user-ID (set-group-ID) bit is silently ignored: the new
       program is executed, but the process's effective user (group) ID
       is left unchanged.  (This mirrors the semantics of executing a
       set-user-ID or set-group-ID program that resides on a filesystem
       that was mounted with the MS_NOSUID flag, as described in
       mount(2).)

The effect of the setuid bit is that the real user id is preserved and
the effective and set user ids are changed to the owner of the wrapper.
We detect that no privilege was gained by checking that euid == suid
== ruid. In this case we stop checking that euid == owner of the
wrapper file.

As a reminder, here are the values of euid, ruid, suid, stat.st_uid and
stat.st_mode & S_ISUID in various cases when running a setuid 42
executable as user 1000:

Normal case:
ruid=1000 euid=42 suid=42
setuid=2048, st_uid=42

nosuid mount:
ruid=1000 euid=1000 suid=1000
setuid=2048, st_uid=42

inside unshare -rm:
ruid=0 euid=0 suid=0
setuid=2048, st_uid=65534

inside unshare -rm, on a suid mount:
ruid=0 euid=0 suid=0
setuid=2048, st_uid=65534
2023-08-09 12:00:00 +00:00
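Added example, not the nixpkgs wrapper source: a small C model of the detection rule in the commit above, which treats ruid == euid == suid as "no privilege gained" and only then relaxes the owner check; it reads its own credentials with getresuid() and stat("/proc/self/exe"). The names cred_view, gained_privilege and wrapper_allows_exec are hypothetical.

```c
#define _GNU_SOURCE          /* getresuid() is a GNU extension in glibc */
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* What a setuid wrapper can observe about itself at startup. */
struct cred_view {
    uid_t ruid, euid, suid;   /* from getresuid() */
    uid_t st_uid;             /* owner of the wrapper file */
    mode_t st_mode;           /* mode bits of the wrapper file */
};

/* The setuid bit took effect only if the uids diverge. With ruid == euid ==
 * suid the bit was absent or silently ignored (nosuid mount, or a file owner
 * that is unmapped in the current user namespace): nothing was gained. */
bool gained_privilege(uid_t ruid, uid_t euid, uid_t suid)
{
    return !(ruid == euid && euid == suid);
}

/* Hypothetical model of the wrapper's decision: 1 = exec foo.real, 0 = refuse. */
int wrapper_allows_exec(const struct cred_view *v)
{
    if (!gained_privilege(v->ruid, v->euid, v->suid))
        return 1;   /* the parent could already run foo.real itself: be lenient */
    /* Privileges changed, so they must come from this file's own setuid bit,
     * and the effective uid must be the file owner (the strict check). */
    return (v->st_mode & S_ISUID) && v->euid == v->st_uid;
}

/* Inspect the running process and print the same fields the commit lists. */
int main(void)
{
    struct cred_view v;
    struct stat st;
    if (getresuid(&v.ruid, &v.euid, &v.suid) != 0 ||
        stat("/proc/self/exe", &st) != 0) {
        perror("inspect");
        return 2;
    }
    v.st_uid = st.st_uid;
    v.st_mode = st.st_mode;
    printf("ruid=%u euid=%u suid=%u setuid=%u st_uid=%u -> %s\n",
           (unsigned)v.ruid, (unsigned)v.euid, (unsigned)v.suid,
           (unsigned)(st.st_mode & S_ISUID), (unsigned)st.st_uid,
           wrapper_allows_exec(&v) ? "proceed" : "refuse");
    return wrapper_allows_exec(&v) ? 0 : 1;
}
```

Run unprivileged, under a nosuid mount, and inside `unshare -rm` to reproduce the four credential patterns from the commit message.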
Jan Tojnar 6bbcd65c44 gedit: Move out of GNOME
It has been moved out of GNOME core in favour of gnome-text-editor.
And it is not much of a GNOME app anymore either, using a custom gtksourceview fork.
2023-07-05 14:56:27 +02:00
Emily 3a79936b45
Merge pull request #217536 from sephii/caddy-reload
nixos/caddy: add support for reload
2023-07-04 22:57:24 +02:00
Martin Weinelt 06f0af1f0a
firefox-esr-115-unwrapped: init at 115.0esr
The next major version of the Firefox Extended Support Release.

https://www.mozilla.org/en-US/firefox/115.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/

Fixes: CVE-2023-3482, CVE-2023-37201, CVE-2023-37202, CVE-2023-37203
       CVE-2023-37204, CVE-2023-37205, CVE-2023-37206, CVE-2023-37207,
       CVE-2023-37208, CVE-2023-37209, CVE-2023-37210, CVE-2023-37211,
       CVE-2023-37211, CVE-2023-37212
2023-07-04 16:07:25 +02:00
Sylvain Fankhauser 1f0ac736b4
nixos/caddy: add support for reload 2023-07-04 11:25:05 +02:00
Eric Wolf ee5cc38432 lemmy: Support secret options
This commit implements #101777 by merging
the config with an external file at startup.
2023-07-03 09:12:40 +08:00
Ryan Lahfa 7672c1e9ae
Merge pull request #201907 from Tom-Hubrecht/fail2ban 2023-07-02 13:57:47 +02:00
figsoda a86a7dafdf
Merge pull request #226977 from mac-chaffee/sws-module 2023-07-01 19:58:40 -04:00
Pol Dellaiera b9b176f8b8
Merge pull request #240725 from eskytthe/apachekafka-3.5.0
apacheKafka: 3.5.0, 3.4.1, 3.3.1 -> 3.3.2
2023-07-01 23:25:54 +02:00
Mac Chaffee 61cb4170fd
nixos/static-web-server: create module which uses upstream systemd units
This commit creates a nixos module for static-web-server.
The module uses upstream systemd units to start static-web-server.
It also includes options for configuring static-web-server.
2023-07-01 12:51:13 -04:00
Jörg Thalheim cf2167b39e
Merge pull request #231609 from Mic92/bcachefs-tools
bcachefs-tools: unstable-2023-01-31 -> unstable-2023-05-13
2023-07-01 16:31:43 +01:00
Jörg Thalheim af57956199 nixos/test/bcachefs: fix password input 2023-07-01 17:10:11 +02:00
TQ Hirsch 8ab22ad2ad
nixos/tests/powerdns: Stop manually configuring config path 2023-07-01 18:55:50 +08:00
pennae 969b4d7ba9
Merge pull request #232454 from quentinmit/bridge-vlan
nixos/networkd: Fix typo in BridgeVLAN options
2023-07-01 00:19:37 +02:00
Tom Hubrecht 208ee8b2e2 nixos/fail2ban: use attrsets for settings instead of strings 2023-06-30 22:27:40 +02:00
Erik Skytthe c09a0a837a apacheKafka: 3.5.0, 3.4.1, 3.3.1 -> 3.3.2 2023-06-30 17:59:40 +02:00
Nick Cao f633ed072a
nixosTests.deepin: raise virtualisation.memorySize to 2048 2023-06-30 10:58:03 +08:00
Arthur Gautier 9338511350 nixosTest: provide a test for lib.extend in nixosTests & runNixOSTest 2023-06-29 09:14:58 -07:00
Maximilian Bosch 089f26b5e2
Merge pull request #240397 from Ma27/linux-kernel-updates
Linux kernel updates 2023-06-28
2023-06-29 10:00:19 +02:00
Gaël Reyrol 1a821e7bf5
nixos/prometheus-exporters: add php-fpm 2023-06-28 22:11:36 +02:00
Maximilian Bosch 0b4e493e58
linux_6_3_hardened: expose package 2023-06-28 21:23:00 +02:00
Gaël Reyrol 3a4e234b07
services/calibre-server: Add new http & auth options (#216497)
nixos/doc: add calibre-server new options
2023-06-28 14:06:47 +02:00
Pol Dellaiera e1b3f7b159
Merge pull request #239803 from gaelreyrol/prometheus-scaphandre-exporter-init
services/prometheus/exporters: add scaphandre
2023-06-28 09:46:08 +02:00
Christian Kögler 934a291b5a
Merge pull request #240121 from NickCao/tmate-msgpack
tmate, tmate-ssh-server: update and use msgpack-c instead of msgpack
2023-06-28 08:39:52 +02:00
Lily Foster 73710c4a5b
Merge pull request #238848 from nikstur/qemu-vm-volatile-root
nixos/tests/qemu-vm-volatile-root: init
2023-06-27 16:00:41 -04:00
Gaël Reyrol e11f06a951
services/prometheus/exporters: add scaphandre 2023-06-27 20:50:58 +02:00
Nick Cao 6ecfdd3fa4
nixos/tmate-ssh-server: fix test by opening port on firewall 2023-06-27 21:21:25 +08:00
adisbladis d76f499f99
Merge pull request #239690 from adisbladis/lemmy-0_18_0
lemmy: 0.17.4 -> 0.18.0
2023-06-28 00:10:09 +12:00
Janik 946c3f8c51
Merge pull request #214063 from michaelshmitty/anuko-timetracker 2023-06-27 13:19:44 +02:00
Michael Smith 7532dbaa32 nixos/anuko-time-tracker: init 2023-06-27 12:30:33 +02:00
Nick Cao e3d52286b1
nixos/sing-box: add basic test 2023-06-27 13:58:02 +08:00
Matej Cotman 4b789ef027 lemmy: build sharp 2023-06-27 16:24:23 +12:00
Pol Dellaiera 5f85fe1e8a
php83: init at 8.3.0alpha2 (#239151)
* php83: init at 8.3.0alpha2

* phpExtensions.blackfire: disable for php 8.3

* phpExtensions.apcu: patch for 8.3 only
2023-06-26 20:51:23 +02:00
Gaël Reyrol c7bb191426
scaphandre: init at 0.5.0 (#238462)
* scaphandre: init at 0.5.0

* Update pkgs/servers/scaphandre/default.nix

---------

Co-authored-by: Pol Dellaiera <pol.dellaiera@protonmail.com>
2023-06-26 19:41:28 +02:00
Felix Buehler 6672dde558 treewide: use optionalAttrs instead of 'else {}' 2023-06-25 11:01:34 -03:00
Naïm Favier b7098c1239
Merge pull request #239427 from ncfavier/syncthing-escaping
nixos/syncthing: fix escaping
2023-06-23 20:29:42 +02:00
Naïm Favier 9a9ded1675
nixos/syncthing: fix escaping 2023-06-23 20:19:51 +02:00
pennae 50a780ce5c
Merge pull request #237824 from drupol/add-guacamole-server-and-client
{guacamole-server,guacamole-client}: init at 1.5.2
2023-06-23 15:41:50 +02:00
Ryan Lahfa 230a3705fc
Merge pull request #234223 from alyssais/stage-1-bind-file 2023-06-22 21:47:30 +02:00
Guillaume Girol a3a23358fc
Merge pull request #237235 from alyssais/vmTools-deb
nixosTests.os-prober: fix
2023-06-22 19:14:11 +00:00
Sandro 996d7cabba
Merge pull request #225877 from jappeace/upgrade-keter-2.1
nixos/keter: 2.0 -> 2.1
2023-06-22 20:00:22 +02:00
Elis Hirwing da7b79c90e
Merge pull request #239049 from LeSuisse/php80-removal
php: drop PHP 8.0
2023-06-22 08:43:39 +02:00
Vladimír Čunát e603dc5f06
Merge #238997: nixosTests.sway: don't use ORC 2023-06-22 07:47:41 +02:00
Pol Dellaiera 6cc1b175d3
nixos/guacamole-server: init 2023-06-21 22:11:44 +02:00
Thomas Gerbet 84c0cb1471 php: drop PHP 8.0
Closes #224505
2023-06-21 22:09:16 +02:00
Pol Dellaiera a950888024
nixos/guacamole-client: init 2023-06-21 20:47:31 +02:00
Sandro 7e38f9e981
Merge pull request #236104 from Luflosi/apfs-test-module-based-runner
nixos/tests/apfs: clean up code
2023-06-21 19:19:36 +02:00
Patrick Hilhorst 5bd226bfd9
nixosTests.sway: don't timeout gpg-agent 2023-06-21 16:08:00 +02:00
Patrick Hilhorst ae4e5957d8
nixosTests.sway: don't use ORC 2023-06-21 14:58:10 +02:00
Domen Kožar b37c9b89a4
Merge pull request #221169 from bouk/bouk/mainpr
opentelemetry-collector: add NixOS module
2023-06-21 13:07:50 +01:00