
More fixes and improvements

Parnell Springmeyer 2017-01-26 00:05:40 -08:00
parent bae00e8aa8
commit 025555d7f1
No known key found for this signature in database
GPG key ID: DCCF89258EAD874A
12 changed files with 37 additions and 25 deletions


@ -202,7 +202,7 @@ following incompatible changes:</para>
<listitem> <listitem>
<para>The directory container setuid wrapper programs, <para>The directory container setuid wrapper programs,
<filename>/var/setuid-wrappers</filename>, <link <filename>/var/permissions-wrappers</filename>, <link
xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
updated atomically to prevent failures if the switch to a new updated atomically to prevent failures if the switch to a new
configuration is interrupted.</link></para> configuration is interrupted.</link></para>


@ -260,7 +260,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
# Ask the user to set a root password. # Ask the user to set a root password.
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/setuid-wrappers/passwd ] && [ -t 0 ]; then if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/permissions-wrappers/passwd ] && [ -t 0 ]; then
echo "setting root password..." echo "setting root password..."
chroot $mountPoint /var/permissions-wrappers/passwd chroot $mountPoint /var/permissions-wrappers/passwd
fi fi


@ -154,6 +154,10 @@ in
export PATH="${config.security.permissionsWrapperDir}:$PATH" export PATH="${config.security.permissionsWrapperDir}:$PATH"
''; '';
system.activationScripts.wrapper-dir = ''
mkdir -p "${config.security.permissionsWrapperDir}"
'';
###### setcap activation script ###### setcap activation script
system.activationScripts.setcap = system.activationScripts.setcap =
lib.stringAfter [ "users" ] lib.stringAfter [ "users" ]
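Review bot: The new `wrapper-dir` activation script creates the directory that will hold the setuid and capability wrappers without pinning its mode and without any visible ordering against the scripts that populate it. `mkdir -p` takes its mode from the ambient umask and leaves an existing directory's mode untouched, so I would set it explicitly, e.g. `mkdir -p -m 0755 "${config.security.permissionsWrapperDir}"`. The consumer should also declare the dependency, e.g. `lib.stringAfter [ "users" "wrapper-dir" ]` on `setcap`, and likewise on the setuid counterpart if it is defined the same way. The `setcap` definition continues outside the hunk, so it may already cope with a missing directory; that is worth confirming.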


@ -5,17 +5,17 @@ let
# Produce a shell-code splice intended to be stitched into one of # Produce a shell-code splice intended to be stitched into one of
# the build or install phases within the derivation. # the build or install phases within the derivation.
mkSetcapWrapper = { program, source ? null, ...}: mkSetcapWrapper = { program, source ? null, ...}: ''
'' if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then # If we can't find the program, fall back to the
# If we can't find the program, fall back to the # system profile.
# system profile. source=/nix/var/nix/profiles/default/bin/${program}
source=/nix/var/nix/profiles/default/bin/${program} fi
fi
gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
-lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
''; -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
'';
in in
# This is only useful for Linux platforms and a kernel version of # This is only useful for Linux platforms and a kernel version of
@ -26,7 +26,7 @@ assert lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.
pkgs.stdenv.mkDerivation { pkgs.stdenv.mkDerivation {
name = "setcap-wrapper"; name = "setcap-wrapper";
unpackPhase = "true"; unpackPhase = "true";
buildInputs = [ pkgs.linuxHeaders pkgs.libcap pkgs.libcap_ng ]; buildInputs = [ pkgs.linuxHeaders ];
installPhase = '' installPhase = ''
mkdir -p $out/bin mkdir -p $out/bin
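Review bot: The gcc invocation in `mkSetcapWrapper` still lists `-lcap-ng -lcap` before `${./permissions-wrapper.c}`, and this change extends that line rather than fixing the order. GNU ld resolves libraries left to right, so a toolchain that links with `--as-needed` or against static archives could drop them or fail to resolve symbols. Putting the source first is the safer form: `${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -lcap-ng -lcap`. The same ordering appears in the other wrapper builder's gcc line. With `pkgs.libcap` and `pkgs.libcap_ng` removed from `buildInputs`, the hand-written `-L`/`-I` flags are the only link to those packages, so a one-line comment saying why they are passed explicitly would help; `installPhase` continues outside the hunk.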


@ -13,8 +13,9 @@ let
source=/nix/var/nix/profiles/default/bin/${program} source=/nix/var/nix/profiles/default/bin/${program}
fi fi
gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
-lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
''; '';
in in
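Review bot: The gcc line here now passes `-DWRAPPER_SETCAP=1` where the previous side had `-DWRAPPER_SETUID=1`, which looks like a copy-paste from the setcap builder, assuming the second copy of the line is the new side. If `permissions-wrapper.c` selects its privilege handling on these macros (its source is not shown on this page), wrappers meant to be setuid would be built with the capability code path and any setuid-specific checks compiled out. The define should stay `-DWRAPPER_SETUID=1` in this file. The enclosing `let` binding starts outside the hunk.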


@ -219,14 +219,14 @@ in
type = types.string; type = types.string;
default = '' default = ''
+ FPing + FPing
binary = ${config.security.wrapperDir}/fping binary = ${config.security.permissionsWrapperDir}/fping
''; '';
description = "Probe configuration"; description = "Probe configuration";
}; };
sendmail = mkOption { sendmail = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
example = "/var/setuid-wrappers/sendmail"; example = "/var/permissions-wrappers/sendmail";
description = "Use this sendmail compatible script to deliver alerts"; description = "Use this sendmail compatible script to deliver alerts";
}; };
smokeMailTemplate = mkOption { smokeMailTemplate = mkOption {
@ -273,7 +273,14 @@ in
message = "services.smokeping: sendmail and Mailhost cannot both be enabled."; message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";
} }
]; ];
security.setuidPrograms = [ "fping" ]; security.permissionsWrappers.setuid = [
{ program = "fping";
source = "${e.enlightenment.out}/bin/fping";
owner = "root";
group = "root";
setuid = true;
}
];
environment.systemPackages = [ pkgs.fping ]; environment.systemPackages = [ pkgs.fping ];
users.extraUsers = singleton { users.extraUsers = singleton {
name = cfg.user; name = cfg.user;
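Review bot: The new `security.permissionsWrappers.setuid` entry sets `source = "${e.enlightenment.out}/bin/fping"`, which looks copied from another module. No `e` binding is visible in these hunks, and Enlightenment is not the package that provides fping. Because this path decides which binary receives the setuid-root wrapper, it should name the intended package directly: `source = "${pkgs.fping}/bin/fping";`, matching the `pkgs.fping` already in `environment.systemPackages` on the following line. As written, the module would presumably either fail to evaluate or wrap a binary that does not exist.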


@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : {
mailHost = "127.0.0.2"; mailHost = "127.0.0.2";
probeConfig = '' probeConfig = ''
+ FPing + FPing
binary = /var/setuid-wrappers/fping binary = /var/permissions-wrappers/fping
offset = 0% offset = 0%
''; '';
}; };


@ -83,9 +83,9 @@ in stdenv.mkDerivation {
ed -v -s "$out/bin/chromium" << EOF ed -v -s "$out/bin/chromium" << EOF
2i 2i
if [ -x "/var/setuid-wrappers/${sandboxExecutableName}" ] if [ -x "/var/permissions-wrappers/${sandboxExecutableName}" ]
then then
export CHROME_DEVEL_SANDBOX="/var/setuid-wrappers/${sandboxExecutableName}" export CHROME_DEVEL_SANDBOX="/var/permissions-wrappers/${sandboxExecutableName}"
else else
export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}" export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}"
fi fi


@ -7,7 +7,7 @@ Index: kinit-5.24.0/src/start_kdeinit/start_kdeinit_wrapper.c
#include <unistd.h> #include <unistd.h>
-#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit" -#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit"
+#define EXECUTE "/var/setuid-wrappers/start_kdeinit" +#define EXECUTE "/var/permissions-wrappers/start_kdeinit"
#if KDEINIT_OOM_PROTECT #if KDEINIT_OOM_PROTECT


@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
preConfigure = '' preConfigure = ''
sed -e 's@/lib/udev@''${out}/lib/udev@' \ sed -e 's@/lib/udev@''${out}/lib/udev@' \
-e 's@ -Werror @ @' \ -e 's@ -Werror @ @' \
-e 's@/usr/sbin/sendmail@/var/setuid-wrappers/sendmail@' -i Makefile -e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile
''; '';
meta = { meta = {


@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
buildInputs = [ makeWrapper ]; buildInputs = [ makeWrapper ];
# Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/setuid-wrappers # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/permissions-wrappers
installPhase = '' installPhase = ''
mkdir -p $out/bin $out/libexec mkdir -p $out/bin $out/libexec
cp $src $out/libexec/ecryptfs-helper.py cp $src $out/libexec/ecryptfs-helper.py


@ -23,7 +23,7 @@ stdenv.mkDerivation {
#define _PATH_SENDMAIL "${sendmailPath}" #define _PATH_SENDMAIL "${sendmailPath}"
#undef _PATH_DEFPATH #undef _PATH_DEFPATH
#define _PATH_DEFPATH "/var/setuid-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" #define _PATH_DEFPATH "/var/permissions-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
__EOT__ __EOT__
# Implicit saved uids do not work here due to way NixOS uses setuid wrappers # Implicit saved uids do not work here due to way NixOS uses setuid wrappers