alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity

setuid-wrappers : Prepare permissions for running wrappers

Browse source 
The new setuid-wrappers in /run cannot be executed by users due to:

1) the temporary directory does not allow access
2) the /run is mounted nosuid
This commit is contained in:
Karn Kallio 2016-09-03 16:42:09 -04:00 committed by Joachim Fasting
parent d3ee483bfe
commit 8d977ead38
No known key found for this signature in database
GPG key ID: 7544761007FE4E08
2 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
nixos/modules/security/setuid-wrappers.nix
View file

@ -117,6 +117,7 @@ in
mkdir -p /run/setuid-wrapper-dirs
wrapperDir=$(mktemp --directory --tmpdir=/run/setuid-wrapper-dirs setuid-wrappers.XXXXXXXXXX)
chmod a+rx $wrapperDir
${concatMapStrings makeSetuidWrapper setuidPrograms}

2
nixos/modules/tasks/filesystems.nix
View file

@ -287,7 +287,7 @@ in
boot.specialFileSystems = {
"/proc" = { fsType = "proc"; options = [ "nosuid" "noexec" "nodev" ]; };
"/sys" = { fsType = "sysfs"; options = [ "nosuid" "noexec" "nodev" ]; };
"/run" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
"/run" = { fsType = "tmpfs"; options = [ "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
"/dev" = { fsType = "devtmpfs"; options = [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ]; };
"/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; };
"/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "gid=${toString config.ids.gids.tty}" ]; };