alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity

nixos: explicitely set security.wrappers ownership

Browse source 
This is slightly more verbose and inconvenient, but it forces you
to think about what the wrapper ownership and permissions will be.
This commit is contained in:
rnhmjoj 2021-09-12 18:53:48 +02:00
parent 8f76a6eefc
commit fedd7cd690
No known key found for this signature in database
GPG key ID: BFBAF4C975F76450
39 changed files with 276 additions and 72 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
nixos/modules/programs/bandwhich.nix
View file

@ -22,8 +22,10 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ bandwhich ];
security.wrappers.bandwhich = {
source = "${pkgs.bandwhich}/bin/bandwhich";
owner = "root";
group = "root";
capabilities = "cap_net_raw,cap_net_admin+ep";
source = "${pkgs.bandwhich}/bin/bandwhich";
};
};
}

4
nixos/modules/programs/captive-browser.nix
View file

@ -105,11 +105,15 @@ in
);
security.wrappers.udhcpc = {
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.busybox}/bin/udhcpc";
};
security.wrappers.captive-browser = {
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = pkgs.writeShellScript "captive-browser" ''
export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"

7
nixos/modules/programs/firejail.nix
View file

@ -81,7 +81,12 @@ in {
};
config = mkIf cfg.enable {
security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";
security.wrappers.firejail =
{ setuid = true;
owner = "root";
group = "root";
source = "${lib.getBin pkgs.firejail}/bin/firejail";
};
environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ];
};

2
nixos/modules/programs/gamemode.nix
View file

@ -56,6 +56,8 @@ in
polkit.enable = true;
wrappers = mkIf cfg.enableRenice {
gamemoded = {
owner = "root";
group = "root";
source = "${pkgs.gamemode}/bin/gamemoded";
capabilities = "cap_sys_nice+ep";
};

4
nixos/modules/programs/iftop.nix
View file

@ -11,8 +11,10 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.iftop ];
security.wrappers.iftop = {
source = "${pkgs.iftop}/bin/iftop";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.iftop}/bin/iftop";
};
};
}

4
nixos/modules/programs/iotop.nix
View file

@ -10,8 +10,10 @@ in {
};
config = mkIf cfg.enable {
security.wrappers.iotop = {
source = "${pkgs.iotop}/bin/iotop";
owner = "root";
group = "root";
capabilities = "cap_net_admin+p";
source = "${pkgs.iotop}/bin/iotop";
};
};
}

7
nixos/modules/programs/kbdlight.nix
View file

@ -11,6 +11,11 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.kbdlight ];
security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight";
security.wrappers.kbdlight =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.kbdlight.out}/bin/kbdlight";
};
};
}

4
nixos/modules/programs/liboping.nix
View file

@ -13,8 +13,10 @@ in {
security.wrappers = mkMerge (map (
exec: {
"${exec}" = {
source = "${pkgs.liboping}/bin/${exec}";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.liboping}/bin/${exec}";
};
}
) [ "oping" "noping" ]);

4
nixos/modules/programs/mtr.nix
View file

@ -31,8 +31,10 @@ in {
environment.systemPackages = with pkgs; [ cfg.package ];
security.wrappers.mtr-packet = {
source = "${cfg.package}/bin/mtr-packet";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${cfg.package}/bin/mtr-packet";
};
};
}

4
nixos/modules/programs/noisetorch.nix
View file

@ -18,8 +18,10 @@ in {
config = mkIf cfg.enable {
security.wrappers.noisetorch = {
source = "${cfg.package}/bin/noisetorch";
owner = "root";
group = "root";
capabilities = "cap_sys_resource=+ep";
source = "${cfg.package}/bin/noisetorch";
};
};
}

21
nixos/modules/programs/shadow.nix
View file

@ -43,6 +43,13 @@ let
'';
mkSetuidRoot = source:
{ setuid = true;
owner = "root";
group = "root";
inherit source;
};
in
{
@ -109,14 +116,14 @@ in
};
security.wrappers = {
su.source = "${pkgs.shadow.su}/bin/su";
sg.source = "${pkgs.shadow.out}/bin/sg";
newgrp.source = "${pkgs.shadow.out}/bin/newgrp";
newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";
newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";
su = mkSetuidRoot "${pkgs.shadow.su}/bin/su";
sg = mkSetuidRoot "${pkgs.shadow.out}/bin/sg";
newgrp = mkSetuidRoot "${pkgs.shadow.out}/bin/newgrp";
newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap";
newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap";
} // lib.optionalAttrs config.users.mutableUsers {
chsh.source = "${pkgs.shadow.out}/bin/chsh";
passwd.source = "${pkgs.shadow.out}/bin/passwd";
chsh = mkSetuidRoot "${pkgs.shadow.out}/bin/chsh";
passwd = mkSetuidRoot "${pkgs.shadow.out}/bin/passwd";
};
};
}

7
nixos/modules/programs/singularity.nix
View file

@ -16,7 +16,12 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = [ singularity ];
security.wrappers.singularity-suid.source = "${singularity}/libexec/singularity/bin/starter-suid.orig";
security.wrappers.singularity-suid =
{ setuid = true;
owner = "root";
group = "root";
source = "${singularity}/libexec/singularity/bin/starter-suid.orig";
};
systemd.tmpfiles.rules = [
"d /var/singularity/mnt/session 0770 root root -"
"d /var/singularity/mnt/final 0770 root root -"

7
nixos/modules/programs/slock.nix
View file

@ -21,6 +21,11 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.slock ];
security.wrappers.slock.source = "${pkgs.slock.out}/bin/slock";
security.wrappers.slock =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.slock.out}/bin/slock";
};
};
}

4
nixos/modules/programs/traceroute.nix
View file

@ -19,8 +19,10 @@ in {
config = mkIf cfg.enable {
security.wrappers.traceroute = {
source = "${pkgs.traceroute}/bin/traceroute";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.traceroute}/bin/traceroute";
};
};
}

7
nixos/modules/programs/udevil.nix
View file

@ -9,6 +9,11 @@ in {
options.programs.udevil.enable = mkEnableOption "udevil";
config = mkIf cfg.enable {
security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil";
security.wrappers.udevil =
{ setuid = true;
owner = "root";
group = "root";
source = "${lib.getBin pkgs.udevil}/bin/udevil";
};
};
}

4
nixos/modules/programs/wavemon.nix
View file

@ -21,8 +21,10 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ wavemon ];
security.wrappers.wavemon = {
source = "${pkgs.wavemon}/bin/wavemon";
owner = "root";
group = "root";
capabilities = "cap_net_admin+ep";
source = "${pkgs.wavemon}/bin/wavemon";
};
};
}

7
nixos/modules/programs/wshowkeys.nix
View file

@ -17,6 +17,11 @@ in {
};
config = mkIf cfg.enable {
security.wrappers.wshowkeys.source = "${pkgs.wshowkeys}/bin/wshowkeys";
security.wrappers.wshowkeys =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.wshowkeys}/bin/wshowkeys";
};
};
}

7
nixos/modules/security/chromium-suid-sandbox.nix
View file

@ -28,6 +28,11 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ sandbox ];
security.wrappers.${sandbox.passthru.sandboxExecutableName}.source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
security.wrappers.${sandbox.passthru.sandboxExecutableName} =
{ setuid = true;
owner = "root";
group = "root";
source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
};
};
}

9
nixos/modules/security/doas.nix
View file

@ -241,9 +241,12 @@ in
}
];
security.wrappers = {
doas.source = "${doas}/bin/doas";
};
security.wrappers.doas =
{ setuid = true;
owner = "root";
group = "root";
source = "${doas}/bin/doas";
};
environment.systemPackages = [
doas

7
nixos/modules/security/duosec.nix
View file

@ -186,7 +186,12 @@ in
config = mkIf (cfg.ssh.enable || cfg.pam.enable) {
environment.systemPackages = [ pkgs.duo-unix ];
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
security.wrappers.login_duo =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.duo-unix.out}/bin/login_duo";
};
system.activationScripts = {
login_duo = mkIf cfg.ssh.enable ''

14
nixos/modules/security/pam_usb.nix
View file

@ -32,8 +32,18 @@ in
# Make sure pmount and pumount are setuid wrapped.
security.wrappers = {
pmount.source = "${pkgs.pmount.out}/bin/pmount";
pumount.source = "${pkgs.pmount.out}/bin/pumount";
pmount =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.pmount.out}/bin/pmount";
};
pumount =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.pmount.out}/bin/pumount";
};
};
environment.systemPackages = [ pkgs.pmount ];

14
nixos/modules/security/polkit.nix
View file

@ -83,8 +83,18 @@ in
security.pam.services.polkit-1 = {};
security.wrappers = {
pkexec.source = "${pkgs.polkit.bin}/bin/pkexec";
polkit-agent-helper-1.source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
pkexec =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.polkit.bin}/bin/pkexec";
};
polkit-agent-helper-1 =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
};
};
systemd.tmpfiles.rules = [

57
nixos/modules/security/wrappers/default.nix
View file

@ -33,12 +33,10 @@ let
};
options.owner = lib.mkOption
{ type = lib.types.str;
default = "root";
description = "The owner of the wrapper program.";
};
options.group = lib.mkOption
{ type = lib.types.str;
default = "root";
description = "The group of the wrapper program.";
};
options.permissions = lib.mkOption
@ -74,7 +72,7 @@ let
};
options.setuid = lib.mkOption
{ type = lib.types.bool;
default = true;
default = false;
description = "Whether to add the setuid bit the wrapper program.";
};
options.setgid = lib.mkOption
@ -156,13 +154,30 @@ in
default = {};
example = lib.literalExample
''
{ sendmail.source = "/nix/store/.../bin/sendmail";
ping = {
source = "${pkgs.iputils.out}/bin/ping";
owner = "nobody";
group = "nogroup";
capabilities = "cap_net_raw+ep";
};
{
# a setuid root program
doas =
{ setuid = true;
owner = "root";
group = "root";
source = "''${pkgs.doas}/bin/doas";
};
# a setgid program
locate =
{ setgid = true;
owner = "root";
group = "mlocate";
source = "''${pkgs.locate}/bin/locate";
};
# a program with the CAP_NET_RAW capability
ping =
{ owner = "root";
group = "root";
capabilities = "cap_net_raw+ep";
source = "''${pkgs.iputils.out}/bin/ping";
};
}
'';
description = ''
@ -198,13 +213,21 @@ in
}
) wrappers;
security.wrappers = {
# These are mount related wrappers that require the +s permission.
fusermount.source = "${pkgs.fuse}/bin/fusermount";
fusermount3.source = "${pkgs.fuse3}/bin/fusermount3";
mount.source = "${lib.getBin pkgs.util-linux}/bin/mount";
umount.source = "${lib.getBin pkgs.util-linux}/bin/umount";
};
security.wrappers =
let
mkSetuidRoot = source:
{ setuid = true;
owner = "root";
group = "root";
inherit source;
};
in
{ # These are mount related wrappers that require the +s permission.
fusermount = mkSetuidRoot "${pkgs.fuse}/bin/fusermount";
fusermount3 = mkSetuidRoot "${pkgs.fuse3}/bin/fusermount3";
mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
};
boot.specialFileSystems.${parentWrapperDir} = {
fsType = "tmpfs";

4
nixos/modules/services/desktops/gnome/gnome-keyring.nix
View file

@ -52,8 +52,10 @@ with lib;
security.pam.services.login.enableGnomeKeyring = true;
security.wrappers.gnome-keyring-daemon = {
source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";
owner = "root";
group = "root";
capabilities = "cap_ipc_lock=ep";
source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";
};
};

7
nixos/modules/services/mail/exim.nix
View file

@ -104,7 +104,12 @@ in
gid = config.ids.gids.exim;
};
security.wrappers.exim.source = "${cfg.package}/bin/exim";
security.wrappers.exim =
{ setuid = true;
owner = "root";
group = "root";
source = "${cfg.package}/bin/exim";
};
systemd.services.exim = {
description = "Exim Mail Daemon";

4
nixos/modules/services/misc/mame.nix
View file

@ -45,8 +45,10 @@ in
environment.systemPackages = [ pkgs.mame ];
security.wrappers."${mame}" = {
source = "${pkgs.mame}/bin/${mame}";
owner = "root";
group = "root";
capabilities = "cap_net_admin,cap_net_raw+eip";
source = "${pkgs.mame}/bin/${mame}";
};
systemd.services.mame = {

7
nixos/modules/services/misc/weechat.nix
View file

@ -52,7 +52,12 @@ in
wants = [ "network.target" ];
};
security.wrappers.screen.source = "${pkgs.screen}/bin/screen";
security.wrappers.screen =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.screen}/bin/screen";
};
};
meta.doc = ./weechat.xml;

7
nixos/modules/services/monitoring/incron.nix
View file

@ -71,7 +71,12 @@ in
environment.systemPackages = [ pkgs.incron ];
security.wrappers.incrontab.source = "${pkgs.incron}/bin/incrontab";
security.wrappers.incrontab =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.incron}/bin/incrontab";
};
# incron won't read symlinks
environment.etc."incron.d/system" = {

7
nixos/modules/services/monitoring/zabbix-proxy.nix
View file

@ -262,7 +262,12 @@ in
};
security.wrappers = {
fping.source = "${pkgs.fping}/bin/fping";
fping =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.fping}/bin/fping";
};
};
systemd.services.zabbix-proxy = {

14
nixos/modules/services/networking/smokeping.nix
View file

@ -278,8 +278,18 @@ in
}
];
security.wrappers = {
fping.source = "${pkgs.fping}/bin/fping";
fping6.source = "${pkgs.fping}/bin/fping6";
fping =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.fping}/bin/fping";
};
fping6 =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.fping}/bin/fping6";
};
};
environment.systemPackages = [ pkgs.fping ];
users.users.${cfg.user} = {

7
nixos/modules/services/scheduling/cron.nix
View file

@ -93,7 +93,12 @@ in
{ services.cron.enable = mkDefault (allFiles != []); }
(mkIf (config.services.cron.enable) {
security.wrappers.crontab.source = "${cronNixosPkg}/bin/crontab";
security.wrappers.crontab =
{ setuid = true;
owner = "root";
group = "root";
source = "${cronNixosPkg}/bin/crontab";
};
environment.systemPackages = [ cronNixosPkg ];
environment.etc.crontab =
{ source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }

1
nixos/modules/services/scheduling/fcron.nix
View file

@ -142,6 +142,7 @@ in
source = "${pkgs.fcron}/bin/fcronsighup";
owner = "root";
group = "fcron";
setuid = true;
};
};
systemd.services.fcron = {

4
nixos/modules/services/video/replay-sorcery.nix
View file

@ -44,8 +44,10 @@ in
security.wrappers = mkIf cfg.enableSysAdminCapability {
replay-sorcery = {
source = "${pkgs.replay-sorcery}/bin/replay-sorcery";
owner = "root";
group = "root";
capabilities = "cap_sys_admin+ep";
source = "${pkgs.replay-sorcery}/bin/replay-sorcery";
};
};

21
nixos/modules/services/x11/desktop-managers/enlightenment.nix
View file

@ -65,9 +65,24 @@ in
# Wrappers for programs installed by enlightenment that should be setuid
security.wrappers = {
enlightenment_ckpasswd.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";
enlightenment_sys.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";
enlightenment_system.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";
enlightenment_ckpasswd =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";
};
enlightenment_sys =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";
};
enlightenment_system =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";
};
};
environment.etc."X11/xkb".source = xcfg.xkbDir;

24
nixos/modules/services/x11/desktop-managers/plasma5.nix
View file

@ -197,12 +197,24 @@ in
};
security.wrappers = {
kcheckpass.source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";
start_kdeinit.source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";
kwin_wayland = {
source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";
capabilities = "cap_sys_nice+ep";
};
kcheckpass =
{ setuid = true;
owner = "root";
group = "root";
source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";
};
start_kdeinit =
{ setuid = true;
owner = "root";
group = "root";
source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";
};
kwin_wayland =
{ owner = "root";
group = "root";
capabilities = "cap_sys_nice+ep";
source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";
};
};
# DDC support

14
nixos/modules/tasks/filesystems/ecryptfs.nix
View file

@ -7,8 +7,18 @@ with lib;
config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) {
system.fsPackages = [ pkgs.ecryptfs ];
security.wrappers = {
"mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
"umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
"mount.ecryptfs_private" =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
};
"umount.ecryptfs_private" =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
};
};
};
}

9
nixos/modules/tasks/network-interfaces.nix
View file

@ -1133,11 +1133,16 @@ in
# kernel because we need the ambient capability
security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then {
ping = {
source = "${pkgs.iputils.out}/bin/ping";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.iputils.out}/bin/ping";
};
} else {
ping.source = "${pkgs.iputils.out}/bin/ping";
setuid = true;
owner = "root";
group = "root";
source = "${pkgs.iputils.out}/bin/ping";
};
security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
/run/wrappers/bin/ping {

3
nixos/modules/virtualisation/libvirtd.nix
View file

@ -183,6 +183,9 @@ in {
};
security.wrappers.qemu-bridge-helper = {
setuid = true;
owner = "root";
group = "root";
source = "/run/${dirName}/nix-helpers/qemu-bridge-helper";
};

6
nixos/modules/virtualisation/spice-usb-redirection.nix
View file

@ -14,9 +14,11 @@
config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable {
environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions
security.wrappers.spice-client-glib-usb-acl-helper ={
source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
security.wrappers.spice-client-glib-usb-acl-helper = {
owner = "root";
group = "root";
capabilities = "cap_fowner+ep";
source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
};
};