What this allows us to do is define a "dumpcap" setuid wrapper in NixOS
and have wireshark use that instead of the non-setuid dumpcap binary
that it normally uses.
As far as I can tell, the code that is changed to do lookup in PATH is
only used by wireshark/tshark to find dumpcap. dumpcap, the thing that's
typically setuid, is not affected by this patch. wireshark and tshark
should *not* be installed setuid, so the fact that they now do lookup in
PATH is not a security concern.
With this commit, and the following config, only "root" and users in the
"wireshark" group will have access to capturing network traffic with
wireshark/dumpcap:
environment.systemPackages = [ pkgs.wireshark ];
security.setuidOwners = [
{ program = "dumpcap";
owner = "root";
group = "wireshark";
setuid = true;
setgid = false;
permissions = "u+rx,g+x";
}
];
users.extraGroups.wireshark.gid = 500;
(This wouldn't have worked before, because then wireshark would not use
our setuid dumpcap binary.)
This makes running wireshark (or more specifically, dumpcap) as root a
bit more secure. From <wireshark-1.11.2>/doc/README.packaging:
The "--with-libcap" option is only useful when dumpcap is installed
setuid. If it is enabled dumpcap will try to drop any setuid privileges
it may have while retaining the CAP_NET_ADMIN and CAP_NET_RAW
capabilities. It is enabled by default, if the Linux capabilities
library (on which it depends) is found.
By enabling ‘services.openssh.startWhenNeeded’, sshd is started
on-demand by systemd using socket activation. This is particularly
useful if you have a zillion containers and don't want to have sshd
running permanently. Note that socket activation is not noticeable
slower, contrary to what the manpage for ‘sshd -i’ says, so we might
want to make this the default one day.
This resolves a cyclic dependency: the daemon depends on tools (for
dbus-send) while tools depends on the daemon. Keeping them separate
doesn't seem very useful in any case.
Our version of SQLite causes the tests to fail, so I'm hereby adding a
patch from dbsrgits/dbix-class@ed5550d36 with the hunk for the Changes
file dropped.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This causes OpenVPN services to reach the "active" state when the VPN
connection is up (i.e., after OpenVPN prints "Initialization Sequence
Completed"). This allows units to be ordered correctly after openvpn-*
units, and makes systemctl present a password prompt:
$ start openvpn-foo
Enter Private Key Password: *************
(I first tried to implement this by calling "systemd-notify --ready"
from the "up" script, but systemd-notify is not reliable.)
The real path of the schemas is:
$out/share/gsettings-schemas/gsettings-desktop-schemas-3.10.1/glib-2.0/schemas
While the previous approach was to load schemas from:
$out/share/glib-2.0/schemas
So, we're now relying on the setup hook of glib to find the right schema
path.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
If dmenu isn't installed in the user environment, dmenu_run will fail
because it searches $PATH for its own binaries.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Youtube feeds now don't append a "sig" query string argument anymore, so
all those feeds would fail without this patch. For the latter, a pull
request already exists on upstream at pculture/miro#428, so I guess we
can drop our patch upon release of the next new upstream bugfix release.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is needed because the pkgconfig file contains linker flags for
alsa-lib. And we had it propagated before already.
Should fix build of quite a lot of SDL dependencies, such as SDL_image:
https://hydra.nixos.org/build/10558332
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This seems to have combined badly with the systemd upgrade, we'll revert
for now and revisit after the 14.04 branch.
This reverts commit ad80532881, reversing
changes made to 1c5d3c7883.