Getting rid of the var indirection and using a bin path instead

pyrox.dev / nixpkgs

fork atom

lol

fork atom

Parnell Springmeyer 9 years ago 4aa09230 a8cb2afa

+86 -65

45 changed files

expand all collapse all

nixos

modules

installer

tools

nixos-install.sh

security

apparmor-suid.nix

wrappers

default.nix

services

logging

logcheck.nix

mail

dovecot.nix

exim.nix

monitoring

munin.nix

smartd.nix

network-filesystems

samba.nix

networking

prayer.nix

smokeping.nix

scheduling

atd.nix

cron.nix

fcron.nix

system

boot

stage-2-init.sh

virtualisation

virtualbox-host.nix

tests

smokeping.nix

pkgs

applications

editors

sublime3

default.nix

networking

browsers

chromium

default.nix

instant-messengers

gale

gale-install.in.patch

version-management

gitlab

remove-hardcoded-locations.patch

virtualization

virtualbox

hardened.patch

build-support

build-fhs-userenv

env.nix

desktops

enlightenment

enlightenment.nix

development

libraries

kde-frameworks

kinit

start_kdeinit-path.patch

libgksu

default.nix

polkit

default.nix

tools

unity3d

default.nix

os-specific

linux

fuse

default.nix

mdadm

4.nix

default.nix

pam

default.nix

util-linux

default.nix

servers

interlock

default.nix

mail

petidomo

default.nix

monitoring

nagios

plugins

official-2.x.nix

tools

X11

x11vnc

default.nix

admin

certbot

default.nix

misc

debian-devscripts

default.nix

security

ecryptfs

default.nix

helper.nix

sudo

default.nix

system

default.nix

cron

default.nix

+2 -2

nixos/modules/installer/tools/nixos-install.sh

reviewed

··· 259 259 260 260 261 261 # Ask the user to set a root password. 262 262 - if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/passwd ] && [ -t 0 ]; then 262 262 + if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/bin/passwd ] && [ -t 0 ]; then 263 263 echo "setting root password..." 264 264 - chroot $mountPoint /run/wrappers/passwd 264 264 + chroot $mountPoint /run/wrappers/bin/passwd 265 265 fi 266 266 267 267

+1 -2

nixos/modules/security/apparmor-suid.nix

reviewed

··· 19 19 config = mkIf (cfg.confineSUIDApplications) { 20 20 security.apparmor.profiles = [ (pkgs.writeText "ping" '' 21 21 #include <tunables/global> 22 22 - /run/wrappers/ping { 22 22 + /run/wrappers/bin/ping { 23 23 #include <abstractions/base> 24 24 #include <abstractions/consoles> 25 25 #include <abstractions/nameservice> ··· 33 33 ${pkgs.attr.out}/lib/libattr.so* mr, 34 34 35 35 ${pkgs.iputils}/bin/ping mixr, 36 36 - /run/wrappers/ping.real r, 37 36 38 37 #/etc/modules.conf r, 39 38

+30 -3

nixos/modules/security/wrappers/default.nix

reviewed

··· 17 17 source=/nix/var/nix/profiles/default/bin/${program} 18 18 fi 19 19 20 20 - gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.wrapperDir}\" \ 20 20 + parentWrapperDir=$(dirname ${wrapperDir}) 21 21 + 22 22 + gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"$parentWrapperDir\" \ 21 23 -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ 22 24 -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include 23 25 ''; ··· 155 157 156 158 security.wrapperDir = lib.mkOption { 157 159 type = lib.types.path; 158 158 - default = "/run/wrappers"; 160 160 + default = "/run/wrappers/bin"; 159 161 internal = true; 160 162 description = '' 161 163 This option defines the path to the wrapper programs. It ··· 181 183 # programs to be wrapped. 182 184 WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin 183 185 186 186 + if [ -d ${config.security.old-wrapperDir} ]; then 187 187 + rm -rf ${config.security.old-wrapperDir} 188 188 + fi 189 189 + 190 190 + parentWrapperDir="$(dirname ${wrapperDir})" 191 191 + 184 192 mkdir -p ${wrapperDir} 185 185 - wrapperDir=$(mktemp --directory --tmpdir=${wrapperDir} wrappers.XXXXXXXXXX) 193 193 + wrapperDir=$(mktemp --directory --tmpdir="$parentWrapperDir" wrappers.XXXXXXXXXX) 186 194 chmod a+rx $wrapperDir 187 195 188 196 ${lib.concatStringsSep "\n" mkWrappedPrograms} 197 197 + 198 198 + if [ -L ${wrapperDir} ]; then 199 199 + # Atomically replace the symlink 200 200 + # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ 201 201 + old=$(readlink ${wrapperDir}) 202 202 + ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp 203 203 + mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir} 204 204 + rm --force --recursive $old 205 205 + elif [ -d ${wrapperDir} ]; then 206 206 + # Compatibility with old state, just remove the folder and symlink 207 207 + rm -f ${wrapperDir}/* 208 208 + # if it happens to be a tmpfs 209 209 + ${pkgs.utillinux}/bin/umount ${wrapperDir} || true 210 210 + rm -d ${wrapperDir} 211 211 + ln -d --symbolic $wrapperDir ${wrapperDir} 212 212 + else 213 213 + # For initial setup 214 214 + ln --symbolic $wrapperDir ${wrapperDir} 215 215 + fi 189 216 ''; 190 217 }; 191 218 }

+2 -2

nixos/modules/services/logging/logcheck.nix

reviewed

··· 29 29 }; 30 30 31 31 cronJob = '' 32 32 - @reboot logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} 33 33 - 2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} 32 32 + @reboot logcheck env PATH=/run/wrappers/bin:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} 33 33 + 2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers/bin:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} 34 34 ''; 35 35 36 36 writeIgnoreRule = name: {level, regex, ...}:

+1 -1

nixos/modules/services/mail/dovecot.nix

reviewed

··· 13 13 '' 14 14 base_dir = ${baseDir} 15 15 protocols = ${concatStringsSep " " cfg.protocols} 16 16 - sendmail_path = /run/wrappers/sendmail 16 16 + sendmail_path = /run/wrappers/bin/sendmail 17 17 '' 18 18 19 19 (if isNull cfg.sslServerCert then ''

+1 -1

nixos/modules/services/mail/exim.nix

reviewed

··· 70 70 etc."exim.conf".text = '' 71 71 exim_user = ${cfg.user} 72 72 exim_group = ${cfg.group} 73 73 - exim_path = /run/wrappers/exim 73 73 + exim_path = /run/wrappers/bin/exim 74 74 spool_directory = ${cfg.spoolDir} 75 75 ${cfg.config} 76 76 '';

+2 -2

nixos/modules/services/monitoring/munin.nix

reviewed

··· 34 34 cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file) 35 35 36 36 wrapProgram $file \ 37 37 - --set PATH "/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \ 37 37 + --set PATH "/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/bin" \ 38 38 --set MUNIN_LIBDIR "${pkgs.munin}/lib" \ 39 39 --set MUNIN_PLUGSTATE "/var/run/munin" 40 40 ··· 183 183 184 184 mkdir -p /etc/munin/plugins 185 185 rm -rf /etc/munin/plugins/* 186 186 - PATH="/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash 186 186 + PATH="/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash 187 187 ''; 188 188 serviceConfig = { 189 189 ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";

+1 -1

nixos/modules/services/monitoring/smartd.nix

reviewed

··· 124 124 }; 125 125 126 126 mailer = mkOption { 127 127 - default = "/run/wrappers/sendmail"; 127 127 + default = "/run/wrappers/bin/sendmail"; 128 128 type = types.path; 129 129 description = '' 130 130 Sendmail-compatible binary to be used to send the messages.

+1 -1

nixos/modules/services/network-filesystems/samba.nix

reviewed

··· 30 30 '' 31 31 [ global ] 32 32 security = ${cfg.securityType} 33 33 - passwd program = /run/wrappers/passwd %u 33 33 + passwd program = /run/wrappers/bin/passwd %u 34 34 pam password change = ${smbToString cfg.syncPasswordsByPam} 35 35 invalid users = ${smbToString cfg.invalidUsers} 36 36

+1 -1

nixos/modules/services/networking/prayer.nix

reviewed

··· 18 18 var_prefix = "${stateDir}" 19 19 prayer_user = "${prayerUser}" 20 20 prayer_group = "${prayerGroup}" 21 21 - sendmail_path = "/run/wrappers/sendmail" 21 21 + sendmail_path = "/run/wrappers/bin/sendmail" 22 22 23 23 use_http_port ${cfg.port} 24 24

+1 -1

nixos/modules/services/networking/smokeping.nix

reviewed

··· 226 226 sendmail = mkOption { 227 227 type = types.nullOr types.path; 228 228 default = null; 229 229 - example = "/run/wrappers/sendmail"; 229 229 + example = "/run/wrappers/bin/sendmail"; 230 230 description = "Use this sendmail compatible script to deliver alerts"; 231 231 }; 232 232 smokeMailTemplate = mkOption {

+2 -2

nixos/modules/services/scheduling/atd.nix

reviewed

··· 42 42 43 43 config = mkIf cfg.enable { 44 44 45 45 - security.wrappers.setuid = map (program: "${program}" = { 45 45 + security.wrappers = map (program: {"${program}" = { 46 46 source = "${pkgs.atd}/bin/${program}"; 47 47 owner = "atd"; 48 48 group = "atd"; 49 49 setuid = true; 50 50 setgid = true; 51 51 - }) [ "at" "atq" "atrm" "batch" ]; 51 51 + };}) [ "at" "atq" "atrm" "batch" ]; 52 52 53 53 environment.systemPackages = [ at ]; 54 54

+1 -1

nixos/modules/services/scheduling/cron.nix

reviewed

··· 20 20 cronNixosPkg = pkgs.cron.override { 21 21 # The mail.nix nixos module, if there is any local mail system enabled, 22 22 # should have sendmail in this path. 23 23 - sendmailPath = "/run/wrappers/sendmail"; 23 23 + sendmailPath = "/run/wrappers/bin/sendmail"; 24 24 }; 25 25 26 26 allFiles =

+1 -1

nixos/modules/services/scheduling/fcron.nix

reviewed

··· 96 96 fcronallow = /etc/fcron.allow 97 97 fcrondeny = /etc/fcron.deny 98 98 shell = /bin/sh 99 99 - sendmail = /run/wrappers/sendmail 99 99 + sendmail = /run/wrappers/bin/sendmail 100 100 editor = /run/current-system/sw/bin/vi 101 101 ''; 102 102 target = "fcron.conf";

-5

nixos/modules/system/boot/stage-2-init.sh

reviewed

··· 131 131 cat /etc/resolv.conf | resolvconf -m 1000 -a host 132 132 fi 133 133 134 134 - # Create /run/wrappers as a tmpfs. 135 135 - rm -rf /run/wrappers 136 136 - mkdir -m 0755 -p /run/wrappers 137 137 - mount -t tmpfs -o "mode=0755" tmpfs /run/wrappers 138 138 - 139 134 # Log the script output to /dev/kmsg or /run/log/stage-2-init.log. 140 135 # Only at this point are all the necessary prerequisites ready for these commands. 141 136 exec {logOutFd}>&1 {logErrFd}>&2

+2 -2

nixos/modules/virtualisation/virtualbox-host.nix

reviewed

··· 69 69 environment.systemPackages = [ virtualbox ]; 70 70 71 71 security.wrappers = let 72 72 - mkSuid = program: "${program}" = { 72 72 + mkSuid = program: {"${program}" = { 73 73 source = "${virtualbox}/libexec/virtualbox/${program}"; 74 74 owner = "root"; 75 75 group = "vboxusers"; 76 76 setuid = true; 77 77 - }; 77 77 + };}; 78 78 in mkIf cfg.enableHardening (map mkSuid [ 79 79 "VBoxHeadless" 80 80 "VBoxNetAdpCtl"

+1 -1

nixos/tests/smokeping.nix

reviewed

··· 14 14 mailHost = "127.0.0.2"; 15 15 probeConfig = '' 16 16 + FPing 17 17 - binary = /run/wrappers/fping 17 17 + binary = /run/wrappers/bin/fping 18 18 offset = 0% 19 19 ''; 20 20 };

+1 -1

pkgs/applications/editors/sublime3/default.nix

reviewed

··· 1 1 { fetchurl, stdenv, glib, xorg, cairo, gtk2, pango, makeWrapper, openssl, bzip2, 2 2 - pkexecPath ? "/run/wrappers/pkexec", libredirect, 2 2 + pkexecPath ? "/run/wrappers/bin/pkexec", libredirect, 3 3 gksuSupport ? false, gksu}: 4 4 5 5 assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux";

+2 -2

pkgs/applications/networking/browsers/chromium/default.nix

reviewed

··· 83 83 ed -v -s "$out/bin/chromium" << EOF 84 84 2i 85 85 86 86 - if [ -x "/run/wrappers/${sandboxExecutableName}" ] 86 86 + if [ -x "/run/wrappers/bin/${sandboxExecutableName}" ] 87 87 then 88 88 - export CHROME_DEVEL_SANDBOX="/run/wrappers/${sandboxExecutableName}" 88 88 + export CHROME_DEVEL_SANDBOX="/run/wrappers/bin/${sandboxExecutableName}" 89 89 else 90 90 export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}" 91 91 fi

+1 -1

pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch

reviewed

··· 26 26 + is_nixos=no 27 27 +fi 28 28 + 29 29 - +if [ -u /run/wrappers/gksign ]; then 29 29 + +if [ -u /run/wrappers/bin/gksign ]; then 30 30 + cat <<EOM 31 31 + 32 32 +Gale appears to have already been set up via the NixOS module system (check

+1 -1

pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch

reviewed

··· 11 11 - # # arguments: '-i -t' 12 12 - # # } 13 13 + config.action_mailer.sendmail_settings = { 14 14 - + location: '/run/wrappers/sendmail', 14 14 + + location: '/run/wrappers/bin/sendmail', 15 15 + arguments: '-i -t' 16 16 + } 17 17 config.action_mailer.perform_deliveries = true

+3 -3

pkgs/applications/virtualization/virtualbox/hardened.patch

reviewed

··· 96 96 /* get the path to the executable */ 97 97 char szPath[RTPATH_MAX]; 98 98 - RTPathAppPrivateArch(szPath, sizeof(szPath) - 1); 99 99 - + RTStrCopy(szPath, sizeof(szPath) - 1, "/run/wrappers"); 99 99 + + RTStrCopy(szPath, sizeof(szPath) - 1, "/run/wrappers/bin"); 100 100 size_t cchBufLeft = strlen(szPath); 101 101 szPath[cchBufLeft++] = RTPATH_DELIMITER; 102 102 szPath[cchBufLeft] = 0; ··· 154 154 155 155 +RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath) 156 156 +{ 157 157 - + return RTStrCopy(pszPath, cchPath, "/run/wrappers"); 157 157 + + return RTStrCopy(pszPath, cchPath, "/run/wrappers/bin"); 158 158 +} 159 159 + 160 160 + ··· 174 174 + * will cut off everything after the rightmost / as this function is analogous 175 175 + * to RTProcGetExecutablePath(). 176 176 + */ 177 177 - +#define SUIDDIR "/run/wrappers/" 177 177 + +#define SUIDDIR "/run/wrappers/bin/" 178 178 + 179 179 +RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath) 180 180 +{

+1 -1

pkgs/build-support/build-fhs-userenv/env.nix

reviewed

··· 51 51 export PS1='${name}-chrootenv:\u@\h:\w\$ ' 52 52 export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive' 53 53 export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32' 54 54 - export PATH='/run/wrappers:/usr/bin:/usr/sbin' 54 54 + export PATH='/run/wrappers/bin:/usr/bin:/usr/sbin' 55 55 export PKG_CONFIG_PATH=/usr/lib/pkgconfig 56 56 57 57 # Force compilers to look in default search paths

+3 -3

pkgs/desktops/enlightenment/enlightenment.nix

reviewed

··· 42 42 # this is a hack and without this cpufreq module is not working. does the following: 43 43 # 1. moves the "freqset" binary to "e_freqset", 44 44 # 2. linkes "e_freqset" to enlightenment/bin so that, 45 45 - # 3. wrappers.setuid detects it and places wrappers in /run/wrappers/e_freqset, 46 46 - # 4. and finally, links /run/wrappers/e_freqset to original destination where enlightenment wants it 45 45 + # 3. wrappers.setuid detects it and places wrappers in /run/wrappers/bin/e_freqset, 46 46 + # 4. and finally, links /run/wrappers/bin/e_freqset to original destination where enlightenment wants it 47 47 postInstall = '' 48 48 export CPUFREQ_DIRPATH=`readlink -f $out/lib/enlightenment/modules/cpufreq/linux-gnu-*`; 49 49 mv $CPUFREQ_DIRPATH/freqset $CPUFREQ_DIRPATH/e_freqset 50 50 ln -sv $CPUFREQ_DIRPATH/e_freqset $out/bin/e_freqset 51 51 - ln -sv /run/wrappers/e_freqset $CPUFREQ_DIRPATH/freqset 51 51 + ln -sv /run/wrappers/bin/e_freqset $CPUFREQ_DIRPATH/freqset 52 52 ''; 53 53 54 54 meta = with stdenv.lib; {

+1 -1

pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch

reviewed

··· 7 7 #include <unistd.h> 8 8 9 9 -#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit" 10 10 - +#define EXECUTE "/run/wrappers/start_kdeinit" 10 10 + +#define EXECUTE "/run/wrappers/bin/start_kdeinit" 11 11 12 12 #if KDEINIT_OOM_PROTECT 13 13

+2 -2

pkgs/development/libraries/libgksu/default.nix

reviewed

··· 57 57 58 58 # Fix some binary paths 59 59 sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c 60 60 - sed -i -e 's|/usr/bin/sudo|/run/wrappers/sudo|g' libgksu/libgksu.c 61 61 - sed -i -e 's|/bin/su$[^d]$|/run/wrappers/su\1|g' libgksu/libgksu.c 60 60 + sed -i -e 's|/usr/bin/sudo|/run/wrappers/bin/sudo|g' libgksu/libgksu.c 61 61 + sed -i -e 's|/bin/su$[^d]$|/run/wrappers/bin/su\1|g' libgksu/libgksu.c 62 62 63 63 touch NEWS README 64 64 '';

+1 -1

pkgs/development/libraries/polkit/default.nix

reviewed

··· 5 5 let 6 6 7 7 system = "/var/run/current-system/sw"; 8 8 - setuid = "/run/wrappers"; #TODO: from <nixos> config.security.wrapperDir; 8 8 + setuid = "/run/wrappers/bin"; #TODO: from <nixos> config.security.wrapperDir; 9 9 10 10 foolVars = { 11 11 SYSCONF = "/etc";

+1 -1

pkgs/development/tools/unity3d/default.nix

reviewed

··· 94 94 unitydir="$out/opt/Unity/Editor" 95 95 mkdir -p $unitydir 96 96 mv Editor/* $unitydir 97 97 - ln -sf /run/wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox 97 97 + ln -sf /run/wrappers/bin/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox 98 98 99 99 mkdir -p $out/share/applications 100 100 sed "/^Exec=/c\Exec=$out/bin/unity-editor" \

+1 -1

pkgs/os-specific/linux/fuse/default.nix

reviewed

··· 23 23 # Ensure that FUSE calls the setuid wrapper, not 24 24 # $out/bin/fusermount. It falls back to calling fusermount in 25 25 # $PATH, so it should also work on non-NixOS systems. 26 26 - export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers\"" 26 26 + export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers/bin\"" 27 27 28 28 sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c 29 29 sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh

+1 -1

pkgs/os-specific/linux/mdadm/4.nix

reviewed

··· 31 31 preConfigure = '' 32 32 sed -e 's@/lib/udev@''${out}/lib/udev@' \ 33 33 -e 's@ -Werror @ @' \ 34 34 - -e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile 34 34 + -e 's@/usr/sbin/sendmail@/run/wrappers/bin/sendmail@' -i Makefile 35 35 ''; 36 36 37 37 meta = {

+1 -1

pkgs/os-specific/linux/mdadm/default.nix

reviewed

+1 -1

pkgs/os-specific/linux/pam/default.nix

reviewed

··· 34 34 35 35 postInstall = '' 36 36 mv -v $out/sbin/unix_chkpwd{,.orig} 37 37 - ln -sv /run/wrappers/unix_chkpwd $out/sbin/unix_chkpwd 37 37 + ln -sv /run/wrappers/bin/unix_chkpwd $out/sbin/unix_chkpwd 38 38 ''; /* 39 39 rm -rf $out/etc 40 40 mkdir -p $modules/lib

+1 -1

pkgs/os-specific/linux/util-linux/default.nix

reviewed

··· 36 36 --enable-last 37 37 --enable-mesg 38 38 --disable-use-tty-group 39 39 - --enable-fs-paths-default=/run/wrappers:/var/run/current-system/sw/bin:/sbin 39 39 + --enable-fs-paths-default=/run/wrappers/bin:/var/run/current-system/sw/bin:/sbin 40 40 ${if ncurses == null then "--without-ncurses" else ""} 41 41 ${if systemd == null then "" else '' 42 42 --with-systemd

+1 -1

pkgs/servers/interlock/default.nix

reviewed

··· 30 30 -e 's|/bin/chown|${coreutils}/bin/chown|' \ 31 31 -e 's|/bin/date|${coreutils}/bin/date|' \ 32 32 -e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \ 33 33 - -e 's|/usr/bin/sudo|/run/wrappers/sudo|' \ 33 33 + -e 's|/usr/bin/sudo|/run/wrappers/bin/sudo|' \ 34 34 -e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|' 35 35 ''; 36 36 }

+1 -1

pkgs/servers/mail/petidomo/default.nix

reviewed

··· 1 1 - { stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/sendmail" }: 1 1 + { stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/bin/sendmail" }: 2 2 3 3 stdenv.mkDerivation rec { 4 4 name = "petidomo-4.3";

+2 -2

pkgs/servers/monitoring/nagios/plugins/official-2.x.nix

reviewed

··· 16 16 # configured on the build machine). 17 17 preConfigure= " 18 18 configureFlagsArray=( 19 19 - --with-ping-command='/run/wrappers/ping -n -U -w %d -c %d %s' 20 20 - --with-ping6-command='/run/wrappers/ping6 -n -U -w %d -c %d %s' 19 19 + --with-ping-command='/run/wrappers/bin/ping -n -U -w %d -c %d %s' 20 20 + --with-ping6-command='/run/wrappers/bin/ping6 -n -U -w %d -c %d %s' 21 21 ) 22 22 "; 23 23

+2 -2

pkgs/tools/X11/x11vnc/default.nix

reviewed

··· 20 20 configureFlags="--mandir=$out/share/man" 21 21 22 22 substituteInPlace x11vnc/unixpw.c \ 23 23 - --replace '"/bin/su"' '"/run/wrappers/su"' \ 23 23 + --replace '"/bin/su"' '"/run/wrappers/bin/su"' \ 24 24 --replace '"/bin/true"' '"${coreutils}/bin/true"' 25 25 26 26 - sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/su|g' x11vnc/ssltools.h 26 26 + sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/bin/su|g' x11vnc/ssltools.h 27 27 ''; 28 28 29 29 meta = {

+1 -1

pkgs/tools/admin/certbot/default.nix

reviewed

··· 31 31 buildInputs = [ dialog ] ++ (with python2Packages; [ nose mock gnureadline ]); 32 32 33 33 patchPhase = '' 34 34 - substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/sendmail" 34 34 + substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/bin/sendmail" 35 35 substituteInPlace certbot/util.py --replace "sw_vers" "/usr/bin/sw_vers" 36 36 ''; 37 37

+1 -1

pkgs/tools/misc/debian-devscripts/default.nix

reviewed

··· 2 2 , FileDesktopEntry, libxslt, docbook_xsl, makeWrapper 3 3 , python3Packages 4 4 , perlPackages, curl, gnupg, diffutils 5 5 - , sendmailPath ? "/run/wrappers/sendmail" 5 5 + , sendmailPath ? "/run/wrappers/bin/sendmail" 6 6 }: 7 7 8 8 let

+1 -1

pkgs/tools/security/ecryptfs/default.nix

reviewed

··· 11 11 }; 12 12 13 13 # TODO: replace wrapperDir below with from <nixos> config.security.wrapperDir; 14 14 - wrapperDir = "/run/wrappers"; 14 14 + wrapperDir = "/run/wrappers/bin"; 15 15 16 16 postPatch = '' 17 17 FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)"

+1 -1

pkgs/tools/security/ecryptfs/helper.nix

reviewed

··· 18 18 19 19 buildInputs = [ makeWrapper ]; 20 20 21 21 - # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers 21 21 + # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers/bin 22 22 installPhase = '' 23 23 mkdir -p $out/bin $out/libexec 24 24 cp $src $out/libexec/ecryptfs-helper.py

+1 -1

pkgs/tools/security/sudo/default.nix

reviewed

··· 1 1 { stdenv, fetchurl, coreutils, pam, groff 2 2 - , sendmailPath ? "/run/wrappers/sendmail" 2 2 + , sendmailPath ? "/run/wrappers/bin/sendmail" 3 3 , withInsults ? false 4 4 }: 5 5

+1 -1

pkgs/tools/system/at/default.nix

reviewed

··· 1 1 - { fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/sendmail" }: 1 1 + { fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/bin/sendmail" }: 2 2 3 3 stdenv.mkDerivation { 4 4 name = "at-3.1.16";

+1 -1

pkgs/tools/system/cron/default.nix

reviewed

··· 23 23 #define _PATH_SENDMAIL "${sendmailPath}" 24 24 25 25 #undef _PATH_DEFPATH 26 26 - #define _PATH_DEFPATH "/run/wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" 26 26 + #define _PATH_DEFPATH "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin" 27 27 __EOT__ 28 28 29 29 # Implicit saved uids do not work here due to way NixOS uses setuid wrappers

+1 -1

pkgs/tools/system/ts/default.nix

reviewed

··· 1 1 {stdenv, fetchurl, 2 2 - sendmailPath ? "/run/wrappers/sendmail" }: 2 2 + sendmailPath ? "/run/wrappers/bin/sendmail" }: 3 3 4 4 stdenv.mkDerivation rec { 5 5