lol

nixos: add implict security.wrappers options

This is to keep the same permissions/setuid/setgid as before the change
in security.wrappers defaults.

rnhmjoj 8f76a6ee 41a49857

+22 -3
+2
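--- a/nixos/modules/programs/ccache.nix
+++ b/nixos/modules/programs/ccache.nix
@@ -28,7 +28,9 @@
 
 # "nix-ccache --show-stats" and "nix-ccache --clear"
 security.wrappers.nix-ccache = {
+owner = "nobody";
 group = "nixbld";
+setuid = false;
 setgid = true;
 source = pkgs.writeScript "nix-ccache.pl" ''
 #!${pkgs.perl}/bin/perl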
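Review bot: `owner = "nobody"` on `security.wrappers.nix-ccache` preserves the earlier ownership (per the commit message), but it leaves a setgid wrapper owned by an account that unrelated unprivileged services commonly run as, and a file's owner can change its mode and, through that, its contents. Unless something depends on that ownership, `owner = "root";` with the same `group`/`setgid` lines grants the same group privilege without handing the file to `nobody`. The same applies to the `nobody`-owned wrappers in opensmtpd.nix (`smtpctl`), postfix.nix (`sendmail`, `mailq`, `postqueue`, `postdrop`) and cde.nix (`dtmail`). If compatibility is the only reason to keep it, a comment such as `# owner kept as "nobody" to match the pre-change default` would record that. The wrapper's attribute set continues past the end of the hunk.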
+2
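--- a/nixos/modules/programs/msmtp.nix
+++ b/nixos/modules/programs/msmtp.nix
@@ -78,6 +78,8 @@
 source = "${pkgs.msmtp}/bin/sendmail";
 setuid = false;
 setgid = false;
+owner = "root";
+group = "root";
 };
 
 environment.etc."msmtprc".text = let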
+2
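--- a/nixos/modules/programs/ssmtp.nix
+++ b/nixos/modules/programs/ssmtp.nix
@@ -181,6 +181,8 @@
 source = "${pkgs.ssmtp}/bin/sendmail";
 setuid = false;
 setgid = false;
+owner = "root";
+group = "root";
 };
 
 };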
+1
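--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -871,6 +871,7 @@
 unix_chkpwd = {
 source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
 owner = "root";
+group = "nogroup";
 setuid = true;
 };
 };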
+4 -1
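--- a/nixos/modules/services/mail/opensmtpd.nix
+++ b/nixos/modules/services/mail/opensmtpd.nix
@@ -103,12 +103,15 @@
 };
 
 security.wrappers.smtpctl = {
+owner = "nobody";
 group = "smtpq";
+setuid = false;
 setgid = true;
 source = "${cfg.package}/bin/smtpctl";
 };
 
-services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail security.wrappers.smtpctl;
+services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail
+security.wrappers.smtpctl // { program = "sendmail"; };
 
 systemd.tmpfiles.rules = [
 "d /var/spool/smtpd 711 root - - -"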
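Review bot: In the new `services.mail.sendmailSetuidWrapper` assignment, function application binds tighter than `//` in Nix, so the expression parses as `(mkIf cfg.setSendmail security.wrappers.smtpctl) // { program = "sendmail"; }`. The `program` attribute is then merged into the value that `mkIf` returns rather than into the wrapper definition, so the override most likely never reaches the wrapper options. Parenthesise the right-hand side: `mkIf cfg.setSendmail (security.wrappers.smtpctl // { program = "sendmail"; });`. A one-line comment saying that the sendmail wrapper deliberately reuses smtpctl's owner/group/setgid settings would also help keep the two in sync.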
+4
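--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -673,6 +673,7 @@
 services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {
 program = "sendmail";
 source = "${pkgs.postfix}/bin/sendmail";
+owner = "nobody";
 group = setgidGroup;
 setuid = false;
 setgid = true;
@@ -681,6 +682,7 @@
 security.wrappers.mailq = {
 program = "mailq";
 source = "${pkgs.postfix}/bin/mailq";
+owner = "nobody";
 group = setgidGroup;
 setuid = false;
 setgid = true;
@@ -689,6 +691,7 @@
 security.wrappers.postqueue = {
 program = "postqueue";
 source = "${pkgs.postfix}/bin/postqueue";
+owner = "nobody";
 group = setgidGroup;
 setuid = false;
 setgid = true;
@@ -697,6 +700,7 @@
 security.wrappers.postdrop = {
 program = "postdrop";
 source = "${pkgs.postfix}/bin/postdrop";
+owner = "nobody";
 group = setgidGroup;
 setuid = false;
 setgid = true;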
+2
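--- a/nixos/modules/services/networking/x2goserver.nix
+++ b/nixos/modules/services/networking/x2goserver.nix
@@ -88,12 +88,14 @@
 source = "${pkgs.x2goserver}/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl";
 owner = "x2go";
 group = "x2go";
+setuid = false;
 setgid = true;
 };
 security.wrappers.x2goprintWrapper = {
 source = "${pkgs.x2goserver}/bin/x2goprint";
 owner = "x2go";
 group = "x2go";
+setuid = false;
 setgid = true;
 };
 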
+2
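--- a/nixos/modules/services/scheduling/fcron.nix
+++ b/nixos/modules/services/scheduling/fcron.nix
@@ -136,9 +136,11 @@
 owner = "fcron";
 group = "fcron";
 setgid = true;
+setuid = false;
 };
 fcronsighup = {
 source = "${pkgs.fcron}/bin/fcronsighup";
+owner = "root";
 group = "fcron";
 };
 };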
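Review bot: `fcronsighup` gets an explicit `owner = "root"` but still states neither `setuid` nor `setgid`, so its privilege bits depend on the new `security.wrappers` defaults, which are not shown on this page. Most of the other wrappers touched by this commit spell both out; doing the same here would make the intended mode reviewable, e.g. `setuid = true;` and `setgid = false;` if the wrapper was setuid root before the defaults changed (to be confirmed against the old behaviour). The first wrapper in this section begins above the visible lines, so its name cannot be checked from here.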
+3 -2
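--- a/nixos/modules/services/x11/desktop-managers/cde.nix
+++ b/nixos/modules/services/x11/desktop-managers/cde.nix
@@ -49,9 +49,10 @@
 users.groups.mail = {};
 security.wrappers = {
 dtmail = {
+setgid = true;
+owner = "nobody";
+group = "mail";
 source = "${pkgs.cdesktopenv}/bin/dtmail";
-group = "mail";
-setgid = true;
 };
 };
 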