
nixos/security/wrappers: fix shell quoting

rnhmjoj 936e8eaf 7d8b303e

+18 -18
+18 -18
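--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -96,20 +96,20 @@
 }:
 assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
 ''
-cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}
-echo -n "${source}" > $wrapperDir/${program}.real
+cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}"
+echo -n "${source}" > "$wrapperDir/${program}.real"
 
 # Prevent races
-chmod 0000 $wrapperDir/${program}
-chown ${owner}.${group} $wrapperDir/${program}
+chmod 0000 "$wrapperDir/${program}"
+chown ${owner}.${group} "$wrapperDir/${program}"
 
 # Set desired capabilities on the file plus cap_setpcap so
 # the wrapper program can elevate the capabilities set on
 # its file into the Ambient set.
-${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}
+${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" "$wrapperDir/${program}"
 
 # Set the executable bit
-chmod ${permissions} $wrapperDir/${program}
+chmod ${permissions} "$wrapperDir/${program}"
 '';
 
 ###### Activation script for the setuid wrappers
@@ -124,14 +124,14 @@
 , ...
 }:
 ''
-cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}
-echo -n "${source}" > $wrapperDir/${program}.real
+cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}"
+echo -n "${source}" > "$wrapperDir/${program}.real"
 
 # Prevent races
-chmod 0000 $wrapperDir/${program}
-chown ${owner}.${group} $wrapperDir/${program}
+chmod 0000 "$wrapperDir/${program}"
+chown ${owner}.${group} "$wrapperDir/${program}"
 
-chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
+chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" "$wrapperDir/${program}"
 '';
 
 mkWrappedPrograms =
@@ -238,7 +238,7 @@
 
 # We want to place the tmpdirs for the wrappers to the parent dir.
 wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
-chmod a+rx $wrapperDir
+chmod a+rx "$wrapperDir"
 
 ${lib.concatStringsSep "\n" mkWrappedPrograms}
 
@@ -246,15 +246,15 @@
 # Atomically replace the symlink
 # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
 old=$(readlink -f ${wrapperDir})
-if [ -e ${wrapperDir}-tmp ]; then
-rm --force --recursive ${wrapperDir}-tmp
+if [ -e "${wrapperDir}-tmp" ]; then
+rm --force --recursive "${wrapperDir}-tmp"
 fi
-ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
-mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
-rm --force --recursive $old
+ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp"
+mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}"
+rm --force --recursive "$old"
 else
 # For initial setup
-ln --symbolic $wrapperDir ${wrapperDir}
+ln --symbolic "$wrapperDir" "${wrapperDir}"
 fi
 '';
 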
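Review bot: The quoting in the symlink-replacement hunk stops one line short: `old=$(readlink -f ${wrapperDir})` on line 248 still passes the interpolated directory unquoted while every sibling use on lines 249–257 is now quoted, so `old=$(readlink -f "${wrapperDir}")` would make the hunk consistent (here `${wrapperDir}` appears to be the Nix-side path rather than the shell variable set on line 240, so the risk is lower, but the inconsistency invites the same class of bug back). Separately, the two `chown ${owner}.${group}` lines touched by the first two hunks use the legacy dot separator, which is ambiguous when a user name contains a dot; `chown "${owner}:${group}"` is the form GNU chown documents as preferred. The `if` whose `else` branch appears in the last hunk starts outside the hunk.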