+1 -1

nixos/modules/services/mail/mail.nix

··· 26 26 27 27 config = mkIf (config.services.mail.sendmailSetuidWrapper != null) { 28 28 29 29 - security.wrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ]; 29 29 + security.wrappers.sendmail = config.services.mail.sendmailSetuidWrapper; 30 30 31 31 }; 32 32

+1 -1

nixos/modules/services/networking/gale.nix

··· 141 141 setgid = false; 142 142 }; 143 143 144 144 - security.wrappers.setuid = [ cfg.setuidWrapper ]; 144 144 + security.wrappers.gksign = cfg.setuidWrapper; 145 145 146 146 systemd.services.gale-galed = { 147 147 description = "Gale messaging daemon";

+1 -3

nixos/modules/services/scheduling/atd.nix

··· 42 42 43 43 config = mkIf cfg.enable { 44 44 45 45 - security.wrappers.setuid = map (program: { 46 46 - inherit program; 47 47 - 45 45 + security.wrappers.setuid = map (program: "${program}" = { 48 46 source = "${pkgs.atd}/bin/${program}"; 49 47 owner = "atd"; 50 48 group = "atd";

+1 -1

nixos/modules/services/scheduling/cron.nix

··· 61 61 A list of Cron jobs to be appended to the system-wide 62 62 crontab. See the manual page for crontab for the expected 63 63 format. If you want to get the results mailed you must setuid 64 64 - sendmail. See <option>security.wrappers.setuid</option> 64 64 + sendmail. See <option>security.wrappers</option> 65 65 66 66 If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root 67 67 will is allowed to have its own crontab file. The /var/cron/cron.deny file

+8 -9

nixos/modules/services/system/dbus.nix

··· 114 114 115 115 systemd.packages = [ pkgs.dbus.daemon ]; 116 116 117 117 - security.wrappers.setuid = singleton 118 118 - { program = "dbus-daemon-launch-helper"; 119 119 - source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper"; 120 120 - owner = "root"; 121 121 - group = "messagebus"; 122 122 - setuid = true; 123 123 - setgid = false; 124 124 - permissions = "u+rx,g+rx,o-rx"; 125 125 - }; 117 117 + security.wrappers.dbus-daemon-launch-helper = { 118 118 + source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper"; 119 119 + owner = "root"; 120 120 + group = "messagebus"; 121 121 + setuid = true; 122 122 + setgid = false; 123 123 + permissions = "u+rx,g+rx,o-rx"; 124 124 + }; 126 125 127 126 services.dbus.packages = [ 128 127 pkgs.dbus.out

+1 -7

nixos/modules/services/x11/desktop-managers/kde4.nix

··· 131 131 ''; 132 132 }; 133 133 134 134 - security.wrappers.setuid = singleton 135 135 - { program = "kcheckpass"; 136 136 - source = "${kde_workspace}/lib/kde4/libexec/kcheckpass"; 137 137 - owner = "root"; 138 138 - group = "root"; 139 139 - setuid = true; 140 140 - }; 134 134 + security.wrappers.kcheckpass.source = "${kde_workspace}/lib/kde4/libexec/kcheckpass"; 141 135 142 136 environment.systemPackages = 143 137 [ pkgs.kde4.kdelibs

+4 -14

nixos/modules/services/x11/desktop-managers/kde5.nix

··· 68 68 ''; 69 69 }; 70 70 71 71 - security.wrappers.setuid = [ 72 72 - { 73 73 - program = "kcheckpass"; 74 74 - source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass"; 75 75 - owner = "root"; 76 76 - setuid = true; 77 77 - } 78 78 - { 79 79 - program = "start_kdeinit"; 80 80 - source = "${kde5.kinit.out}/lib/libexec/kf5/start_kdeinit"; 81 81 - owner = "root"; 82 82 - setuid = true; 83 83 - } 84 84 - ]; 71 71 + security.wrappers = { 72 72 + kcheckpass.source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass"; 73 73 + "start_kdeinit".source = "${kde5.kinit.out}/lib/libexec/kf5/start_kdeinit"; 74 74 + }; 85 75 86 76 environment.systemPackages = 87 77 [

+2 -3

nixos/modules/virtualisation/virtualbox-host.nix

··· 68 68 boot.extraModulePackages = [ kernelModules ]; 69 69 environment.systemPackages = [ virtualbox ]; 70 70 71 71 - security.wrappers.setuid = let 72 72 - mkSuid = program: { 73 73 - inherit program; 71 71 + security.wrappers = let 72 72 + mkSuid = program: "${program}" = { 74 73 source = "${virtualbox}/libexec/virtualbox/${program}"; 75 74 owner = "root"; 76 75 group = "vboxusers";