+3 -1

nixos/modules/programs/bandwhich.nix

··· 22 22 config = mkIf cfg.enable { 23 23 environment.systemPackages = with pkgs; [ bandwhich ]; 24 24 security.wrappers.bandwhich = { 25 25 - source = "${pkgs.bandwhich}/bin/bandwhich"; 25 25 + owner = "root"; 26 26 + group = "root"; 26 27 capabilities = "cap_net_raw,cap_net_admin+ep"; 28 28 + source = "${pkgs.bandwhich}/bin/bandwhich"; 27 29 }; 28 30 }; 29 31 }

+4

nixos/modules/programs/captive-browser.nix

··· 105 105 ); 106 106 107 107 security.wrappers.udhcpc = { 108 108 + owner = "root"; 109 109 + group = "root"; 108 110 capabilities = "cap_net_raw+p"; 109 111 source = "${pkgs.busybox}/bin/udhcpc"; 110 112 }; 111 113 112 114 security.wrappers.captive-browser = { 115 115 + owner = "root"; 116 116 + group = "root"; 113 117 capabilities = "cap_net_raw+p"; 114 118 source = pkgs.writeShellScript "captive-browser" '' 115 119 export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"

+6 -1

nixos/modules/programs/firejail.nix

··· 81 81 }; 82 82 83 83 config = mkIf cfg.enable { 84 84 - security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail"; 84 84 + security.wrappers.firejail = 85 85 + { setuid = true; 86 86 + owner = "root"; 87 87 + group = "root"; 88 88 + source = "${lib.getBin pkgs.firejail}/bin/firejail"; 89 89 + }; 85 90 86 91 environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ]; 87 92 };

+2

nixos/modules/programs/gamemode.nix

··· 56 56 polkit.enable = true; 57 57 wrappers = mkIf cfg.enableRenice { 58 58 gamemoded = { 59 59 + owner = "root"; 60 60 + group = "root"; 59 61 source = "${pkgs.gamemode}/bin/gamemoded"; 60 62 capabilities = "cap_sys_nice+ep"; 61 63 };

+3 -1

nixos/modules/programs/iftop.nix

··· 11 11 config = mkIf cfg.enable { 12 12 environment.systemPackages = [ pkgs.iftop ]; 13 13 security.wrappers.iftop = { 14 14 - source = "${pkgs.iftop}/bin/iftop"; 14 14 + owner = "root"; 15 15 + group = "root"; 15 16 capabilities = "cap_net_raw+p"; 17 17 + source = "${pkgs.iftop}/bin/iftop"; 16 18 }; 17 19 }; 18 20 }

+3 -1

nixos/modules/programs/iotop.nix

··· 10 10 }; 11 11 config = mkIf cfg.enable { 12 12 security.wrappers.iotop = { 13 13 - source = "${pkgs.iotop}/bin/iotop"; 13 13 + owner = "root"; 14 14 + group = "root"; 14 15 capabilities = "cap_net_admin+p"; 16 16 + source = "${pkgs.iotop}/bin/iotop"; 15 17 }; 16 18 }; 17 19 }

+6 -1

nixos/modules/programs/kbdlight.nix

··· 11 11 12 12 config = mkIf cfg.enable { 13 13 environment.systemPackages = [ pkgs.kbdlight ]; 14 14 - security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight"; 14 14 + security.wrappers.kbdlight = 15 15 + { setuid = true; 16 16 + owner = "root"; 17 17 + group = "root"; 18 18 + source = "${pkgs.kbdlight.out}/bin/kbdlight"; 19 19 + }; 15 20 }; 16 21 }

+3 -1

nixos/modules/programs/liboping.nix

··· 13 13 security.wrappers = mkMerge (map ( 14 14 exec: { 15 15 "${exec}" = { 16 16 - source = "${pkgs.liboping}/bin/${exec}"; 16 16 + owner = "root"; 17 17 + group = "root"; 17 18 capabilities = "cap_net_raw+p"; 19 19 + source = "${pkgs.liboping}/bin/${exec}"; 18 20 }; 19 21 } 20 22 ) [ "oping" "noping" ]);

+3 -1

nixos/modules/programs/mtr.nix

··· 31 31 environment.systemPackages = with pkgs; [ cfg.package ]; 32 32 33 33 security.wrappers.mtr-packet = { 34 34 - source = "${cfg.package}/bin/mtr-packet"; 34 34 + owner = "root"; 35 35 + group = "root"; 35 36 capabilities = "cap_net_raw+p"; 37 37 + source = "${cfg.package}/bin/mtr-packet"; 36 38 }; 37 39 }; 38 40 }

+3 -1

nixos/modules/programs/noisetorch.nix

··· 18 18 19 19 config = mkIf cfg.enable { 20 20 security.wrappers.noisetorch = { 21 21 - source = "${cfg.package}/bin/noisetorch"; 21 21 + owner = "root"; 22 22 + group = "root"; 22 23 capabilities = "cap_sys_resource=+ep"; 24 24 + source = "${cfg.package}/bin/noisetorch"; 23 25 }; 24 26 }; 25 27 }

+14 -7

nixos/modules/programs/shadow.nix

··· 43 43 44 44 ''; 45 45 46 46 + mkSetuidRoot = source: 47 47 + { setuid = true; 48 48 + owner = "root"; 49 49 + group = "root"; 50 50 + inherit source; 51 51 + }; 52 52 + 46 53 in 47 54 48 55 { ··· 109 116 }; 110 117 111 118 security.wrappers = { 112 112 - su.source = "${pkgs.shadow.su}/bin/su"; 113 113 - sg.source = "${pkgs.shadow.out}/bin/sg"; 114 114 - newgrp.source = "${pkgs.shadow.out}/bin/newgrp"; 115 115 - newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap"; 116 116 - newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap"; 119 119 + su = mkSetuidRoot "${pkgs.shadow.su}/bin/su"; 120 120 + sg = mkSetuidRoot "${pkgs.shadow.out}/bin/sg"; 121 121 + newgrp = mkSetuidRoot "${pkgs.shadow.out}/bin/newgrp"; 122 122 + newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap"; 123 123 + newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap"; 117 124 } // lib.optionalAttrs config.users.mutableUsers { 118 118 - chsh.source = "${pkgs.shadow.out}/bin/chsh"; 119 119 - passwd.source = "${pkgs.shadow.out}/bin/passwd"; 125 125 + chsh = mkSetuidRoot "${pkgs.shadow.out}/bin/chsh"; 126 126 + passwd = mkSetuidRoot "${pkgs.shadow.out}/bin/passwd"; 120 127 }; 121 128 }; 122 129 }

+6 -1

nixos/modules/programs/singularity.nix

··· 16 16 17 17 config = mkIf cfg.enable { 18 18 environment.systemPackages = [ singularity ]; 19 19 - security.wrappers.singularity-suid.source = "${singularity}/libexec/singularity/bin/starter-suid.orig"; 19 19 + security.wrappers.singularity-suid = 20 20 + { setuid = true; 21 21 + owner = "root"; 22 22 + group = "root"; 23 23 + source = "${singularity}/libexec/singularity/bin/starter-suid.orig"; 24 24 + }; 20 25 systemd.tmpfiles.rules = [ 21 26 "d /var/singularity/mnt/session 0770 root root -" 22 27 "d /var/singularity/mnt/final 0770 root root -"

+6 -1

nixos/modules/programs/slock.nix

··· 21 21 22 22 config = mkIf cfg.enable { 23 23 environment.systemPackages = [ pkgs.slock ]; 24 24 - security.wrappers.slock.source = "${pkgs.slock.out}/bin/slock"; 24 24 + security.wrappers.slock = 25 25 + { setuid = true; 26 26 + owner = "root"; 27 27 + group = "root"; 28 28 + source = "${pkgs.slock.out}/bin/slock"; 29 29 + }; 25 30 }; 26 31 }

+3 -1

nixos/modules/programs/traceroute.nix

··· 19 19 20 20 config = mkIf cfg.enable { 21 21 security.wrappers.traceroute = { 22 22 - source = "${pkgs.traceroute}/bin/traceroute"; 22 22 + owner = "root"; 23 23 + group = "root"; 23 24 capabilities = "cap_net_raw+p"; 25 25 + source = "${pkgs.traceroute}/bin/traceroute"; 24 26 }; 25 27 }; 26 28 }

+6 -1

nixos/modules/programs/udevil.nix

··· 9 9 options.programs.udevil.enable = mkEnableOption "udevil"; 10 10 11 11 config = mkIf cfg.enable { 12 12 - security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil"; 12 12 + security.wrappers.udevil = 13 13 + { setuid = true; 14 14 + owner = "root"; 15 15 + group = "root"; 16 16 + source = "${lib.getBin pkgs.udevil}/bin/udevil"; 17 17 + }; 13 18 }; 14 19 }

+3 -1

nixos/modules/programs/wavemon.nix

··· 21 21 config = mkIf cfg.enable { 22 22 environment.systemPackages = with pkgs; [ wavemon ]; 23 23 security.wrappers.wavemon = { 24 24 - source = "${pkgs.wavemon}/bin/wavemon"; 24 24 + owner = "root"; 25 25 + group = "root"; 25 26 capabilities = "cap_net_admin+ep"; 27 27 + source = "${pkgs.wavemon}/bin/wavemon"; 26 28 }; 27 29 }; 28 30 }

+6 -1

nixos/modules/programs/wshowkeys.nix

··· 17 17 }; 18 18 19 19 config = mkIf cfg.enable { 20 20 - security.wrappers.wshowkeys.source = "${pkgs.wshowkeys}/bin/wshowkeys"; 20 20 + security.wrappers.wshowkeys = 21 21 + { setuid = true; 22 22 + owner = "root"; 23 23 + group = "root"; 24 24 + source = "${pkgs.wshowkeys}/bin/wshowkeys"; 25 25 + }; 21 26 }; 22 27 }

+6 -1

nixos/modules/security/chromium-suid-sandbox.nix

··· 28 28 29 29 config = mkIf cfg.enable { 30 30 environment.systemPackages = [ sandbox ]; 31 31 - security.wrappers.${sandbox.passthru.sandboxExecutableName}.source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; 31 31 + security.wrappers.${sandbox.passthru.sandboxExecutableName} = 32 32 + { setuid = true; 33 33 + owner = "root"; 34 34 + group = "root"; 35 35 + source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; 36 36 + }; 32 37 }; 33 38 }

+6 -3

nixos/modules/security/doas.nix

··· 241 241 } 242 242 ]; 243 243 244 244 - security.wrappers = { 245 245 - doas.source = "${doas}/bin/doas"; 246 246 - }; 244 244 + security.wrappers.doas = 245 245 + { setuid = true; 246 246 + owner = "root"; 247 247 + group = "root"; 248 248 + source = "${doas}/bin/doas"; 249 249 + }; 247 250 248 251 environment.systemPackages = [ 249 252 doas

+6 -1

nixos/modules/security/duosec.nix

··· 186 186 config = mkIf (cfg.ssh.enable || cfg.pam.enable) { 187 187 environment.systemPackages = [ pkgs.duo-unix ]; 188 188 189 189 - security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; 189 189 + security.wrappers.login_duo = 190 190 + { setuid = true; 191 191 + owner = "root"; 192 192 + group = "root"; 193 193 + source = "${pkgs.duo-unix.out}/bin/login_duo"; 194 194 + }; 190 195 191 196 system.activationScripts = { 192 197 login_duo = mkIf cfg.ssh.enable ''

+12 -2

nixos/modules/security/pam_usb.nix

··· 32 32 33 33 # Make sure pmount and pumount are setuid wrapped. 34 34 security.wrappers = { 35 35 - pmount.source = "${pkgs.pmount.out}/bin/pmount"; 36 36 - pumount.source = "${pkgs.pmount.out}/bin/pumount"; 35 35 + pmount = 36 36 + { setuid = true; 37 37 + owner = "root"; 38 38 + group = "root"; 39 39 + source = "${pkgs.pmount.out}/bin/pmount"; 40 40 + }; 41 41 + pumount = 42 42 + { setuid = true; 43 43 + owner = "root"; 44 44 + group = "root"; 45 45 + source = "${pkgs.pmount.out}/bin/pumount"; 46 46 + }; 37 47 }; 38 48 39 49 environment.systemPackages = [ pkgs.pmount ];

+12 -2

nixos/modules/security/polkit.nix

··· 83 83 security.pam.services.polkit-1 = {}; 84 84 85 85 security.wrappers = { 86 86 - pkexec.source = "${pkgs.polkit.bin}/bin/pkexec"; 87 87 - polkit-agent-helper-1.source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; 86 86 + pkexec = 87 87 + { setuid = true; 88 88 + owner = "root"; 89 89 + group = "root"; 90 90 + source = "${pkgs.polkit.bin}/bin/pkexec"; 91 91 + }; 92 92 + polkit-agent-helper-1 = 93 93 + { setuid = true; 94 94 + owner = "root"; 95 95 + group = "root"; 96 96 + source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; 97 97 + }; 88 98 }; 89 99 90 100 systemd.tmpfiles.rules = [

+40 -17

nixos/modules/security/wrappers/default.nix

··· 33 33 }; 34 34 options.owner = lib.mkOption 35 35 { type = lib.types.str; 36 36 - default = "root"; 37 36 description = "The owner of the wrapper program."; 38 37 }; 39 38 options.group = lib.mkOption 40 39 { type = lib.types.str; 41 41 - default = "root"; 42 40 description = "The group of the wrapper program."; 43 41 }; 44 42 options.permissions = lib.mkOption ··· 74 72 }; 75 73 options.setuid = lib.mkOption 76 74 { type = lib.types.bool; 77 77 - default = true; 75 75 + default = false; 78 76 description = "Whether to add the setuid bit the wrapper program."; 79 77 }; 80 78 options.setgid = lib.mkOption ··· 156 154 default = {}; 157 155 example = lib.literalExample 158 156 '' 159 159 - { sendmail.source = "/nix/store/.../bin/sendmail"; 160 160 - ping = { 161 161 - source = "${pkgs.iputils.out}/bin/ping"; 162 162 - owner = "nobody"; 163 163 - group = "nogroup"; 164 164 - capabilities = "cap_net_raw+ep"; 165 165 - }; 157 157 + { 158 158 + # a setuid root program 159 159 + doas = 160 160 + { setuid = true; 161 161 + owner = "root"; 162 162 + group = "root"; 163 163 + source = "''${pkgs.doas}/bin/doas"; 164 164 + }; 165 165 + 166 166 + # a setgid program 167 167 + locate = 168 168 + { setgid = true; 169 169 + owner = "root"; 170 170 + group = "mlocate"; 171 171 + source = "''${pkgs.locate}/bin/locate"; 172 172 + }; 173 173 + 174 174 + # a program with the CAP_NET_RAW capability 175 175 + ping = 176 176 + { owner = "root"; 177 177 + group = "root"; 178 178 + capabilities = "cap_net_raw+ep"; 179 179 + source = "''${pkgs.iputils.out}/bin/ping"; 180 180 + }; 166 181 } 167 182 ''; 168 183 description = '' ··· 198 213 } 199 214 ) wrappers; 200 215 201 201 - security.wrappers = { 202 202 - # These are mount related wrappers that require the +s permission. 203 203 - fusermount.source = "${pkgs.fuse}/bin/fusermount"; 204 204 - fusermount3.source = "${pkgs.fuse3}/bin/fusermount3"; 205 205 - mount.source = "${lib.getBin pkgs.util-linux}/bin/mount"; 206 206 - umount.source = "${lib.getBin pkgs.util-linux}/bin/umount"; 207 207 - }; 216 216 + security.wrappers = 217 217 + let 218 218 + mkSetuidRoot = source: 219 219 + { setuid = true; 220 220 + owner = "root"; 221 221 + group = "root"; 222 222 + inherit source; 223 223 + }; 224 224 + in 225 225 + { # These are mount related wrappers that require the +s permission. 226 226 + fusermount = mkSetuidRoot "${pkgs.fuse}/bin/fusermount"; 227 227 + fusermount3 = mkSetuidRoot "${pkgs.fuse3}/bin/fusermount3"; 228 228 + mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount"; 229 229 + umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount"; 230 230 + }; 208 231 209 232 boot.specialFileSystems.${parentWrapperDir} = { 210 233 fsType = "tmpfs";

+3 -1

nixos/modules/services/desktops/gnome/gnome-keyring.nix

··· 52 52 security.pam.services.login.enableGnomeKeyring = true; 53 53 54 54 security.wrappers.gnome-keyring-daemon = { 55 55 - source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon"; 55 55 + owner = "root"; 56 56 + group = "root"; 56 57 capabilities = "cap_ipc_lock=ep"; 58 58 + source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon"; 57 59 }; 58 60 59 61 };

+6 -1

nixos/modules/services/mail/exim.nix

··· 104 104 gid = config.ids.gids.exim; 105 105 }; 106 106 107 107 - security.wrappers.exim.source = "${cfg.package}/bin/exim"; 107 107 + security.wrappers.exim = 108 108 + { setuid = true; 109 109 + owner = "root"; 110 110 + group = "root"; 111 111 + source = "${cfg.package}/bin/exim"; 112 112 + }; 108 113 109 114 systemd.services.exim = { 110 115 description = "Exim Mail Daemon";

+3 -1

nixos/modules/services/misc/mame.nix

··· 45 45 environment.systemPackages = [ pkgs.mame ]; 46 46 47 47 security.wrappers."${mame}" = { 48 48 - source = "${pkgs.mame}/bin/${mame}"; 48 48 + owner = "root"; 49 49 + group = "root"; 49 50 capabilities = "cap_net_admin,cap_net_raw+eip"; 51 51 + source = "${pkgs.mame}/bin/${mame}"; 50 52 }; 51 53 52 54 systemd.services.mame = {

+6 -1

nixos/modules/services/misc/weechat.nix

··· 52 52 wants = [ "network.target" ]; 53 53 }; 54 54 55 55 - security.wrappers.screen.source = "${pkgs.screen}/bin/screen"; 55 55 + security.wrappers.screen = 56 56 + { setuid = true; 57 57 + owner = "root"; 58 58 + group = "root"; 59 59 + source = "${pkgs.screen}/bin/screen"; 60 60 + }; 56 61 }; 57 62 58 63 meta.doc = ./weechat.xml;

+6 -1

nixos/modules/services/monitoring/incron.nix

··· 71 71 72 72 environment.systemPackages = [ pkgs.incron ]; 73 73 74 74 - security.wrappers.incrontab.source = "${pkgs.incron}/bin/incrontab"; 74 74 + security.wrappers.incrontab = 75 75 + { setuid = true; 76 76 + owner = "root"; 77 77 + group = "root"; 78 78 + source = "${pkgs.incron}/bin/incrontab"; 79 79 + }; 75 80 76 81 # incron won't read symlinks 77 82 environment.etc."incron.d/system" = {

+6 -1

nixos/modules/services/monitoring/zabbix-proxy.nix

··· 262 262 }; 263 263 264 264 security.wrappers = { 265 265 - fping.source = "${pkgs.fping}/bin/fping"; 265 265 + fping = 266 266 + { setuid = true; 267 267 + owner = "root"; 268 268 + group = "root"; 269 269 + source = "${pkgs.fping}/bin/fping"; 270 270 + }; 266 271 }; 267 272 268 273 systemd.services.zabbix-proxy = {

+12 -2

nixos/modules/services/networking/smokeping.nix

··· 278 278 } 279 279 ]; 280 280 security.wrappers = { 281 281 - fping.source = "${pkgs.fping}/bin/fping"; 282 282 - fping6.source = "${pkgs.fping}/bin/fping6"; 281 281 + fping = 282 282 + { setuid = true; 283 283 + owner = "root"; 284 284 + group = "root"; 285 285 + source = "${pkgs.fping}/bin/fping"; 286 286 + }; 287 287 + fping6 = 288 288 + { setuid = true; 289 289 + owner = "root"; 290 290 + group = "root"; 291 291 + source = "${pkgs.fping}/bin/fping6"; 292 292 + }; 283 293 }; 284 294 environment.systemPackages = [ pkgs.fping ]; 285 295 users.users.${cfg.user} = {

+6 -1

nixos/modules/services/scheduling/cron.nix

··· 93 93 94 94 { services.cron.enable = mkDefault (allFiles != []); } 95 95 (mkIf (config.services.cron.enable) { 96 96 - security.wrappers.crontab.source = "${cronNixosPkg}/bin/crontab"; 96 96 + security.wrappers.crontab = 97 97 + { setuid = true; 98 98 + owner = "root"; 99 99 + group = "root"; 100 100 + source = "${cronNixosPkg}/bin/crontab"; 101 101 + }; 97 102 environment.systemPackages = [ cronNixosPkg ]; 98 103 environment.etc.crontab = 99 104 { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }

+1

nixos/modules/services/scheduling/fcron.nix

··· 142 142 source = "${pkgs.fcron}/bin/fcronsighup"; 143 143 owner = "root"; 144 144 group = "fcron"; 145 145 + setuid = true; 145 146 }; 146 147 }; 147 148 systemd.services.fcron = {

+3 -1

nixos/modules/services/video/replay-sorcery.nix

··· 44 44 45 45 security.wrappers = mkIf cfg.enableSysAdminCapability { 46 46 replay-sorcery = { 47 47 - source = "${pkgs.replay-sorcery}/bin/replay-sorcery"; 47 47 + owner = "root"; 48 48 + group = "root"; 48 49 capabilities = "cap_sys_admin+ep"; 50 50 + source = "${pkgs.replay-sorcery}/bin/replay-sorcery"; 49 51 }; 50 52 }; 51 53

+18 -3

nixos/modules/services/x11/desktop-managers/enlightenment.nix

··· 65 65 66 66 # Wrappers for programs installed by enlightenment that should be setuid 67 67 security.wrappers = { 68 68 - enlightenment_ckpasswd.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd"; 69 69 - enlightenment_sys.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys"; 70 70 - enlightenment_system.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system"; 68 68 + enlightenment_ckpasswd = 69 69 + { setuid = true; 70 70 + owner = "root"; 71 71 + group = "root"; 72 72 + source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd"; 73 73 + }; 74 74 + enlightenment_sys = 75 75 + { setuid = true; 76 76 + owner = "root"; 77 77 + group = "root"; 78 78 + source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys"; 79 79 + }; 80 80 + enlightenment_system = 81 81 + { setuid = true; 82 82 + owner = "root"; 83 83 + group = "root"; 84 84 + source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system"; 85 85 + }; 71 86 }; 72 87 73 88 environment.etc."X11/xkb".source = xcfg.xkbDir;

+18 -6

nixos/modules/services/x11/desktop-managers/plasma5.nix

··· 197 197 }; 198 198 199 199 security.wrappers = { 200 200 - kcheckpass.source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass"; 201 201 - start_kdeinit.source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit"; 202 202 - kwin_wayland = { 203 203 - source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland"; 204 204 - capabilities = "cap_sys_nice+ep"; 205 205 - }; 200 200 + kcheckpass = 201 201 + { setuid = true; 202 202 + owner = "root"; 203 203 + group = "root"; 204 204 + source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass"; 205 205 + }; 206 206 + start_kdeinit = 207 207 + { setuid = true; 208 208 + owner = "root"; 209 209 + group = "root"; 210 210 + source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit"; 211 211 + }; 212 212 + kwin_wayland = 213 213 + { owner = "root"; 214 214 + group = "root"; 215 215 + capabilities = "cap_sys_nice+ep"; 216 216 + source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland"; 217 217 + }; 206 218 }; 207 219 208 220 # DDC support

+12 -2

nixos/modules/tasks/filesystems/ecryptfs.nix

··· 7 7 config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) { 8 8 system.fsPackages = [ pkgs.ecryptfs ]; 9 9 security.wrappers = { 10 10 - "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; 11 11 - "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; 10 10 + "mount.ecryptfs_private" = 11 11 + { setuid = true; 12 12 + owner = "root"; 13 13 + group = "root"; 14 14 + source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; 15 15 + }; 16 16 + "umount.ecryptfs_private" = 17 17 + { setuid = true; 18 18 + owner = "root"; 19 19 + group = "root"; 20 20 + source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; 21 21 + }; 12 22 }; 13 23 }; 14 24 }

+7 -2

nixos/modules/tasks/network-interfaces.nix

··· 1133 1133 # kernel because we need the ambient capability 1134 1134 security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then { 1135 1135 ping = { 1136 1136 - source = "${pkgs.iputils.out}/bin/ping"; 1136 1136 + owner = "root"; 1137 1137 + group = "root"; 1137 1138 capabilities = "cap_net_raw+p"; 1139 1139 + source = "${pkgs.iputils.out}/bin/ping"; 1138 1140 }; 1139 1141 } else { 1140 1140 - ping.source = "${pkgs.iputils.out}/bin/ping"; 1142 1142 + setuid = true; 1143 1143 + owner = "root"; 1144 1144 + group = "root"; 1145 1145 + source = "${pkgs.iputils.out}/bin/ping"; 1141 1146 }; 1142 1147 security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter '' 1143 1148 /run/wrappers/bin/ping {

+3

nixos/modules/virtualisation/libvirtd.nix

··· 183 183 }; 184 184 185 185 security.wrappers.qemu-bridge-helper = { 186 186 + setuid = true; 187 187 + owner = "root"; 188 188 + group = "root"; 186 189 source = "/run/${dirName}/nix-helpers/qemu-bridge-helper"; 187 190 }; 188 191

+4 -2

nixos/modules/virtualisation/spice-usb-redirection.nix

··· 14 14 15 15 config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable { 16 16 environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions 17 17 - security.wrappers.spice-client-glib-usb-acl-helper ={ 18 18 - source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper"; 17 17 + security.wrappers.spice-client-glib-usb-acl-helper = { 18 18 + owner = "root"; 19 19 + group = "root"; 19 20 capabilities = "cap_fowner+ep"; 21 21 + source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper"; 20 22 }; 21 23 }; 22 24