authorParnell Springmeyer <parnell@awakenetworks.com>2016-07-15 19:10:48 -0500
committerParnell Springmeyer <parnell@awakenetworks.com>2016-09-01 19:17:43 -0500
commit390ab0b3eff809052d5b9d9b5335413b36898481 (patch)
tree15700959b5c568cff51e2e8abafed931bff7e6dd /nixos
parent81b33eb46645b1bd3ab5029c0ca2012a24902bb0 (diff)
everything?: Updating every package that depended on the old setuidPrograms configuration.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/programs/kbdlight.nix9
-rw-r--r--nixos/modules/programs/light.nix9
-rw-r--r--nixos/modules/programs/shadow.nix49
-rw-r--r--nixos/modules/rename.nix1
-rw-r--r--nixos/modules/security/duosec.nix12
-rw-r--r--nixos/modules/security/pam.nix21
-rw-r--r--nixos/modules/security/pam_usb.nix23
-rw-r--r--nixos/modules/security/permissions-wrappers/default.nix5
-rw-r--r--nixos/modules/security/polkit.nix10
-rw-r--r--nixos/modules/security/sudo.nix17
-rw-r--r--nixos/modules/services/mail/exim.nix10
-rw-r--r--nixos/modules/services/scheduling/cron.nix10
-rw-r--r--nixos/modules/services/scheduling/fcron.nix10
-rw-r--r--nixos/modules/services/x11/desktop-managers/enlightenment.nix10
14 files changed, 169 insertions, 27 deletions
diff --git a/nixos/modules/programs/kbdlight.nix b/nixos/modules/programs/kbdlight.nix
index 0172368e968f..c3ea6b5e9738 100644
--- a/nixos/modules/programs/kbdlight.nix
+++ b/nixos/modules/programs/kbdlight.nix
@@ -11,6 +11,13 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.kbdlight ];
- security.setuidPrograms = [ "kbdlight" ];
+
+ security.permissionsWrappers.setuid =
+ [ { program = "kbdlight";
+ source = "${pkgs.kbdlight.out}/bin/kbdlight";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }];
};
}
diff --git a/nixos/modules/programs/light.nix b/nixos/modules/programs/light.nix
index 09cd1113d9c7..d141eaf66f76 100644
--- a/nixos/modules/programs/light.nix
+++ b/nixos/modules/programs/light.nix
@@ -21,6 +21,13 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.light ];
- security.setuidPrograms = [ "light" ];
+
+ security.permissionsWrappers.setuid =
+ [ { program = "light";
+ source = "${pkgs.light.out}/bin/light";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }];
};
}
diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index 878c9cc0cf09..8ee324eaf63f 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -102,11 +102,48 @@ in
chgpasswd = { rootOK = true; };
};
- security.setuidPrograms = [ "su" "chfn" ]
- ++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x
- ++ lib.optionals config.users.mutableUsers
- [ "passwd" "sg" "newgrp" ];
-
+ security.setuidPrograms =
+ [
+ { program = "su";
+ source = "${pkgs.shadow.su}/bin/su";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+
+ { program = "chfn";
+ source = "${pkgs.shadow.out}/bin/chfn";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ] ++
+ (lib.optionals config.users.mutableUsers
+ map (x: x // { user = "root";
+ group = "root";
+ setuid = true;
+ })
+ [
+ { program = "passwd";
+ source = "${pkgs.shadow.out}/bin/passwd";
+ }
+
+ { program = "sg";
+ source = "${pkgs.shadow.out}/bin/sg";
+ }
+
+ { program = "newgrp";
+ source = "${pkgs.shadow.out}/bin/newgrp";
+ }
+
+ { program = "newuidmap";
+ source = "${pkgs.shadow.out}/bin/newuidmap";
+ }
+
+ { program = "newgidmap";
+ source = "${pkgs.shadow.out}/bin/newgidmap";
+ }
+ ]
+ );
};
-
}
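Review bot: The shadow module is the only file in this commit still assigning the old `security.setuidPrograms` option (line with `security.setuidPrograms =`) while every other module moves to `security.permissionsWrappers.setuid`, and the `permissions-wrappers/default.nix` hunk removes the only visible consumer of `config.security.setuidPrograms`, so these wrappers would silently stop being generated. The expression after `++` is also malformed: `lib.optionals config.users.mutableUsers map (x: ...) [ ... ]` applies `optionals` to `map` as its list argument and then applies the result to two more arguments; `map (...) [...]` needs to be parenthesised as the second argument of `optionals`. Finally, `newuidmap` and `newgidmap` were unconditional in the removed lines but are now inside the `mutableUsers` conditional, which drops user-namespace mapping on immutable-user systems unless that is intended. A restructuring that keeps the old behaviour is sketched below; the `chfn` entry is unchanged.
```nix
security.permissionsWrappers.setuid =
  [
    { program = "su";
      source = "${pkgs.shadow.su}/bin/su";
      user = "root";
      group = "root";
      setuid = true;
    }
    # … unchanged: chfn entry …
  ] ++
  map (x: x // { user = "root"; group = "root"; setuid = true; })
    ([ { program = "newuidmap"; source = "${pkgs.shadow.out}/bin/newuidmap"; }
       { program = "newgidmap"; source = "${pkgs.shadow.out}/bin/newgidmap"; }
     ] ++ lib.optionals config.users.mutableUsers
     [ { program = "passwd"; source = "${pkgs.shadow.out}/bin/passwd"; }
       { program = "sg";     source = "${pkgs.shadow.out}/bin/sg"; }
       { program = "newgrp"; source = "${pkgs.shadow.out}/bin/newgrp"; }
     ]);
```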
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 412cccc20d58..e4584146d6f0 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -10,7 +10,6 @@ with lib;
(mkRenamedOptionModule [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ])
(mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ])
- (mkRenamedOptionModule [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ])
(mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ])
(mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ])
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
index 0e3a54325cad..202218c915c9 100644
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -193,7 +193,17 @@ in
];
environment.systemPackages = [ pkgs.duo-unix ];
- security.setuidPrograms = [ "login_duo" ];
+
+ security.permissionsWrappers.setuid =
+ [
+ { program = "login_duo";
+ source = "${pkgs.duo-unix.out}/bin/login_duo";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ];
+
environment.etc = loginCfgFile ++ pamCfgFile;
/* If PAM *and* SSH are enabled, then don't do anything special.
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 77815cd6dcc1..4c6b54f02745 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -442,8 +442,25 @@ in
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
- security.setuidPrograms =
- optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
+ security.permissionsWrappers.setuid =
+ [
+ (optionals config.security.pam.enableEcryptfs
+ { program = "mount.ecryptfs_private"
+ source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
+ user = "root";
+ group = "root";
+ setuid = true;
+ })
+
+ (optionals config.security.pam.enableEcryptfs
+ { program = "umount.ecryptfs_private";
+ source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
+ user = "root";
+ group = "root";
+ setuid = true;
+ })
+ ]
+
environment.etc =
mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
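Review bot: `optionals` is applied to a bare attribute set here (`optionals config.security.pam.enableEcryptfs { program = ... }`), but its second argument must be a list; when the flag is false each element becomes `[]`, so the wrapper list ends up as `[ [] [] ]` rather than empty, and when it is true the attrset is returned as-is only by accident. There are also two syntax errors in the hunk: `program = "mount.ecryptfs_private"` is missing its `;`, and the closing `]` of the list is missing the `;` that terminates the `security.permissionsWrappers.setuid` binding before `environment.etc`. A single `optionals` over a list of both entries fixes all three.
```nix
security.permissionsWrappers.setuid =
  optionals config.security.pam.enableEcryptfs
    [
      { program = "mount.ecryptfs_private";
        source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
        user = "root";
        group = "root";
        setuid = true;
      }
      { program = "umount.ecryptfs_private";
        source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
        user = "root";
        group = "root";
        setuid = true;
      }
    ];
```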
diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix
index 11708a1f0167..699cf6306e1d 100644
--- a/nixos/modules/security/pam_usb.nix
+++ b/nixos/modules/security/pam_usb.nix
@@ -32,10 +32,25 @@ in
config = mkIf (cfg.enable || anyUsbAuth) {
- # pmount need to have a set-uid bit to make pam_usb works in user
- # environment. (like su, sudo)
-
- security.setuidPrograms = [ "pmount" "pumount" ];
+ # Make sure pmount and pumount are setuid wrapped.
+ security.permissionsWrappers.setuid =
+ [
+ { program = "pmount";
+ source = "${pkgs.pmount.out}/bin/pmount";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+
+ { program = "pumount";
+ source = "${pkgs.pmount.out}/bin/pumount";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ];
+
+setuidPrograms = [ "pmount" "pumount" ];
environment.systemPackages = [ pkgs.pmount ];
};
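Review bot: The line `setuidPrograms = [ "pmount" "pumount" ];` just before `environment.systemPackages` looks like a leftover from editing the removed `security.setuidPrograms` line: it sits at column 0 and would define an undeclared `setuidPrograms` attribute directly in the module's `config`, which the module system rejects. It should simply be deleted, since the two `security.permissionsWrappers.setuid` entries above already cover pmount and pumount.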
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix
index a4491946df5d..5d4634daf78b 100644
--- a/nixos/modules/security/permissions-wrappers/default.nix
+++ b/nixos/modules/security/permissions-wrappers/default.nix
@@ -43,11 +43,6 @@ let
'';
###### Activation script for the setuid wrappers
- setuidPrograms =
- (map (x: { program = x; owner = "root"; group = "root"; setuid = true; })
- config.security.setuidPrograms)
- ++ config.security.setuidOwners;
-
makeSetuidWrapper =
{ program
, source ? null
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index 507f81bbf073..db078667acf0 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -83,7 +83,15 @@ in
security.pam.services.polkit-1 = {};
- security.setuidPrograms = [ "pkexec" ];
+ security.permissionsWrappers.setuid =
+ [
+ { program = "pkexec";
+ source = "${pkgs.polkit.out}/bin/pkexec";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ];
security.setuidOwners = [
{ program = "polkit-agent-helper-1";
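Review bot: The `security.setuidOwners` assignment for `polkit-agent-helper-1` that follows the new `permissionsWrappers.setuid` block is left on the old API, while the `permissions-wrappers/default.nix` hunk in this same commit removes the only visible consumer of `config.security.setuidOwners`; unless something outside these hunks still reads it, that helper will silently lose its setuid wrapper. It would be safer to migrate it to a `security.permissionsWrappers.setuid` entry alongside `pkexec` in this commit, e.g. `{ program = "polkit-agent-helper-1"; source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; user = "root"; group = "root"; setuid = true; }`, confirming the path against the package. The `setuidOwners` entry continues past the end of this hunk.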
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index bced2a6ed757..06dde14cd1c1 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -81,7 +81,22 @@ in
${cfg.extraConfig}
'';
- security.setuidPrograms = [ "sudo" "sudoedit" ];
+ security.permissionsWrappers.setuid =
+ [
+ { program = "sudo";
+ source = "${pkgs.sudo.out}/bin/sudo";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+
+ { program = "sudoedit"
+ source = "${pkgs.sudo.out}/bin/sudo";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ];
environment.systemPackages = [ sudo ];
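Review bot: `program = "sudoedit"` is missing its trailing `;`, so this hunk does not evaluate; it should read `{ program = "sudoedit";`. Note also that the `sudoedit` wrapper points at `${pkgs.sudo.out}/bin/sudo` rather than a `sudoedit` binary; if the wrapper executes its source with the wrapper's own argv[0] this preserves sudoedit's behaviour, but if it passes the source path as argv[0] the wrapper becomes a second plain `sudo`, so it is worth confirming against the wrapper implementation.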
diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix
index e0890d96a88b..aad497cbc719 100644
--- a/nixos/modules/services/mail/exim.nix
+++ b/nixos/modules/services/mail/exim.nix
@@ -89,7 +89,15 @@ in
gid = config.ids.gids.exim;
};
- security.setuidPrograms = [ "exim" ];
+ security.permissionsWrappers.setuid =
+ [
+ { program = "exim";
+ source = "${pkgs.exim.out}/bin/exim";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ]
systemd.services.exim = {
description = "Exim Mail Daemon";
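Review bot: The closing `]` of the `security.permissionsWrappers.setuid` list is missing the `;` that ends the binding, so the following `systemd.services.exim = {` is parsed as a continuation and the module fails to evaluate; it should be `];`. The `systemd.services.exim` definition continues outside the hunk.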
diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix
index f5e132fd77d8..541fbb7ee644 100644
--- a/nixos/modules/services/scheduling/cron.nix
+++ b/nixos/modules/services/scheduling/cron.nix
@@ -95,7 +95,15 @@ in
(mkIf (config.services.cron.enable) {
- security.setuidPrograms = [ "crontab" ];
+ security.permissionsWrappers.setuid =
+ [
+ { program = "crontab";
+ source = "${pkgs.cronNixosPkg.out}/bin/crontab";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ];
environment.systemPackages = [ cronNixosPkg ];
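Review bot: The new entry's `source` uses `pkgs.cronNixosPkg.out`, but the very next line references `cronNixosPkg` unqualified, which suggests it is a `let`-bound local of this module rather than an attribute of `pkgs`; if so, `pkgs.cronNixosPkg` is an undefined attribute and evaluation fails. The source should probably be `source = "${cronNixosPkg.out}/bin/crontab";`, matching the binding used on the following line.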
diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix
index 7b4665a82046..6e8465ab08f4 100644
--- a/nixos/modules/services/scheduling/fcron.nix
+++ b/nixos/modules/services/scheduling/fcron.nix
@@ -106,7 +106,15 @@ in
environment.systemPackages = [ pkgs.fcron ];
- security.setuidPrograms = [ "fcrontab" ];
+ security.permissionsWrappers.setuid =
+ [
+ { program = "fcrontab";
+ source = "${pkgs.fcron.out}/bin/fcrontab";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ];
systemd.services.fcron = {
description = "fcron daemon";
diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
index 8a03dd65b335..b55950c6373b 100644
--- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@@ -62,7 +62,15 @@ in
'';
}];
- security.setuidPrograms = [ "e_freqset" ];
+ security.permissionsWrappers.setuid =
+ [
+ { program = "e_freqset";
+ source = "${e.enlightenment.out}/bin/e_freqset";
+ user = "root";
+ group = "root";
+ setuid = true;
+ }
+ ];
environment.etc = singleton
{ source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
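Review bot: The `source` here interpolates `e.enlightenment.out` whereas every other module in this commit uses `pkgs.<name>.out`; if `e` is a local binding for the enlightenment package set this is fine, otherwise it is an unbound name. Worth confirming the binding exists earlier in this file (outside the hunk) or switching to the `pkgs.`-qualified form for consistency. The `environment.etc` entry continues past the end of this hunk.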