author | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-12 18:53:48 +0200 |
---|---|---|
committer | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-13 13:48:13 +0200 |
commit | fedd7cd6901646cb7e2a94a148d300f7b632d7e0 (patch) | |
tree | 14b7af8318d75536656849335e20c51cdfdf3447 /nixos/modules/tasks/filesystems | |
parent | 8f76a6eefcfa0c9904e0749f04b27090527ce09f (diff) | |
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you to think about what the wrapper ownership and permissions will be.
Diffstat (limited to 'nixos/modules/tasks/filesystems')
-rw-r--r-- | nixos/modules/tasks/filesystems/ecryptfs.nix | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/nixos/modules/tasks/filesystems/ecryptfs.nix b/nixos/modules/tasks/filesystems/ecryptfs.nix
index 12a407cabbfb..8138e6591610 100644
--- a/nixos/modules/tasks/filesystems/ecryptfs.nix
+++ b/nixos/modules/tasks/filesystems/ecryptfs.nix
@@ -7,8 +7,18 @@ with lib;
 config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) {
 system.fsPackages = [ pkgs.ecryptfs ];
 security.wrappers = {
- "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
- "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
+ "mount.ecryptfs_private" =
+ { setuid = true;
+ owner = "root";
+ group = "root";
+ source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
+ };
+ "umount.ecryptfs_private" =
+ { setuid = true;
+ owner = "root";
+ group = "root";
+ source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
+ };
 }; }; } |
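Review bot: Both new attribute sets under `security.wrappers` grant `setuid = true` with `owner = "root"` but leave `permissions` unset, so who may execute these root-owned helpers still depends on a module default that is not visible in this hunk. Since the commit's stated goal is to make ownership and permissions a conscious choice, I would state the mode explicitly in each set, e.g. `permissions = "u+rx,g+x,o+x";`, or a narrower mode with a dedicated `group` if only some users should be able to mount eCryptfs directories. A short comment above each entry would also help later audits of the setuid set, for example `# setuid root: performs the private mount/unmount on behalf of an unprivileged user`. The enclosing top-level attribute set opens before the first line of the hunk.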