diff options
| author | Parnell Springmeyer <parnell@digitalmentat.com> | 2017-02-14 08:53:30 -0600 |
|---|---|---|
| committer | Parnell Springmeyer <parnell@digitalmentat.com> | 2017-02-14 08:53:30 -0600 |
| commit | 69794e333a41f3d7d0de44da790c5d356c58e28b (patch) | |
| tree | 1cfb1b2ba96eba054057cbb99030b79f7aed37c3 /nixos/modules | |
| parent | 794b3721bc8bd06169b23ed923ce45905a1baf7b (diff) | |
| download | nixlib-69794e333a41f3d7d0de44da790c5d356c58e28b.tar nixlib-69794e333a41f3d7d0de44da790c5d356c58e28b.tar.gz nixlib-69794e333a41f3d7d0de44da790c5d356c58e28b.tar.bz2 nixlib-69794e333a41f3d7d0de44da790c5d356c58e28b.tar.lz nixlib-69794e333a41f3d7d0de44da790c5d356c58e28b.tar.xz nixlib-69794e333a41f3d7d0de44da790c5d356c58e28b.tar.zst nixlib-69794e333a41f3d7d0de44da790c5d356c58e28b.zip | |
Using para tags for manual formatting
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/security/wrappers/default.nix | 33 |
1 files changed, 17 insertions, 16 deletions
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 6f93403960af..c5b99c0c8015 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -109,26 +109,27 @@ in }; }; description = '' - This option allows the ownership and permissions on the setuid - wrappers for specific programs to be overridden from the - default (setuid root, but not setgid root). + <para>This option allows the ownership and permissions on the + setuid wrappers for specific programs to be overridden from + the default (setuid root, but not setgid root).</para> - Additionally, this option can set capabilities on a wrapper - program that propagates those capabilities down to the - wrapped, real program. + <para>Additionally, this option can set capabilities on a + wrapper program that propagates those capabilities down to the + wrapped, real program.</para> - The <literal>program</literal> attribute is the name of the - program to be wrapped. If no <literal>source</literal> + <para>The <literal>program</literal> attribute is the name of + the program to be wrapped. If no <literal>source</literal> attribute is provided, specifying the absolute path to the program, then the program will be searched for in the path - environment variable. - - NOTE: cap_setpcap, which is required for the wrapper program - to be able to raise caps into the Ambient set is NOT raised to - the Ambient set so that the real program cannot modify its own - capabilities!! This may be too restrictive for cases in which - the real program needs cap_setpcap but it at least leans on - the side security paranoid vs. too relaxed. + environment variable.</para> + + <para>NOTE: cap_setpcap, which is required for the wrapper + program to be able to raise caps into the Ambient set is NOT + raised to the Ambient set so that the real program cannot + modify its own capabilities!! This may be too restrictive for + cases in which the real program needs cap_setpcap but it at + least leans on the side security paranoid vs. too + relaxed.</para> ''; }; |