author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-19 12:40:09 +0200 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-19 12:40:09 +0200 |
commit | 9f1c9404da858eb6347493190e40e59c7f81f2c8 (patch) | |
tree | 6c8029f53d64252829f1f2badfa3a43202cf9bc0 /nixos | |
parent | 2a64b0a91b34f37328e4d6138744eef979314d9a (diff) | |
download | nixlib-9f1c9404da858eb6347493190e40e59c7f81f2c8.tar nixlib-9f1c9404da858eb6347493190e40e59c7f81f2c8.tar.gz nixlib-9f1c9404da858eb6347493190e40e59c7f81f2c8.tar.bz2 nixlib-9f1c9404da858eb6347493190e40e59c7f81f2c8.tar.lz nixlib-9f1c9404da858eb6347493190e40e59c7f81f2c8.tar.xz nixlib-9f1c9404da858eb6347493190e40e59c7f81f2c8.tar.zst nixlib-9f1c9404da858eb6347493190e40e59c7f81f2c8.zip |
Put /var/setuid-wrappers on a tmpfs
This allows all other filesystems to be mounted without the suid option.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/setuid-wrappers.nix | 3 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-2-init.sh | 8 |
2 files changed, 8 insertions, 3 deletions
diff --git a/nixos/modules/security/setuid-wrappers.nix b/nixos/modules/security/setuid-wrappers.nix
index 450fed73658b..4cdc1023baab 100644
--- a/nixos/modules/security/setuid-wrappers.nix
+++ b/nixos/modules/security/setuid-wrappers.nix
@@ -117,8 +117,7 @@ in
 # programs to be wrapped.
 SETUID_PATH=${config.system.path}/bin:${config.system.path}/sbin
- if test -d ${wrapperDir}; then rm -f ${wrapperDir}/*; fi # */
- mkdir -p ${wrapperDir}
+ rm -f ${wrapperDir}/* # */
 ${concatMapStrings makeSetuidWrapper setuidPrograms}
 '';
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index 57f85674c5b4..a64c6cdfa191 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -82,7 +82,7 @@ done
 # More special file systems, initialise required directories.
 mkdir -m 0755 /dev/shm
-mount -t tmpfs -o "rw,nosuid,nodev,size=@devShmSize@" tmpfs /dev/shm
+mount -t tmpfs -o "rw,nosuid,nodev,size=@devShmSize@" none /dev/shm
 mkdir -m 0755 -p /dev/pts
 [ -e /proc/bus/usb ] && mount -t usbfs none /proc/bus/usb # UML doesn't have USB by default
 mkdir -m 01777 -p /tmp
@@ -149,6 +149,12 @@ else
 fi
+# Create /var/setuid-wrappers as a tmpfs.
+rm -rf /var/setuid-wrappers
+mkdir -m 0755 -p /var/setuid-wrappers
+mount -t tmpfs -o "mode=0755" none /var/setuid-wrappers
+
+
 # Run the script that performs all configuration activation that does
 # not have to be done at boot time.
 echo "running activation script..." |
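Review bot: The new `rm -f ${wrapperDir}/* # */` line in the setuid-wrappers.nix hunk leaves the activation script with no guarantee that `${wrapperDir}` exists, because the `mkdir -p ${wrapperDir}` that used to follow it is removed and the directory is now expected to be the tmpfs mounted by stage-2-init. On a system whose running stage-2 predates this change (the first `nixos-rebuild switch` after upgrading, before a reboot), or on any boot path where that mount is skipped or fails, the wrapper creation that follows would write into a missing directory. Keeping `mkdir -p ${wrapperDir}` after the `rm -f` is a cheap safety net, and a comment such as `# ${wrapperDir} is expected to be the tmpfs mounted by stage-2-init; it must not live on a nosuid filesystem.` records the new cross-file dependency. The activation script string this hunk edits starts before the hunk.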
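Review bot: The tmpfs mounted on /var/setuid-wrappers at the end of the second stage-2-init.sh hunk uses only `mode=0755`, without the `nodev` option that the `/dev/shm` mount earlier in the same file already carries, and the mount's result is not checked. A directory that exists only to hold root-owned setuid binaries has no need for device nodes, and if the `mount` fails the script continues with a plain directory on the root filesystem, which this commit's description says may now be mounted `nosuid`, so the wrappers would silently stop working at activation time. Suggest `mount -t tmpfs -o "mode=0755,nodev" none /var/setuid-wrappers || echo "warning: failed to mount tmpfs on /var/setuid-wrappers" >&2`. Whether this script runs under `set -e` is not visible from the hunk, so the explicit check is the safer assumption.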