authorAlois Wohlschlager <alois1@gmx-topmail.de>2023-09-08 19:21:22 +0200
committerAlois Wohlschlager <alois1@gmx-topmail.de>2023-09-08 19:21:22 +0200
commitbd0cbb43ec48dedd399c72b3bc04f980041ed20b (patch)
tree3565c499ce96e2c4bd1882ab41705b6fa5ab88d2 /nixos
parenta5523118048cf4ff7db3c629277b8192b12cb7b8 (diff)
nixos/plasma5: remove pointless setuid wrappers
The module for Plasma 5 contained two pointless setuid wrappers:
* kscreenlocker_greet was introduced when the kscreenlocker package
  dropped kcheckpass. However, this was actually replaced by making
  proper use of PAM (which finally calls its unix_chkpwd setuid binary).
  kscreenlocker_greet itself was never intended to be setuid.
  Fortunately, this is not exploitable, because QCoreApplication
  immediately aborts if it detects setuid. The wrapper is still
  incorrect and pointless, so remove it.
* start_kdeinit can optionally use setuid root or setcap
  CAP_SYS_RESOURCE to reduce its OOM killer score. However, with systemd
  startup, start_kdeinit does not get used at all. So in this case, the
  setuid wrapper is pointless, and so is removed as well. Ideally, the
  case where systemd startup is not enabled would use a capability
  wrapper instead, but since systemd startup is the default in NixOS and
  kinit is deprecated upstream for KF6, I don't bother any more.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/x11/desktop-managers/plasma5.nix13
1 files changed, 4 insertions, 9 deletions
diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix
index 15a510fd8f96..282a34f6b011 100644
--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -172,24 +172,19 @@ in
     (mkIf (cfg.enable || cfg.mobile.enable || cfg.bigscreen.enable) {
 
       security.wrappers = {
-        kscreenlocker_greet = {
-          setuid = true;
+        kwin_wayland = {
           owner = "root";
           group = "root";
-          source = "${getBin libsForQt5.kscreenlocker}/libexec/kscreenlocker_greet";
+          capabilities = "cap_sys_nice+ep";
+          source = "${getBin plasma5.kwin}/bin/kwin_wayland";
         };
+      } // mkIf (!cfg.runUsingSystemd) {
         start_kdeinit = {
           setuid = true;
           owner = "root";
           group = "root";
           source = "${getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";
         };
-        kwin_wayland = {
-          owner = "root";
-          group = "root";
-          capabilities = "cap_sys_nice+ep";
-          source = "${getBin plasma5.kwin}/bin/kwin_wayland";
-        };
       };
 
       environment.systemPackages =
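Review bot: The `} // mkIf (!cfg.runUsingSystemd) {` join on the new side does not conditionally add `start_kdeinit`: `mkIf` returns a marker attrset (`_type`, `condition`, `content`), and `//` merges those keys in beside `kwin_wayland`, so the module system will most likely treat the whole `security.wrappers` value as one conditional whose content is only `start_kdeinit`. With systemd startup (the default, per the commit message) that would leave no `kwin_wayland` wrapper at all, silently dropping its `cap_sys_nice+ep` capability; without systemd startup only the setuid `start_kdeinit` wrapper would be defined. A plain attrset conditional keeps both cases explicit: `} // optionalAttrs (!cfg.runUsingSystemd) {`, assuming `lib` is in scope here as it is for `mkIf`; `mkMerge [ { … } (mkIf … { … }) ]` would also work. The enclosing `mkIf (cfg.enable || …) {` block continues past the end of the hunk, so this is worth confirming by evaluating `config.security.wrappers` in both modes.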