Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/apparmor-suid.nix | 4 | ||||
-rw-r--r-- | nixos/modules/security/duosec.nix | 2 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 45 | ||||
-rw-r--r-- | nixos/modules/security/pam_usb.nix | 5 | ||||
-rw-r--r-- | nixos/modules/security/permissions-wrappers/default.nix | 48 | ||||
-rw-r--r-- | nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix | 6 | ||||
-rw-r--r-- | nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix | 6 | ||||
-rw-r--r-- | nixos/modules/security/polkit.nix | 18 | ||||
-rw-r--r-- | nixos/modules/security/sudo.nix | 8 |
9 files changed, 73 insertions, 69 deletions
diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix
index 4a6d61d26766..799f27b6708f 100644
--- a/nixos/modules/security/apparmor-suid.nix
+++ b/nixos/modules/security/apparmor-suid.nix
@@ -19,7 +19,7 @@ with lib;
 config = mkIf (cfg.confineSUIDApplications) {
 security.apparmor.profiles = [ (pkgs.writeText "ping" ''
 #include <tunables/global>
- /var/setuid-wrappers/ping {
+ /var/permissions-wrappers/ping {
 #include <abstractions/base>
 #include <abstractions/consoles>
 #include <abstractions/nameservice>
@@ -33,7 +33,7 @@ with lib;
 ${pkgs.attr.out}/lib/libattr.so* mr,
 ${pkgs.iputils}/bin/ping mixr,
- /var/setuid-wrappers/ping.real r,
+ /var/permissions-wrappers/ping.real r,
 #/etc/modules.conf r,
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
index 202218c915c9..b5e1417fc897 100644
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -198,7 +198,7 @@ in
 [ { program = "login_duo";
 source = "${pkgs.duo-unix.out}/bin/login_duo";
- user = "root";
+ owner = "root";
 group = "root";
 setuid = true;
 }
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 4c6b54f02745..1c5e6862da68 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
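Review bot: The changed profile line hard-codes `/var/permissions-wrappers/ping`, while this same commit declares that directory as the `security.permissionsWrapperDir` option (default `/var/permissions-wrappers`) in permissions-wrappers/default.nix; if the option's value ever diverges from the literal, the AppArmor profile silently stops attaching to the ping wrapper and the confinement this module exists to provide is lost without any evaluation error. The module already evaluates with `cfg` derived from `config`, so the profile can interpolate the option instead: `${config.security.permissionsWrapperDir}/ping {`, and likewise `${config.security.permissionsWrapperDir}/ping.real r,` in the second hunk (`@@ -33,7 +33,7 @@`). The profile text is opened by `(pkgs.writeText "ping" ''` on a context line of this hunk and closes outside it, so the interpolation is an ordinary `''`-string splice.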
@@ -444,34 +444,35 @@ in
 security.permissionsWrappers.setuid = [
- (optionals config.security.pam.enableEcryptfs
- { program = "mount.ecryptfs_private" source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
- user = "root";
- group = "root";
- setuid = true;
- })
+ { program = "unix_chkpwd";
+ source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
+ owner = "root";
+ group = "root";
+ setuid = true;
+ }
+
+
- (optionals config.security.pam.enableEcryptfs
- { program = "umount.ecryptfs_private";
- source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
- user = "root";
- group = "root";
- setuid = true;
- })
- ]
+ ] ++ (optional config.security.pam.enableEcryptfs
+ { program = "umount.ecryptfs_private";
+ source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
+ owner = "root";
+ group = "root";
+ setuid = true;
+ }
+ ) ++ (optional config.security.pam.enableEcryptfs
+ { program = "mount.ecryptfs_private";
+ source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
+ owner = "root";
+ group = "root";
+ setuid = true;
+ }
+ );
 environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
- security.setuidOwners = [ {
- program = "unix_chkpwd";
- source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
- owner = "root";
- setuid = true;
- } ];
-
 security.pam.services = {
 other.text = ''
diff --git a/nixos/modules/security/pam_usb.nix b/nixos/modules/security/pam_usb.nix
index 699cf6306e1d..53a7921a2440 100644
--- a/nixos/modules/security/pam_usb.nix
+++ b/nixos/modules/security/pam_usb.nix
@@ -37,20 +37,19 @@ in
 [ { program = "pmount";
 source = "${pkgs.pmount.out}/bin/pmount";
- user = "root";
+ owner = "root";
 group = "root";
 setuid = true;
 }
 { program = "pumount";
 source = "${pkgs.pmount.out}/bin/pumount";
- user = "root";
+ owner = "root";
 group = "root";
 setuid = true;
 }
 ];
-setuidPrograms = [ "pmount" "pumount" ];
 environment.systemPackages = [ pkgs.pmount ]; };
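Review bot: The new `security.permissionsWrappers.setuid` list appends two separate `(optional config.security.pam.enableEcryptfs …)` blocks guarded by the same condition, and leaves two added blank lines between `}` and `] ++`; a single `optionals` over a two-element list keeps the condition in one place and drops the extra parentheses: `] ++ optionals config.security.pam.enableEcryptfs [ { program = "umount.ecryptfs_private"; … } { program = "mount.ecryptfs_private"; … } ];`. Either way the setuid list is built from a base list plus conditional entries, which is worth a one-line comment above `security.permissionsWrappers.setuid = [` such as `# unconditional wrappers first; ecryptfs helpers only when security.pam.enableEcryptfs is set`, since the removed code shows how easily the list/attrset shape here gets wrong.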
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix
index 5d4634daf78b..6b0570faa402 100644
--- a/nixos/modules/security/permissions-wrappers/default.nix
+++ b/nixos/modules/security/permissions-wrappers/default.nix
@@ -3,10 +3,17 @@ let
 inherit (config.security) permissionsWrapperDir;
+ isNotNull = v: if v != null then true else false;
+
 cfg = config.security.permissionsWrappers;
- setcapWrappers = import ./setcap-wrapper-drv.nix { };
- setuidWrappers = import ./setuid-wrapper-drv.nix { };
+ setcapWrappers = import ./setcap-wrapper-drv.nix {
+ inherit config lib pkgs;
+ };
+
+ setuidWrappers = import ./setuid-wrapper-drv.nix {
+ inherit config lib pkgs;
+ };
 ###### Activation script for the setcap wrappers
 configureSetcapWrapper =
@@ -16,8 +23,7 @@ let
 , owner ? "nobody"
 , group ? "nogroup"
 , setcap ? false
- }:
- ''
+ }: ''
 cp ${setcapWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program}
 # Prevent races
@@ -43,22 +49,22 @@ let
 '';
 ###### Activation script for the setuid wrappers
- makeSetuidWrapper =
+ configureSetuidWrapper =
 { program
 , source ? null
 , owner ? "nobody"
+ # Legacy code I can't find :(
+ , user ? null
 , group ? "nogroup"
 , setuid ? false
 , setgid ? false
 , permissions ? "u+rx,g+x,o+x"
- }:
-
- ''
+ }: ''
 cp ${setuidWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program}
 # Prevent races
 chmod 0000 ${permissionsWrapperDir}/${program}
- chown ${owner}.${group} ${permissionsWrapperDir}/${program}
+ chown ${if user != null then user else owner}.${group} ${permissionsWrapperDir}/${program}
 chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program}
 '';
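Review bot: `isNotNull = v: if v != null then true else false;` spells out a boolean that the comparison already yields; `isNotNull = v: v != null;` is the idiomatic form. The helper feeds the two `builtins.filter isNotNull` calls this commit adds to the activation scripts (hunks `@@ -168,12 +174,12 @@` and `@@ -189,7 +195,7 @@`), yet nothing visible in the module shows where a `null` element in `cfg.setcap` or `cfg.setuid` would come from, so a short comment on the definition naming the producer of those nulls would save the next reader the search. If nulls are not actually expected, filtering them silently hides a misconfigured wrapper entry, and an assertion would be the stricter choice.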
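Review bot: The rewritten `chown` line keeps the `owner.group` spelling, which GNU chown only accepts as a compatibility fallback for the colon form and which becomes ambiguous once an account name itself contains a dot, so I'd make it `chown ${if user != null then user else owner}:${group} ${permissionsWrapperDir}/${program}`. The new `user ? null` parameter also silently takes precedence over an explicitly set `owner` when a caller passes both, and its only documentation is `# Legacy code I can't find :(`; a comment such as `# Deprecated alias for owner, kept for callers that still pass user; it wins over owner when both are given` would make that precedence visible. Every line of this script additionally splices `${program}` and `${permissionsWrapperDir}` into the shell unquoted; they come from module options rather than untrusted input, but wrapping them in `lib.escapeShellArg` (if this nixpkgs revision has it) would keep the activation script correct for unexpected characters at no cost.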
@@ -68,12 +74,12 @@ in
 ###### interface
 options = {
- security.permissionsWrappers.setcap = mkOption {
- type = types.listOf types.attrs;
+ security.permissionsWrappers.setcap = lib.mkOption {
+ type = lib.types.listOf lib.types.attrs;
 default = [];
 example = [ { program = "ping";
- source = "${pkgs.iputils.out}/bin/ping"
+ source = "${pkgs.iputils.out}/bin/ping";
 owner = "nobody";
 group = "nogroup";
 setcap = true;
@@ -106,12 +112,12 @@ in
 '';
 };
- security.permissionsWrappers.setuid = mkOption {
- type = types.listOf types.attrs;
+ security.permissionsWrappers.setuid = lib.mkOption {
+ type = lib.types.listOf lib.types.attrs;
 default = [];
 example = [ { program = "sendmail";
- source = "${pkgs.sendmail.bin}/bin/sendmail";
+ source = "/nix/store/.../bin/sendmail";
 owner = "nobody";
 group = "postdrop";
 setuid = false;
@@ -126,8 +132,8 @@ in
 '';
 };
- security.permissionsWrapperDir = mkOption {
- type = types.path;
+ security.permissionsWrapperDir = lib.mkOption {
+ type = lib.types.path;
 default = "/var/permissions-wrappers";
 internal = true;
 description = ''
@@ -152,7 +158,7 @@ in
 ###### setcap activation script
 system.activationScripts.setcap =
- stringAfter [ "users" ]
+ lib.stringAfter [ "users" ]
 ''
 # Look in the system path and in the default profile for
 # programs to be wrapped.
@@ -168,12 +174,12 @@ in
 # Concatenate the generated shell slices to configure
 # wrappers for each program needing specialized capabilities.
- ${concatMapStrings configureSetcapWrapper cfg.setcap}
+ ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)}
 '';
 ###### setuid activation script
 system.activationScripts.setuid =
- stringAfter [ "users" ]
+ lib.stringAfter [ "users" ]
 ''
 # Look in the system path and in the default profile for
 # programs to be wrapped.
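Review bot: Both option declarations keep `lib.types.listOf lib.types.attrs`, which accepts any attribute names unchecked, so a misspelled or stale key such as the `user` this commit has to special-case in configureSetuidWrapper is silently accepted and, before that alias existed, left the wrapper chowned to the `nobody` default instead of failing evaluation. A `types.submodule` with the fields the wrapper functions actually read (and the same defaults as their parameter lists) rejects unknown keys and documents the schema in the generated manual; the setcap variant is sketched below, and `security.permissionsWrappers.setuid` in the `@@ -106,12 +112,12 @@` hunk would get the analogous `setuid`, `setgid` and `permissions` fields. The start of configureSetcapWrapper's parameter list is outside its hunk, so any field it reads beyond `owner`, `group` and `setcap` has to be added from the definition; `program` and `source` below are taken from the setuid variant.

```nix
security.permissionsWrappers.setcap = lib.mkOption {
  type = lib.types.listOf (lib.types.submodule {
    options = {
      program = lib.mkOption { type = lib.types.str; };
      source = lib.mkOption { type = lib.types.nullOr lib.types.str; default = null; };
      owner = lib.mkOption { type = lib.types.str; default = "nobody"; };
      group = lib.mkOption { type = lib.types.str; default = "nogroup"; };
      setcap = lib.mkOption { type = lib.types.bool; default = false; };
    };
  });
  # … unchanged: default, example, description …
```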
@@ -189,7 +195,7 @@ in
 # Concatenate the generated shell slices to configure
 # wrappers for each program needing specialized capabilities.
- ${concatMapStrings configureSetuidWrapper cfg.setuid}
+ ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)}
 '';
 };
diff --git a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix
index f64c683f6e84..adae9009fbe2 100644
--- a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix
+++ b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix
@@ -13,7 +13,7 @@ let
 source=/nix/var/nix/profiles/default/bin/${program}
 fi
- gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.permissionsWrapperDir}\" \
+ gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
 -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper
 '';
 in
@@ -32,6 +32,6 @@ pkgs.stdenv.mkDerivation {
 # Concat together all of our shell splices to compile
 # binary wrapper programs for all configured setcap programs.
- ${concatMapStrings mkSetcapWrapper cfg.setcap}
+ ${lib.concatMapStrings mkSetcapWrapper cfg.setcap}
 '';
-};
+}
diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
index 15dc1918b5c5..e244364aa45b 100644
--- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
+++ b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
@@ -13,7 +13,7 @@ let
 source=/nix/var/nix/profiles/default/bin/${program}
 fi
- gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.permissionsWrapperDir}\" \
+ gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
 -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper
 '';
 in
@@ -31,6 +31,6 @@ pkgs.stdenv.mkDerivation {
 # Concat together all of our shell splices to compile
 # binary wrapper programs for all configured setcap programs.
- ${concatMapStrings mkSetuidWrapper cfg.setuid}
+ ${lib.concatMapStrings mkSetuidWrapper cfg.setuid}
 '';
-};
+}
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index db078667acf0..098319d5ded3 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -87,20 +87,18 @@ in
 [ { program = "pkexec";
 source = "${pkgs.polkit.out}/bin/pkexec";
- user = "root";
+ owner = "root";
 group = "root";
 setuid = true;
 }
- ];
- security.setuidOwners = [
- { program = "polkit-agent-helper-1";
- owner = "root";
- group = "root";
- setuid = true;
- source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
- }
- ];
+ { program = "polkit-agent-helper-1";
+ owner = "root";
+ group = "root";
+ setuid = true;
+ source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
+ }
+ ];
 system.activationScripts.polkit = ''
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 06dde14cd1c1..8a8f1525df40 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -85,14 +85,14 @@ in
 [ { program = "sudo";
 source = "${pkgs.sudo.out}/bin/sudo";
- user = "root";
+ owner = "root";
 group = "root";
 setuid = true;
 }
- { program = "sudoedit" source = "${pkgs.sudo.out}/bin/sudo";
- user = "root";
+ { program = "sudoedit";
+ source = "${pkgs.sudo.out}/bin/sudoedit";
+ owner = "root";
 group = "root";
 setuid = true;
 } |
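Review bot: The comment directly above the changed `${lib.concatMapStrings mkSetuidWrapper cfg.setuid}` line still reads `# binary wrapper programs for all configured setcap programs.` although this derivation iterates `cfg.setuid` and builds the setuid wrappers; it was evidently carried over from setcap-wrapper-drv.nix, and the hunk edits the line beneath it without correcting it. I'd change it to `# binary wrapper programs for all configured setuid programs.` so the two derivations are distinguishable at a glance.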