Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/logging/logcheck.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/mail/dovecot.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/mail/exim.nix | 12 | ||||
-rw-r--r-- | nixos/modules/services/mail/mail.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/munin.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/smartd.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/network-filesystems/samba.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/gale.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/prayer.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/smokeping.nix | 20 | ||||
-rw-r--r-- | nixos/modules/services/scheduling/atd.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/scheduling/cron.nix | 18 | ||||
-rw-r--r-- | nixos/modules/services/scheduling/fcron.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/system/dbus.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/enlightenment.nix | 11 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/kde4.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/kde5.nix | 2 |
17 files changed, 26 insertions, 78 deletions
diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix index 86451ec318c9..c933c4964798 100644 --- a/nixos/modules/services/logging/logcheck.nix +++ b/nixos/modules/services/logging/logcheck.nix @@ -29,8 +29,8 @@ let }; cronJob = '' - @reboot logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} - 2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} + @reboot logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} + 2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} ''; writeIgnoreRule = name: {level, regex, ...}: diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 6b37a8a4ea2c..7cea2f75439b 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -13,7 +13,7 @@ let '' base_dir = ${baseDir} protocols = ${concatStringsSep " " cfg.protocols} - sendmail_path = /var/permissions-wrappers/sendmail + sendmail_path = /run/wrappers/sendmail '' (if isNull cfg.sslServerCert then '' diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index 6dfb8fdef119..71414bddd5dc 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -70,7 +70,7 @@ in etc."exim.conf".text = '' exim_user = ${cfg.user} exim_group = ${cfg.group} - exim_path = /var/permissions-wrappers/exim + exim_path = /run/wrappers/exim spool_directory = ${cfg.spoolDir} ${cfg.config} ''; 
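Review bot: The wrapper directory is still a string literal in logcheck.nix's `cronJob` (`PATH=/run/wrappers:$PATH`), so the next relocation of that directory needs the same tree-wide search-and-replace this commit performs. smokeping.nix and dbus.nix in this same commit interpolate `${config.security.wrapperDir}` instead; writing `env PATH=${config.security.wrapperDir}:$PATH` here would tie the job's PATH to the directory the wrappers module actually populates (assuming `config` is in scope in this `let`, which the hunk does not show). The same literal is introduced in dovecot.nix, exim.nix, munin.nix, smartd.nix, samba.nix, prayer.nix, cron.nix and fcron.nix. For privileged helpers such as `sendmail` and `passwd`, a stale literal means the service either fails or silently falls through to an unwrapped binary later on PATH.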
@@ -89,15 +89,7 @@ in gid = config.ids.gids.exim; }; - security.permissionsWrappers.setuid = - [ - { program = "exim"; - source = "${pkgs.exim.out}/bin/exim"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; + security.setuidPrograms = [ "exim" ]; systemd.services.exim = { description = "Exim Mail Daemon"; diff --git a/nixos/modules/services/mail/mail.nix b/nixos/modules/services/mail/mail.nix index e8b16349f1a5..aef02eddbe1c 100644 --- a/nixos/modules/services/mail/mail.nix +++ b/nixos/modules/services/mail/mail.nix @@ -26,7 +26,7 @@ with lib; config = mkIf (config.services.mail.sendmailSetuidWrapper != null) { - security.permissionsWrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ]; + security.wrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ]; }; diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix index a80565fa280b..cd4a5125029f 100644 --- a/nixos/modules/services/monitoring/munin.nix +++ b/nixos/modules/services/monitoring/munin.nix @@ -34,7 +34,7 @@ let cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file) wrapProgram $file \ - --set PATH "/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \ + --set PATH "/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \ --set MUNIN_LIBDIR "${pkgs.munin}/lib" \ --set MUNIN_PLUGSTATE "/var/run/munin" 
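Review bot: `security.setuidPrograms = [ "exim" ];` in exim.nix no longer states which binary becomes setuid root. The removed entry pinned `source = "${pkgs.exim.out}/bin/exim"`, while the name-only form presumably resolves `exim` from the system environment. The hunk does not show `pkgs.exim` being added to `environment.systemPackages`, so confirm the module does that; otherwise the wrapper that `exim_path = /run/wrappers/exim` points at may not be created. Keeping an explicit `source`, as dbus.nix and kde4.nix do through `security.wrappers.setuid`, would make the privileged target auditable from the module alone. The same applies to the `setuidPrograms` lines in smokeping.nix, cron.nix, fcron.nix and enlightenment.nix.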
@@ -183,7 +183,7 @@ in mkdir -p /etc/munin/plugins rm -rf /etc/munin/plugins/* - PATH="/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash + PATH="/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash ''; serviceConfig = { ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/"; diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix index 99fd5c4d3674..af02d73597fe 100644 --- a/nixos/modules/services/monitoring/smartd.nix +++ b/nixos/modules/services/monitoring/smartd.nix @@ -124,7 +124,7 @@ in }; mailer = mkOption { - default = "/var/permissions-wrappers/sendmail"; + default = "/run/wrappers/sendmail"; type = types.path; description = '' Sendmail-compatible binary to be used to send the messages. diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index 884966363b8b..8cc8f21851c4 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -30,7 +30,7 @@ let '' [ global ] security = ${cfg.securityType} - passwd program = /var/permissions-wrappers/passwd %u + passwd program = /run/wrappers/passwd %u pam password change = ${smbToString cfg.syncPasswordsByPam} invalid users = ${smbToString cfg.invalidUsers} diff --git a/nixos/modules/services/networking/gale.nix b/nixos/modules/services/networking/gale.nix index bc9b884f11b4..f4c75c17290f 100644 --- a/nixos/modules/services/networking/gale.nix 
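Review bot: The `munin-node-configure … 2>/dev/null | ${pkgs.bash}/bin/bash` line in munin.nix discards stderr and, unless pipefail is enabled outside the hunk, takes its exit status from bash. If a plugin can no longer find a wrapped binary after the PATH change, the script would still succeed with fewer plugins linked. Consider dropping `2>/dev/null` so that such breakage reaches the service log. The PATH value also lists `/run/current-system/sw/bin` twice, and one entry is enough. The enclosing script starts and ends outside the hunk.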
+++ b/nixos/modules/services/networking/gale.nix @@ -141,7 +141,7 @@ in setgid = false; }; - security.permissionsWrappers.setuid = [ cfg.setuidWrapper ]; + security.wrappers.setuid = [ cfg.setuidWrapper ]; systemd.services.gale-galed = { description = "Gale messaging daemon"; diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix index 67d8cece6115..58e6ad8a683e 100644 --- a/nixos/modules/services/networking/prayer.nix +++ b/nixos/modules/services/networking/prayer.nix @@ -18,7 +18,7 @@ let var_prefix = "${stateDir}" prayer_user = "${prayerUser}" prayer_group = "${prayerGroup}" - sendmail_path = "/var/permissions-wrappers/sendmail" + sendmail_path = "/run/wrappers/sendmail" use_http_port ${cfg.port} diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index 67aa313c8605..b7bb55f55084 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix @@ -219,14 +219,14 @@ in type = types.string; default = '' + FPing - binary = ${config.security.permissionsWrapperDir}/fping + binary = ${config.security.wrapperDir}/fping ''; description = "Probe configuration"; }; sendmail = mkOption { type = types.nullOr types.path; default = null; - example = "/var/permissions-wrappers/sendmail"; + example = "/run/wrappers/sendmail"; description = "Use this sendmail compatible script to deliver alerts"; }; smokeMailTemplate = mkOption { 
@@ -273,21 +273,7 @@ in message = "services.smokeping: sendmail and Mailhost cannot both be enabled."; } ]; - security.permissionsWrappers.setuid = [ - { program = "fping"; - source = "${pkgs.fping}/bin/fping"; - owner = "root"; - group = "root"; - setuid = true; - } - - { program = "fping"; - source = "${pkgs.fping}/bin/fping6"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; + security.setuidPrograms = [ "fping" "fping6" ]; environment.systemPackages = [ pkgs.fping ]; users.extraUsers = singleton { name = cfg.user; diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix index 9c4f8d59faa4..316ab847b343 100644 --- a/nixos/modules/services/scheduling/atd.nix +++ b/nixos/modules/services/scheduling/atd.nix @@ -42,7 +42,7 @@ in config = mkIf cfg.enable { - security.permissionsWrappers.setuid = map (program: { + security.wrappers.setuid = map (program: { inherit program; source = "${pkgs.atd}/bin/${program}"; diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix index e33961658f02..26ce3c98d67c 100644 --- a/nixos/modules/services/scheduling/cron.nix +++ b/nixos/modules/services/scheduling/cron.nix @@ -20,7 +20,7 @@ let cronNixosPkg = pkgs.cron.override { # The mail.nix nixos module, if there is any local mail system enabled, # should have sendmail in this path. - sendmailPath = "/var/permissions-wrappers/sendmail"; + sendmailPath = "/run/wrappers/sendmail"; }; allFiles = @@ -61,7 +61,7 @@ in A list of Cron jobs to be appended to the system-wide crontab. See the manual page for crontab for the expected format. If you want to get the results mailed you must setuid - sendmail. See <option>security.permissionsWrappers.setuid</option> + sendmail. See <option>security.wrappers.setuid</option> If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root will is allowed to have its own crontab file. The /var/cron/cron.deny file 
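Review bot: Both `fping` and `fping6` become setuid root through `security.setuidPrograms = [ "fping" "fping6" ];` in smokeping.nix, although sending ICMP probes only needs raw-socket access. If the wrappers module at this revision offers a capability-based variant, granting only the raw-network capability would leave far less privilege attached to these binaries. The rewrite does fix the removed list's second entry, which reused `program = "fping"` for the `fping6` source. The name-based lookup presumably depends on `environment.systemPackages = [ pkgs.fping ];` on the following line, so a short comment such as `# setuidPrograms resolves these names from systemPackages below` would keep the two from drifting apart.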
@@ -92,21 +92,9 @@ in config = mkMerge [ { services.cron.enable = mkDefault (allFiles != []); } - (mkIf (config.services.cron.enable) { - - security.permissionsWrappers.setuid = - [ - { program = "crontab"; - source = "${pkgs.cronNixosPkg.out}/bin/crontab"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; - + security.setuidPrograms = [ "crontab" ]; environment.systemPackages = [ cronNixosPkg ]; - environment.etc.crontab = { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; } '' diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index 5804f0ee72f7..f0de996224ff 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -96,7 +96,7 @@ in fcronallow = /etc/fcron.allow fcrondeny = /etc/fcron.deny shell = /bin/sh - sendmail = /var/permissions-wrappers/sendmail + sendmail = /run/wrappers/sendmail editor = /run/current-system/sw/bin/vi ''; target = "fcron.conf"; @@ -106,16 +106,7 @@ in environment.systemPackages = [ pkgs.fcron ]; - security.permissionsWrappers.setuid = - [ - { program = "fcrontab"; - source = "${pkgs.fcron.out}/bin/fcrontab"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; - + security.setuidPrograms = [ "fcrontab" ]; systemd.services.fcron = { description = "fcron daemon"; after = [ "local-fs.target" ]; diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix index d15d5551e343..47fc4426af08 100644 --- a/nixos/modules/services/system/dbus.nix +++ b/nixos/modules/services/system/dbus.nix 
@@ -38,7 +38,7 @@ let sed -ri "s@/etc/dbus-1/(system|session)-@$out/\1-@" $out/{system,session}.conf sed '${./dbus-system-local.conf.in}' \ - -e 's,@servicehelper@,${config.security.permissionsWrapperDir}/dbus-daemon-launch-helper,g' \ + -e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \ -e 's,@extra@,${systemExtraxml},' \ > "$out/system-local.conf" @@ -114,7 +114,7 @@ in systemd.packages = [ pkgs.dbus.daemon ]; - security.permissionsWrappers.setuid = singleton + security.wrappers.setuid = singleton { program = "dbus-daemon-launch-helper"; source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper"; owner = "root"; diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix index 9d0ff77c2ae8..feee6ba87ec8 100644 --- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix +++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix @@ -62,16 +62,7 @@ in ''; }]; - security.permissionsWrappers.setuid = - [ - { program = "e_freqset"; - source = "${e.enlightenment.out}/bin/e_freqset"; - owner = "root"; - group = "root"; - setuid = true; - } - ]; - + security.setuidPrograms = [ "e_freqset" ]; environment.etc = singleton { source = "${pkgs.xkeyboard_config}/etc/X11/xkb"; target = "X11/xkb"; diff --git a/nixos/modules/services/x11/desktop-managers/kde4.nix b/nixos/modules/services/x11/desktop-managers/kde4.nix index 31d2ebcdf1a6..d21a1f28dca3 100644 --- a/nixos/modules/services/x11/desktop-managers/kde4.nix +++ b/nixos/modules/services/x11/desktop-managers/kde4.nix @@ -131,7 +131,7 @@ in ''; }; - security.permissionsWrappers.setuid = singleton + security.wrappers.setuid = singleton { program = "kcheckpass"; source = "${kde_workspace}/lib/kde4/libexec/kcheckpass"; owner = "root"; diff --git a/nixos/modules/services/x11/desktop-managers/kde5.nix b/nixos/modules/services/x11/desktop-managers/kde5.nix index f886c60793d9..a4124aaefa9a 100644 
--- a/nixos/modules/services/x11/desktop-managers/kde5.nix +++ b/nixos/modules/services/x11/desktop-managers/kde5.nix @@ -68,7 +68,7 @@ in ''; }; - security.permissionsWrappers.setuid = [ + security.wrappers.setuid = [ { program = "kcheckpass"; source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass"; |