Diffstat (limited to 'nixos/modules/services')
-rw-r--r--nixos/modules/services/logging/logcheck.nix4
-rw-r--r--nixos/modules/services/mail/dovecot.nix2
-rw-r--r--nixos/modules/services/mail/exim.nix12
-rw-r--r--nixos/modules/services/mail/mail.nix2
-rw-r--r--nixos/modules/services/monitoring/munin.nix4
-rw-r--r--nixos/modules/services/monitoring/smartd.nix2
-rw-r--r--nixos/modules/services/network-filesystems/samba.nix2
-rw-r--r--nixos/modules/services/networking/gale.nix2
-rw-r--r--nixos/modules/services/networking/prayer.nix2
-rw-r--r--nixos/modules/services/networking/smokeping.nix20
-rw-r--r--nixos/modules/services/scheduling/atd.nix2
-rw-r--r--nixos/modules/services/scheduling/cron.nix18
-rw-r--r--nixos/modules/services/scheduling/fcron.nix13
-rw-r--r--nixos/modules/services/system/dbus.nix4
-rw-r--r--nixos/modules/services/x11/desktop-managers/enlightenment.nix11
-rw-r--r--nixos/modules/services/x11/desktop-managers/kde4.nix2
-rw-r--r--nixos/modules/services/x11/desktop-managers/kde5.nix2
17 files changed, 26 insertions, 78 deletions
diff --git a/nixos/modules/services/logging/logcheck.nix b/nixos/modules/services/logging/logcheck.nix
index 86451ec318c9..c933c4964798 100644
--- a/nixos/modules/services/logging/logcheck.nix
+++ b/nixos/modules/services/logging/logcheck.nix
@@ -29,8 +29,8 @@ let
     };
 
   cronJob = ''
-    @reboot   logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
-    2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
+    @reboot   logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
+    2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
   '';
 
   writeIgnoreRule = name: {level, regex, ...}:
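Review bot: Both cron lines spell the wrapper directory as the literal `/run/wrappers`, while the smokeping.nix and dbus.nix hunks of this same commit read it from `config.security.wrapperDir`. Interpolating the option here, `env PATH=${config.security.wrapperDir}:$PATH`, would keep the job pointing at the real setuid wrappers if the directory is moved again, instead of silently falling through to whatever else is on PATH. The same literal appears in the dovecot.nix, exim.nix, munin.nix, smartd.nix, samba.nix, prayer.nix, cron.nix and fcron.nix hunks. This assumes `config` is in scope inside the `let` block, which begins outside the hunk.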
diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
index 6b37a8a4ea2c..7cea2f75439b 100644
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@@ -13,7 +13,7 @@ let
     ''
       base_dir = ${baseDir}
       protocols = ${concatStringsSep " " cfg.protocols}
-      sendmail_path = /var/permissions-wrappers/sendmail
+      sendmail_path = /run/wrappers/sendmail
     ''
 
     (if isNull cfg.sslServerCert then ''
diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix
index 6dfb8fdef119..71414bddd5dc 100644
--- a/nixos/modules/services/mail/exim.nix
+++ b/nixos/modules/services/mail/exim.nix
@@ -70,7 +70,7 @@ in
       etc."exim.conf".text = ''
         exim_user = ${cfg.user}
         exim_group = ${cfg.group}
-        exim_path = /var/permissions-wrappers/exim
+        exim_path = /run/wrappers/exim
         spool_directory = ${cfg.spoolDir}
         ${cfg.config}
       '';
@@ -89,15 +89,7 @@ in
       gid = config.ids.gids.exim;
     };
 
-    security.permissionsWrappers.setuid =
-    [
-      { program = "exim";
-        source  = "${pkgs.exim.out}/bin/exim";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;
-      }
-    ];
+    security.setuidPrograms = [ "exim" ];
 
     systemd.services.exim = {
       description = "Exim Mail Daemon";
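Review bot: `security.setuidPrograms = [ "exim" ]` no longer pins which store path receives the setuid-root wrapper, unlike the removed entry with `source = "${pkgs.exim.out}/bin/exim"`. As far as I know that option resolves the name from the system profile, so the wrapper now depends on exim being in `environment.systemPackages` (not visible in this hunk) and on no other installed package providing a binary of the same name. Keeping the explicit form under the new option name, as dbus.nix and kde4.nix do in this commit, avoids both: `security.wrappers.setuid = [ { program = "exim"; source = "${pkgs.exim.out}/bin/exim"; owner = "root"; group = "root"; setuid = true; } ];`. The enlightenment.nix hunk (`e_freqset`) has the same shape. The cron.nix, fcron.nix and smokeping.nix hunks at least show the package being added to `environment.systemPackages`.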
diff --git a/nixos/modules/services/mail/mail.nix b/nixos/modules/services/mail/mail.nix
index e8b16349f1a5..aef02eddbe1c 100644
--- a/nixos/modules/services/mail/mail.nix
+++ b/nixos/modules/services/mail/mail.nix
@@ -26,7 +26,7 @@ with lib;
 
   config = mkIf (config.services.mail.sendmailSetuidWrapper != null) {
 
-    security.permissionsWrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ];
+    security.wrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ];
 
   };
 
diff --git a/nixos/modules/services/monitoring/munin.nix b/nixos/modules/services/monitoring/munin.nix
index a80565fa280b..cd4a5125029f 100644
--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@@ -34,7 +34,7 @@ let
         cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file)
 
         wrapProgram $file \
-          --set PATH "/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
+          --set PATH "/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
           --set MUNIN_LIBDIR "${pkgs.munin}/lib" \
           --set MUNIN_PLUGSTATE "/var/run/munin"
 
@@ -183,7 +183,7 @@ in
 
         mkdir -p /etc/munin/plugins
         rm -rf /etc/munin/plugins/*
-        PATH="/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
+        PATH="/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
       '';
       serviceConfig = {
         ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";
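Review bot: The changed munin-node-configure line still discards stderr with `2>/dev/null` and pipes stdout straight into bash, right after `rm -rf /etc/munin/plugins/*`. If a plugin probe fails because a wrapper is missing under the new path, the plugin directory is left partly or wholly empty and nothing is logged. Dropping the redirection so errors reach the journal would make a broken wrapper path visible. Separately, the PATH value lists `/run/current-system/sw/bin` twice, here and in the `wrapProgram` hunk above; one entry is redundant, and a different directory may have been intended. The surrounding script starts outside the hunk.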
diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix
index 99fd5c4d3674..af02d73597fe 100644
--- a/nixos/modules/services/monitoring/smartd.nix
+++ b/nixos/modules/services/monitoring/smartd.nix
@@ -124,7 +124,7 @@ in
           };
 
           mailer = mkOption {
-            default = "/var/permissions-wrappers/sendmail";
+            default = "/run/wrappers/sendmail";
             type = types.path;
             description = ''
               Sendmail-compatible binary to be used to send the messages.
diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix
index 884966363b8b..8cc8f21851c4 100644
--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@@ -30,7 +30,7 @@ let
     ''
       [ global ]
       security = ${cfg.securityType}
-      passwd program = /var/permissions-wrappers/passwd %u
+      passwd program = /run/wrappers/passwd %u
       pam password change = ${smbToString cfg.syncPasswordsByPam}
       invalid users = ${smbToString cfg.invalidUsers}
 
diff --git a/nixos/modules/services/networking/gale.nix b/nixos/modules/services/networking/gale.nix
index bc9b884f11b4..f4c75c17290f 100644
--- a/nixos/modules/services/networking/gale.nix
+++ b/nixos/modules/services/networking/gale.nix
@@ -141,7 +141,7 @@ in
          setgid = false;
        };
 
-       security.permissionsWrappers.setuid = [ cfg.setuidWrapper ];
+       security.wrappers.setuid = [ cfg.setuidWrapper ];
 
        systemd.services.gale-galed = {
          description = "Gale messaging daemon";
diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix
index 67d8cece6115..58e6ad8a683e 100644
--- a/nixos/modules/services/networking/prayer.nix
+++ b/nixos/modules/services/networking/prayer.nix
@@ -18,7 +18,7 @@ let
     var_prefix = "${stateDir}"
     prayer_user = "${prayerUser}"
     prayer_group = "${prayerGroup}"
-    sendmail_path = "/var/permissions-wrappers/sendmail"
+    sendmail_path = "/run/wrappers/sendmail"
 
     use_http_port ${cfg.port}
 
diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix
index 67aa313c8605..b7bb55f55084 100644
--- a/nixos/modules/services/networking/smokeping.nix
+++ b/nixos/modules/services/networking/smokeping.nix
@@ -219,14 +219,14 @@ in
         type = types.string;
         default = ''
           + FPing
-          binary = ${config.security.permissionsWrapperDir}/fping
+          binary = ${config.security.wrapperDir}/fping
         '';
         description = "Probe configuration";
       };
       sendmail = mkOption {
         type = types.nullOr types.path;
         default = null;
-        example = "/var/permissions-wrappers/sendmail";
+        example = "/run/wrappers/sendmail";
         description = "Use this sendmail compatible script to deliver alerts";
       };
       smokeMailTemplate = mkOption {
@@ -273,21 +273,7 @@ in
         message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";
       }
     ];
-    security.permissionsWrappers.setuid = [
-      { program = "fping";
-        source  = "${pkgs.fping}/bin/fping";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;
-      }
-
-      { program = "fping";
-        source  = "${pkgs.fping}/bin/fping6";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;
-      }
-    ];
+    security.setuidPrograms = [ "fping" "fping6" ];
     environment.systemPackages = [ pkgs.fping ];
     users.extraUsers = singleton {
       name = cfg.user;
diff --git a/nixos/modules/services/scheduling/atd.nix b/nixos/modules/services/scheduling/atd.nix
index 9c4f8d59faa4..316ab847b343 100644
--- a/nixos/modules/services/scheduling/atd.nix
+++ b/nixos/modules/services/scheduling/atd.nix
@@ -42,7 +42,7 @@ in
 
   config = mkIf cfg.enable {
 
-    security.permissionsWrappers.setuid = map (program: {
+    security.wrappers.setuid = map (program: {
       inherit program;
 
       source = "${pkgs.atd}/bin/${program}";
diff --git a/nixos/modules/services/scheduling/cron.nix b/nixos/modules/services/scheduling/cron.nix
index e33961658f02..26ce3c98d67c 100644
--- a/nixos/modules/services/scheduling/cron.nix
+++ b/nixos/modules/services/scheduling/cron.nix
@@ -20,7 +20,7 @@ let
   cronNixosPkg = pkgs.cron.override {
     # The mail.nix nixos module, if there is any local mail system enabled,
     # should have sendmail in this path.
-    sendmailPath = "/var/permissions-wrappers/sendmail";
+    sendmailPath = "/run/wrappers/sendmail";
   };
 
   allFiles =
@@ -61,7 +61,7 @@ in
           A list of Cron jobs to be appended to the system-wide
           crontab.  See the manual page for crontab for the expected
           format. If you want to get the results mailed you must setuid
-          sendmail. See <option>security.permissionsWrappers.setuid</option>
+          sendmail. See <option>security.wrappers.setuid</option>
 
           If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root
           will is allowed to have its own crontab file. The /var/cron/cron.deny file
@@ -92,21 +92,9 @@ in
   config = mkMerge [
 
     { services.cron.enable = mkDefault (allFiles != []); }
-
     (mkIf (config.services.cron.enable) {
-
-      security.permissionsWrappers.setuid =
-      [
-        { program = "crontab";
-          source  = "${pkgs.cronNixosPkg.out}/bin/crontab";
-          owner   = "root";
-          group   = "root";
-          setuid  = true;        
-        }
-      ];
-
+      security.setuidPrograms = [ "crontab" ];
       environment.systemPackages = [ cronNixosPkg ];
-
       environment.etc.crontab =
         { source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }
             ''
diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix
index 5804f0ee72f7..f0de996224ff 100644
--- a/nixos/modules/services/scheduling/fcron.nix
+++ b/nixos/modules/services/scheduling/fcron.nix
@@ -96,7 +96,7 @@ in
             fcronallow  =       /etc/fcron.allow
             fcrondeny   =       /etc/fcron.deny
             shell       =       /bin/sh
-            sendmail    =       /var/permissions-wrappers/sendmail
+            sendmail    =       /run/wrappers/sendmail
             editor      =       /run/current-system/sw/bin/vi
           '';
           target = "fcron.conf";
@@ -106,16 +106,7 @@ in
 
     environment.systemPackages = [ pkgs.fcron ];
 
-    security.permissionsWrappers.setuid =
-    [
-      { program = "fcrontab";
-        source  = "${pkgs.fcron.out}/bin/fcrontab";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;        
-      }
-    ];
-
+    security.setuidPrograms = [ "fcrontab" ];
     systemd.services.fcron = {
       description = "fcron daemon";
       after = [ "local-fs.target" ];
diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix
index d15d5551e343..47fc4426af08 100644
--- a/nixos/modules/services/system/dbus.nix
+++ b/nixos/modules/services/system/dbus.nix
@@ -38,7 +38,7 @@ let
       sed -ri "s@/etc/dbus-1/(system|session)-@$out/\1-@" $out/{system,session}.conf
 
       sed '${./dbus-system-local.conf.in}' \
-        -e 's,@servicehelper@,${config.security.permissionsWrapperDir}/dbus-daemon-launch-helper,g' \
+        -e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \
         -e 's,@extra@,${systemExtraxml},' \
         > "$out/system-local.conf"
 
@@ -114,7 +114,7 @@ in
 
     systemd.packages = [ pkgs.dbus.daemon ];
 
-    security.permissionsWrappers.setuid = singleton
+    security.wrappers.setuid = singleton
       { program = "dbus-daemon-launch-helper";
         source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper";
         owner = "root";
diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
index 9d0ff77c2ae8..feee6ba87ec8 100644
--- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@@ -62,16 +62,7 @@ in
       '';
     }];
 
-    security.permissionsWrappers.setuid =
-    [
-      { program = "e_freqset";
-        source  = "${e.enlightenment.out}/bin/e_freqset";
-        owner   = "root";
-        group   = "root";
-        setuid  = true;        
-      }
-    ];
-
+    security.setuidPrograms = [ "e_freqset" ];
     environment.etc = singleton
       { source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
         target = "X11/xkb";
diff --git a/nixos/modules/services/x11/desktop-managers/kde4.nix b/nixos/modules/services/x11/desktop-managers/kde4.nix
index 31d2ebcdf1a6..d21a1f28dca3 100644
--- a/nixos/modules/services/x11/desktop-managers/kde4.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde4.nix
@@ -131,7 +131,7 @@ in
           '';
       };
 
-    security.permissionsWrappers.setuid = singleton
+    security.wrappers.setuid = singleton
       { program = "kcheckpass";
         source = "${kde_workspace}/lib/kde4/libexec/kcheckpass";
         owner = "root";
diff --git a/nixos/modules/services/x11/desktop-managers/kde5.nix b/nixos/modules/services/x11/desktop-managers/kde5.nix
index f886c60793d9..a4124aaefa9a 100644
--- a/nixos/modules/services/x11/desktop-managers/kde5.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde5.nix
@@ -68,7 +68,7 @@ in
         '';
       };
 
-      security.permissionsWrappers.setuid = [
+      security.wrappers.setuid = [
         {
           program = "kcheckpass";
           source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass";