From 8d977ead386cf29b8b395caca536bfaec9c36efe Mon Sep 17 00:00:00 2001
From: Karn Kallio
Date: Sat, 3 Sep 2016 16:42:09 -0400
Subject: setuid-wrappers : Prepare permissions for running wrappers

The new setuid-wrappers in /run cannot be executed by users due to:

1) the temporary directory does not allow access
2) the /run is mounted nosuid
---
 nixos/modules/security/setuid-wrappers.nix | 1 +
 nixos/modules/tasks/filesystems.nix | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/security/setuid-wrappers.nix b/nixos/modules/security/setuid-wrappers.nix
index e1dca477d70a..dcccd8342866 100644
--- a/nixos/modules/security/setuid-wrappers.nix
+++ b/nixos/modules/security/setuid-wrappers.nix
@@ -117,6 +117,7 @@ in
 mkdir -p /run/setuid-wrapper-dirs
 wrapperDir=$(mktemp --directory --tmpdir=/run/setuid-wrapper-dirs setuid-wrappers.XXXXXXXXXX)
+ chmod a+rx $wrapperDir
 ${concatMapStrings makeSetuidWrapper setuidPrograms}
diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix
index 9ab1baeacb98..a66ece1020f8 100644
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@@ -287,7 +287,7 @@ in
 boot.specialFileSystems = {
 "/proc" = { fsType = "proc"; options = [ "nosuid" "noexec" "nodev" ]; };
 "/sys" = { fsType = "sysfs"; options = [ "nosuid" "noexec" "nodev" ]; };
- "/run" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
+ "/run" = { fsType = "tmpfs"; options = [ "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
 "/dev" = { fsType = "devtmpfs"; options = [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ]; };
 "/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; };
 "/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "gid=${toString config.ids.gids.tty}" ]; };
-- 
cgit 1.4.1
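Review bot: The added `chmod a+rx $wrapperDir` leaves the expansion unquoted; the value comes from `mktemp` with a fixed template under `--tmpdir=/run/setuid-wrapper-dirs`, so it carries no whitespace today, but the idiomatic form is `chmod a+rx "$wrapperDir"` and it stays correct if the template or the tmpdir is ever changed. A one-line comment would also help the next reader see that the mode is opened deliberately and minimally: `mktemp --directory` creates the directory 0700, so `a+rx` yields 0755, traversable by every user while write stays root-only, which is what the wrappers need to be reachable; `# mktemp creates 0700; users need r-x to reach the wrappers, write remains root-only` would record that. The activation script this line belongs to starts and ends outside the hunk, so whether it runs with errexit (and thus whether a failed `mktemp` leaves `wrapperDir` empty for the following `makeSetuidWrapper` lines) cannot be confirmed from here and is worth checking.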
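Review bot: Dropping `nosuid` from the whole `/run` mount is broader than the stated need, which is only the wrapper tree under `/run/setuid-wrapper-dirs`; every other subtree of `/run` loses the defense-in-depth that the neighbouring `/proc`, `/sys`, `/dev` and `/dev/shm` entries in this block keep. A narrower fix is to leave the original `"/run"` line untouched and add a dedicated mount for the wrapper tree, something like `"/run/setuid-wrapper-dirs" = { fsType = "tmpfs"; options = [ "nodev" "mode=755" ]; };` (a constructed example built from the options already used in this block), so `nosuid` stays in force everywhere else on `/run`; whether `boot.specialFileSystems` establishes a nested mount point early enough for the activation script's `mkdir -p` is something to verify before taking that route. If the change stays as is, a comment on the `"/run"` line such as `# no nosuid: the setuid wrappers live under /run/setuid-wrapper-dirs` should record that the option was removed on purpose, so a later cleanup does not re-add it as an apparent omission. The `boot.specialFileSystems` attribute set continues past the end of the hunk.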