{ config, lib, pkgs, ... }:
with lib;
let
# Directory the wrappers are installed into; defined as an (internal)
# option below so that other modules can refer to the same path.
inherit (config.security) wrapperDir;

# Builds the small C launcher that each wrapper in wrapperDir is a copy of.
# The directory is handed to the compiler as the WRAPPER_DIR define, so the
# compiled binary is tied to that one path (see setuid-wrapper.c).
setuidWrapper = pkgs.stdenv.mkDerivation {
  name = "setuid-wrapper";
  # No source archive: the single C file is copied in during installPhase.
  unpackPhase = "true";
  installPhase = ''
    mkdir -p $out/bin
    cp ${./setuid-wrapper.c} setuid-wrapper.c
    gcc -Wall -O2 -DWRAPPER_DIR=\"${wrapperDir}\" \
      setuid-wrapper.c -o $out/bin/setuid-wrapper
  '';
};
in
{
###### interface
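options = {

  # Programs named here get a wrapper owned by root:root with the setuid
  # bit set (see the implementation below). Use security.setuidOwners to
  # override owner, group or mode for an individual program.
  security.setuidPrograms = mkOption {
    type = types.listOf types.str;
    default = [];
    example = ["passwd"];
    description = ''
      The Nix store cannot contain setuid/setgid programs directly.
      For this reason, NixOS can automatically generate wrapper
      programs that have the necessary privileges. This option
      lists the names of programs in the system environment for
      which setuid root wrappers should be created.
    '';
  };

  # Each entry is an attribute set consumed by makeSetuidWrapper in the
  # implementation below: `program` is required; `source`, `owner`,
  # `group`, `setuid`, `setgid` and `permissions` are optional and fall
  # back to that function's defaults.
  security.setuidOwners = mkOption {
    type = types.listOf types.attrs;
    default = [];
    example =
      [ { program = "sendmail";
          owner = "nobody";
          group = "postdrop";
          setuid = false;
          setgid = true;
          permissions = "u+rx,g+x,o+x";
        }
      ];
    description = ''
      This option allows the ownership and permissions on the setuid
      wrappers for specific programs to be overridden from the
      default (setuid root, but not setgid root).
    '';
  };

  # Internal: where the wrappers live. The path is also compiled into the
  # wrapper binary (WRAPPER_DIR), which is why it should not be changed.
  security.wrapperDir = mkOption {
    internal = true;
    type = types.path;
    default = "/var/setuid-wrappers";
    description = ''
      This option defines the path to the setuid wrappers. It
      should generally not be overridden. Some packages in Nixpkgs
      expect that <option>wrapperDir</option> is
      <filename>/var/setuid-wrappers</filename>.
    '';
  };

};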
###### implementation
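config = {

  # Always wrapped by this module; the module system merges this list with
  # the entries other modules and the user's configuration contribute.
  security.setuidPrograms = [ "fusermount" ];

  system.activationScripts.setuid =
    let
      # Plain names from setuidPrograms become setuid-root, root:root
      # wrappers; setuidOwners entries are passed through as given and may
      # override any of those attributes.
      setuidPrograms =
        (map (x: { program = x; owner = "root"; group = "root"; setuid = true; })
          config.security.setuidPrograms)
        ++ config.security.setuidOwners;

      # Returns the shell fragment that installs one wrapper in wrapperDir.
      # `source` may name the target explicitly; otherwise the program is
      # looked up in SETUID_PATH (set by the surrounding script) and, if
      # that fails, assumed to live in the default Nix profile.
      makeSetuidWrapper =
        { program
        , source ? ""
        , owner ? "nobody"
        , group ? "nogroup"
        , setuid ? false
        , setgid ? false
        , permissions ? "u+rx,g+x,o+x"
        }:
        ''
          if ! source=${if source != "" then source else "$(readlink -f $(PATH=$SETUID_PATH type -tP ${program}))"}; then
            # If we can't find the program, fall back to the
            # system profile.
            source=/nix/var/nix/profiles/default/bin/${program}
          fi

          cp ${setuidWrapper}/bin/setuid-wrapper ${wrapperDir}/${program}
          echo -n "$source" > ${wrapperDir}/${program}.real
          # Strip all permission bits before changing ownership, so the
          # wrapper is not executable until the final chmod below applies
          # the intended mode and set-id bits in one step (chown would
          # also clear any set-id bits that were already present).
          chmod 0000 ${wrapperDir}/${program} # to prevent races
          # Use the POSIX colon separator: the legacy dot form is ambiguous
          # when a user or group name itself contains a dot.
          chown ${owner}:${group} ${wrapperDir}/${program}
          chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${wrapperDir}/${program}
        '';

    in stringAfter [ "users" ]
      ''
        # Look in the system path and in the default profile for
        # programs to be wrapped.
        SETUID_PATH=${config.system.path}/bin:${config.system.path}/sbin

        # Start from an empty directory so wrappers for programs that were
        # removed from the configuration do not survive a rebuild.
        rm -f ${wrapperDir}/* # */

        ${concatMapStrings makeSetuidWrapper setuidPrograms}
      '';

};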
}