nixos: explicitely set security.wrappers ownership

This is slightly more verbose and inconvenient, but it forces you
to think about what the wrapper ownership and permissions will be.
This commit is contained in:
rnhmjoj 2021-09-12 18:53:48 +02:00
parent 8f76a6eefc
commit fedd7cd690
No known key found for this signature in database
GPG key ID: BFBAF4C975F76450
39 changed files with 276 additions and 72 deletions

View file

@ -22,8 +22,10 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ bandwhich ];
security.wrappers.bandwhich = {
source = "${pkgs.bandwhich}/bin/bandwhich";
owner = "root";
group = "root";
capabilities = "cap_net_raw,cap_net_admin+ep";
source = "${pkgs.bandwhich}/bin/bandwhich";
};
};
}

View file

@ -105,11 +105,15 @@ in
);
security.wrappers.udhcpc = {
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.busybox}/bin/udhcpc";
};
security.wrappers.captive-browser = {
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = pkgs.writeShellScript "captive-browser" ''
export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"

View file

@ -81,7 +81,12 @@ in {
};
config = mkIf cfg.enable {
security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";
security.wrappers.firejail =
{ setuid = true;
owner = "root";
group = "root";
source = "${lib.getBin pkgs.firejail}/bin/firejail";
};
environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ];
};

View file

@ -56,6 +56,8 @@ in
polkit.enable = true;
wrappers = mkIf cfg.enableRenice {
gamemoded = {
owner = "root";
group = "root";
source = "${pkgs.gamemode}/bin/gamemoded";
capabilities = "cap_sys_nice+ep";
};

View file

@ -11,8 +11,10 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.iftop ];
security.wrappers.iftop = {
source = "${pkgs.iftop}/bin/iftop";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.iftop}/bin/iftop";
};
};
}

View file

@ -10,8 +10,10 @@ in {
};
config = mkIf cfg.enable {
security.wrappers.iotop = {
source = "${pkgs.iotop}/bin/iotop";
owner = "root";
group = "root";
capabilities = "cap_net_admin+p";
source = "${pkgs.iotop}/bin/iotop";
};
};
}

View file

@ -11,6 +11,11 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.kbdlight ];
security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight";
security.wrappers.kbdlight =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.kbdlight.out}/bin/kbdlight";
};
};
}

View file

@ -13,8 +13,10 @@ in {
security.wrappers = mkMerge (map (
exec: {
"${exec}" = {
source = "${pkgs.liboping}/bin/${exec}";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.liboping}/bin/${exec}";
};
}
) [ "oping" "noping" ]);

View file

@ -31,8 +31,10 @@ in {
environment.systemPackages = with pkgs; [ cfg.package ];
security.wrappers.mtr-packet = {
source = "${cfg.package}/bin/mtr-packet";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${cfg.package}/bin/mtr-packet";
};
};
}

View file

@ -18,8 +18,10 @@ in {
config = mkIf cfg.enable {
security.wrappers.noisetorch = {
source = "${cfg.package}/bin/noisetorch";
owner = "root";
group = "root";
capabilities = "cap_sys_resource=+ep";
source = "${cfg.package}/bin/noisetorch";
};
};
}

View file

@ -43,6 +43,13 @@ let
'';
mkSetuidRoot = source:
{ setuid = true;
owner = "root";
group = "root";
inherit source;
};
in
{
@ -109,14 +116,14 @@ in
};
security.wrappers = {
su.source = "${pkgs.shadow.su}/bin/su";
sg.source = "${pkgs.shadow.out}/bin/sg";
newgrp.source = "${pkgs.shadow.out}/bin/newgrp";
newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";
newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";
su = mkSetuidRoot "${pkgs.shadow.su}/bin/su";
sg = mkSetuidRoot "${pkgs.shadow.out}/bin/sg";
newgrp = mkSetuidRoot "${pkgs.shadow.out}/bin/newgrp";
newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap";
newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap";
} // lib.optionalAttrs config.users.mutableUsers {
chsh.source = "${pkgs.shadow.out}/bin/chsh";
passwd.source = "${pkgs.shadow.out}/bin/passwd";
chsh = mkSetuidRoot "${pkgs.shadow.out}/bin/chsh";
passwd = mkSetuidRoot "${pkgs.shadow.out}/bin/passwd";
};
};
}

View file

@ -16,7 +16,12 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = [ singularity ];
security.wrappers.singularity-suid.source = "${singularity}/libexec/singularity/bin/starter-suid.orig";
security.wrappers.singularity-suid =
{ setuid = true;
owner = "root";
group = "root";
source = "${singularity}/libexec/singularity/bin/starter-suid.orig";
};
systemd.tmpfiles.rules = [
"d /var/singularity/mnt/session 0770 root root -"
"d /var/singularity/mnt/final 0770 root root -"

View file

@ -21,6 +21,11 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.slock ];
security.wrappers.slock.source = "${pkgs.slock.out}/bin/slock";
security.wrappers.slock =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.slock.out}/bin/slock";
};
};
}

View file

@ -19,8 +19,10 @@ in {
config = mkIf cfg.enable {
security.wrappers.traceroute = {
source = "${pkgs.traceroute}/bin/traceroute";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.traceroute}/bin/traceroute";
};
};
}

View file

@ -9,6 +9,11 @@ in {
options.programs.udevil.enable = mkEnableOption "udevil";
config = mkIf cfg.enable {
security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil";
security.wrappers.udevil =
{ setuid = true;
owner = "root";
group = "root";
source = "${lib.getBin pkgs.udevil}/bin/udevil";
};
};
}

View file

@ -21,8 +21,10 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ wavemon ];
security.wrappers.wavemon = {
source = "${pkgs.wavemon}/bin/wavemon";
owner = "root";
group = "root";
capabilities = "cap_net_admin+ep";
source = "${pkgs.wavemon}/bin/wavemon";
};
};
}

View file

@ -17,6 +17,11 @@ in {
};
config = mkIf cfg.enable {
security.wrappers.wshowkeys.source = "${pkgs.wshowkeys}/bin/wshowkeys";
security.wrappers.wshowkeys =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.wshowkeys}/bin/wshowkeys";
};
};
}

View file

@ -28,6 +28,11 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ sandbox ];
security.wrappers.${sandbox.passthru.sandboxExecutableName}.source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
security.wrappers.${sandbox.passthru.sandboxExecutableName} =
{ setuid = true;
owner = "root";
group = "root";
source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
};
};
}

View file

@ -241,9 +241,12 @@ in
}
];
security.wrappers = {
doas.source = "${doas}/bin/doas";
};
security.wrappers.doas =
{ setuid = true;
owner = "root";
group = "root";
source = "${doas}/bin/doas";
};
environment.systemPackages = [
doas

View file

@ -186,7 +186,12 @@ in
config = mkIf (cfg.ssh.enable || cfg.pam.enable) {
environment.systemPackages = [ pkgs.duo-unix ];
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
security.wrappers.login_duo =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.duo-unix.out}/bin/login_duo";
};
system.activationScripts = {
login_duo = mkIf cfg.ssh.enable ''

View file

@ -32,8 +32,18 @@ in
# Make sure pmount and pumount are setuid wrapped.
security.wrappers = {
pmount.source = "${pkgs.pmount.out}/bin/pmount";
pumount.source = "${pkgs.pmount.out}/bin/pumount";
pmount =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.pmount.out}/bin/pmount";
};
pumount =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.pmount.out}/bin/pumount";
};
};
environment.systemPackages = [ pkgs.pmount ];

View file

@ -83,8 +83,18 @@ in
security.pam.services.polkit-1 = {};
security.wrappers = {
pkexec.source = "${pkgs.polkit.bin}/bin/pkexec";
polkit-agent-helper-1.source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
pkexec =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.polkit.bin}/bin/pkexec";
};
polkit-agent-helper-1 =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
};
};
systemd.tmpfiles.rules = [

View file

@ -33,12 +33,10 @@ let
};
options.owner = lib.mkOption
{ type = lib.types.str;
default = "root";
description = "The owner of the wrapper program.";
};
options.group = lib.mkOption
{ type = lib.types.str;
default = "root";
description = "The group of the wrapper program.";
};
options.permissions = lib.mkOption
@ -74,7 +72,7 @@ let
};
options.setuid = lib.mkOption
{ type = lib.types.bool;
default = true;
default = false;
description = "Whether to add the setuid bit the wrapper program.";
};
options.setgid = lib.mkOption
@ -156,13 +154,30 @@ in
default = {};
example = lib.literalExample
''
{ sendmail.source = "/nix/store/.../bin/sendmail";
ping = {
source = "${pkgs.iputils.out}/bin/ping";
owner = "nobody";
group = "nogroup";
capabilities = "cap_net_raw+ep";
};
{
# a setuid root program
doas =
{ setuid = true;
owner = "root";
group = "root";
source = "''${pkgs.doas}/bin/doas";
};
# a setgid program
locate =
{ setgid = true;
owner = "root";
group = "mlocate";
source = "''${pkgs.locate}/bin/locate";
};
# a program with the CAP_NET_RAW capability
ping =
{ owner = "root";
group = "root";
capabilities = "cap_net_raw+ep";
source = "''${pkgs.iputils.out}/bin/ping";
};
}
'';
description = ''
@ -198,13 +213,21 @@ in
}
) wrappers;
security.wrappers = {
# These are mount related wrappers that require the +s permission.
fusermount.source = "${pkgs.fuse}/bin/fusermount";
fusermount3.source = "${pkgs.fuse3}/bin/fusermount3";
mount.source = "${lib.getBin pkgs.util-linux}/bin/mount";
umount.source = "${lib.getBin pkgs.util-linux}/bin/umount";
};
security.wrappers =
let
mkSetuidRoot = source:
{ setuid = true;
owner = "root";
group = "root";
inherit source;
};
in
{ # These are mount related wrappers that require the +s permission.
fusermount = mkSetuidRoot "${pkgs.fuse}/bin/fusermount";
fusermount3 = mkSetuidRoot "${pkgs.fuse3}/bin/fusermount3";
mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
};
boot.specialFileSystems.${parentWrapperDir} = {
fsType = "tmpfs";

View file

@ -52,8 +52,10 @@ with lib;
security.pam.services.login.enableGnomeKeyring = true;
security.wrappers.gnome-keyring-daemon = {
source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";
owner = "root";
group = "root";
capabilities = "cap_ipc_lock=ep";
source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";
};
};

View file

@ -104,7 +104,12 @@ in
gid = config.ids.gids.exim;
};
security.wrappers.exim.source = "${cfg.package}/bin/exim";
security.wrappers.exim =
{ setuid = true;
owner = "root";
group = "root";
source = "${cfg.package}/bin/exim";
};
systemd.services.exim = {
description = "Exim Mail Daemon";

View file

@ -45,8 +45,10 @@ in
environment.systemPackages = [ pkgs.mame ];
security.wrappers."${mame}" = {
source = "${pkgs.mame}/bin/${mame}";
owner = "root";
group = "root";
capabilities = "cap_net_admin,cap_net_raw+eip";
source = "${pkgs.mame}/bin/${mame}";
};
systemd.services.mame = {

View file

@ -52,7 +52,12 @@ in
wants = [ "network.target" ];
};
security.wrappers.screen.source = "${pkgs.screen}/bin/screen";
security.wrappers.screen =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.screen}/bin/screen";
};
};
meta.doc = ./weechat.xml;

View file

@ -71,7 +71,12 @@ in
environment.systemPackages = [ pkgs.incron ];
security.wrappers.incrontab.source = "${pkgs.incron}/bin/incrontab";
security.wrappers.incrontab =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.incron}/bin/incrontab";
};
# incron won't read symlinks
environment.etc."incron.d/system" = {

View file

@ -262,7 +262,12 @@ in
};
security.wrappers = {
fping.source = "${pkgs.fping}/bin/fping";
fping =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.fping}/bin/fping";
};
};
systemd.services.zabbix-proxy = {

View file

@ -278,8 +278,18 @@ in
}
];
security.wrappers = {
fping.source = "${pkgs.fping}/bin/fping";
fping6.source = "${pkgs.fping}/bin/fping6";
fping =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.fping}/bin/fping";
};
fping6 =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.fping}/bin/fping6";
};
};
environment.systemPackages = [ pkgs.fping ];
users.users.${cfg.user} = {

View file

@ -93,7 +93,12 @@ in
{ services.cron.enable = mkDefault (allFiles != []); }
(mkIf (config.services.cron.enable) {
security.wrappers.crontab.source = "${cronNixosPkg}/bin/crontab";
security.wrappers.crontab =
{ setuid = true;
owner = "root";
group = "root";
source = "${cronNixosPkg}/bin/crontab";
};
environment.systemPackages = [ cronNixosPkg ];
environment.etc.crontab =
{ source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }

View file

@ -142,6 +142,7 @@ in
source = "${pkgs.fcron}/bin/fcronsighup";
owner = "root";
group = "fcron";
setuid = true;
};
};
systemd.services.fcron = {

View file

@ -44,8 +44,10 @@ in
security.wrappers = mkIf cfg.enableSysAdminCapability {
replay-sorcery = {
source = "${pkgs.replay-sorcery}/bin/replay-sorcery";
owner = "root";
group = "root";
capabilities = "cap_sys_admin+ep";
source = "${pkgs.replay-sorcery}/bin/replay-sorcery";
};
};

View file

@ -65,9 +65,24 @@ in
# Wrappers for programs installed by enlightenment that should be setuid
security.wrappers = {
enlightenment_ckpasswd.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";
enlightenment_sys.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";
enlightenment_system.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";
enlightenment_ckpasswd =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";
};
enlightenment_sys =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";
};
enlightenment_system =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";
};
};
environment.etc."X11/xkb".source = xcfg.xkbDir;

View file

@ -197,12 +197,24 @@ in
};
security.wrappers = {
kcheckpass.source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";
start_kdeinit.source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";
kwin_wayland = {
source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";
capabilities = "cap_sys_nice+ep";
};
kcheckpass =
{ setuid = true;
owner = "root";
group = "root";
source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";
};
start_kdeinit =
{ setuid = true;
owner = "root";
group = "root";
source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";
};
kwin_wayland =
{ owner = "root";
group = "root";
capabilities = "cap_sys_nice+ep";
source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";
};
};
# DDC support

View file

@ -7,8 +7,18 @@ with lib;
config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) {
system.fsPackages = [ pkgs.ecryptfs ];
security.wrappers = {
"mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
"umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
"mount.ecryptfs_private" =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
};
"umount.ecryptfs_private" =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
};
};
};
}

View file

@ -1133,11 +1133,16 @@ in
# kernel because we need the ambient capability
security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then {
ping = {
source = "${pkgs.iputils.out}/bin/ping";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.iputils.out}/bin/ping";
};
} else {
ping.source = "${pkgs.iputils.out}/bin/ping";
setuid = true;
owner = "root";
group = "root";
source = "${pkgs.iputils.out}/bin/ping";
};
security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
/run/wrappers/bin/ping {

View file

@ -183,6 +183,9 @@ in {
};
security.wrappers.qemu-bridge-helper = {
setuid = true;
owner = "root";
group = "root";
source = "/run/${dirName}/nix-helpers/qemu-bridge-helper";
};

View file

@ -14,9 +14,11 @@
config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable {
environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions
security.wrappers.spice-client-glib-usb-acl-helper ={
source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
security.wrappers.spice-client-glib-usb-acl-helper = {
owner = "root";
group = "root";
capabilities = "cap_fowner+ep";
source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
};
};