polyunfill: remove unix_chkpwd from /run/wrappers

2024-05-25 22:25:58 +00:00 · 2024-05-25 22:25:58 +00:00 · 3353add4dd
commit 3353add4dd
parent 2c0b725573
1 changed files with 13 additions and 1 deletions
--- a/hosts/common/polyunfill.nix
+++ b/hosts/common/polyunfill.nix
@ -3,18 +3,30 @@
 { lib, ... }:
 {
  # remove a few items from /run/wrappers we don't need.
-  # these were populated by <repo:nixos/nixpkgs:nixos/modules/programs/shadow.nix>
  options.security.wrappers = lib.mkOption {
    apply = lib.filterAttrs (name: _: !(builtins.elem name [
+      # wrappers from <repo:nixos/nixpkgs:nixos/modules/programs/shadow.nix>
      "newgidmap"
      "newgrp"
      "newuidmap"
      # "sg"
      # "su"
+      # wrappers from <repo:nixos/nixpkgs:nixos/modules/security/pam.nix>
+      # may need to patch e.g. `pam` package (pam_unix) to not refer to unix_chkpwd by path
+      "unix_chkpwd"
    ]));
  };

  config = {
+    nixpkgs.overlays = [(self: super: {
+      pam = super.pam.overrideAttrs (upstream: {
+        postPatch = (if upstream.postPatch != null then upstream.postPatch else "") + ''
+          substituteInPlace modules/pam_unix/Makefile.am --replace-fail \
+            "/run/wrappers/bin/unix_chkpwd" "$out"
+        '';
+      });
+    })];
+
    # disable non-required packages like nano, perl, rsync, strace
    environment.defaultPackages = [];