polyunfill: distribute /run/wrappers/bin/unix_chkpwd without suid bit

2024-05-25 23:07:38 +00:00 · 2024-05-25 23:07:38 +00:00 · 9d9211c5fa
commit 9d9211c5fa
parent 9ce7dcd57a
1 changed files with 5 additions and 0 deletions
--- a/hosts/common/polyunfill.nix
+++ b/hosts/common/polyunfill.nix
@ -15,6 +15,11 @@
  };

  config = {
+    # from: <repo:nixos/nixpkgs:nixos/modules/security/pam.nix>
+    # removing this from /run/wrappers altogether is possible, but would require a full rebuild of pam
+    # (effectively a rebuild of the world) because it hardcodes that path
+    security.wrappers.unix_chkpwd.setuid = lib.mkForce false;
+
    # disable non-required packages like nano, perl, rsync, strace
    environment.defaultPackages = [];