From 8f76a6eefcfa0c9904e0749f04b27090527ce09f Mon Sep 17 00:00:00 2001 From: rnhmjoj Date: Thu, 10 Jun 2021 01:47:55 +0200 Subject: [PATCH] nixos: add implict security.wrappers options This is to keep the same permissions/setuid/setgid as before the change in security.wrappers defaults. --- nixos/modules/programs/ccache.nix | 2 ++ nixos/modules/programs/msmtp.nix | 2 ++ nixos/modules/programs/ssmtp.nix | 2 ++ nixos/modules/security/pam.nix | 1 + nixos/modules/services/mail/opensmtpd.nix | 5 ++++- nixos/modules/services/mail/postfix.nix | 4 ++++ nixos/modules/services/networking/x2goserver.nix | 2 ++ nixos/modules/services/scheduling/fcron.nix | 2 ++ nixos/modules/services/x11/desktop-managers/cde.nix | 5 +++-- 9 files changed, 22 insertions(+), 3 deletions(-) diff --git a/nixos/modules/programs/ccache.nix b/nixos/modules/programs/ccache.nix index d672e1da017a..35a4373f6128 100644 --- a/nixos/modules/programs/ccache.nix +++ b/nixos/modules/programs/ccache.nix @@ -28,7 +28,9 @@ in { # "nix-ccache --show-stats" and "nix-ccache --clear" security.wrappers.nix-ccache = { + owner = "nobody"; group = "nixbld"; + setuid = false; setgid = true; source = pkgs.writeScript "nix-ccache.pl" '' #!${pkgs.perl}/bin/perl diff --git a/nixos/modules/programs/msmtp.nix b/nixos/modules/programs/msmtp.nix index 217060e6b3b3..9c067bdc9695 100644 --- a/nixos/modules/programs/msmtp.nix +++ b/nixos/modules/programs/msmtp.nix @@ -78,6 +78,8 @@ in { source = "${pkgs.msmtp}/bin/sendmail"; setuid = false; setgid = false; + owner = "root"; + group = "root"; }; environment.etc."msmtprc".text = let diff --git a/nixos/modules/programs/ssmtp.nix b/nixos/modules/programs/ssmtp.nix index 8b500f0383f4..e28a14538ecd 100644 --- a/nixos/modules/programs/ssmtp.nix +++ b/nixos/modules/programs/ssmtp.nix @@ -181,6 +181,8 @@ in source = "${pkgs.ssmtp}/bin/sendmail"; setuid = false; setgid = false; + owner = "root"; + group = "root"; }; }; 
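Review bot: The `nix-ccache` wrapper is setgid `nixbld` and explicitly not setuid, yet the hunk makes the shared `nobody` account its file owner; a setgid-only wrapper gains nothing from its owner, while ownership does give any process running as `nobody` owner rights (chmod) over a privileged executable, which is more than it needs. The commit message says this reproduces the previously implicit value, so it is a follow-up rather than a blocker, but `owner = "root";` is the safer explicit choice and changes nothing for the program since `setuid = false`. A one-line comment above the block would make the privilege set obvious to the next reader: `# setgid nixbld only (cache access); the owner carries no privilege`. The same owner choice recurs on the other setgid-only wrappers in this patch (postfix, opensmtpd, cde).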
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 163d75d7caf2..0bc774af3a66 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -871,6 +871,7 @@ in unix_chkpwd = { source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; owner = "root"; + group = "nogroup"; setuid = true; }; }; diff --git a/nixos/modules/services/mail/opensmtpd.nix b/nixos/modules/services/mail/opensmtpd.nix index c838d3b949db..dc209e8add4e 100644 --- a/nixos/modules/services/mail/opensmtpd.nix +++ b/nixos/modules/services/mail/opensmtpd.nix @@ -103,12 +103,15 @@ in { }; security.wrappers.smtpctl = { + owner = "nobody"; group = "smtpq"; + setuid = false; setgid = true; source = "${cfg.package}/bin/smtpctl"; }; - services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail security.wrappers.smtpctl; + services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail + security.wrappers.smtpctl // { program = "sendmail"; }; systemd.tmpfiles.rules = [ "d /var/spool/smtpd 711 root - - -" diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index 9b0a5bba2feb..2b8edb9c51f8 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -673,6 +673,7 @@ in services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail { program = "sendmail"; source = "${pkgs.postfix}/bin/sendmail"; + owner = "nobody"; group = setgidGroup; setuid = false; setgid = true; @@ -681,6 +682,7 @@ in security.wrappers.mailq = { program = "mailq"; source = "${pkgs.postfix}/bin/mailq"; + owner = "nobody"; group = setgidGroup; setuid = false; setgid = true; @@ -689,6 +691,7 @@ in security.wrappers.postqueue = { program = "postqueue"; source = "${pkgs.postfix}/bin/postqueue"; + owner = "nobody"; group = setgidGroup; setuid = false; setgid = true; 
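Review bot: `unix_chkpwd` only receives `group = "nogroup"` here while `setgid` is left implicit, although the purpose of the patch is to spell out every previously defaulted wrapper option; the msmtp and ssmtp hunks do write `setgid = false;` explicitly. Add `setgid = false;` next to `setuid = true;` so the privilege set of the one setuid-root wrapper in this patch is visible at a glance. Since the wrapper runs setuid root, the `nogroup` value carries no extra privilege, but a short comment such as `# setuid root; group is irrelevant and setgid is deliberately off` would record that the choice is intentional.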
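Review bot: The new `sendmailSetuidWrapper` expression does not apply the `program` override it intends: Nix function application binds tighter than `//`, so `mkIf cfg.setSendmail security.wrappers.smtpctl // { program = "sendmail"; }` parses as `(mkIf …) // { … }`, and the `program` attribute is attached to the `_type = "if"` marker set, where as far as I can tell the module system reads only `condition` and `content` and silently ignores it. The `sendmail` wrapper would then keep whatever `program` the `smtpctl` submodule value carries (presumably its default, the attribute name), so the sendmail alias is never created and the definition collides with the real `smtpctl` wrapper. Parenthesise the operand: `services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail` followed by `(security.wrappers.smtpctl // { program = "sendmail"; });`. The `owner = "nobody"` added to `smtpctl` deserves the same remark as the other setgid-only wrappers in this patch: `root` would be the safer explicit owner since `setuid = false`.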
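Review bot: `owner = "nobody"` is added to a wrapper that is setgid `setgidGroup` and explicitly `setuid = false`, so the owner confers no privilege on the program but does make the shared `nobody` service account the owner of a setgid executable; `owner = "root";` would be the least-privilege explicit value, and the same applies to the `mailq`, `postqueue` and `postdrop` definitions that this patch touches in the same way. The option is also named `sendmailSetuidWrapper` while its definition now states `setuid = false; setgid = true;` side by side — the name predates this patch, but a comment above the block, `# despite the option name this wrapper is setgid only, never setuid`, would save the next reader the double take.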
@@ -697,6 +700,7 @@ in security.wrappers.postdrop = { program = "postdrop"; source = "${pkgs.postfix}/bin/postdrop"; + owner = "nobody"; group = setgidGroup; setuid = false; setgid = true; diff --git a/nixos/modules/services/networking/x2goserver.nix b/nixos/modules/services/networking/x2goserver.nix index 48020fc1ceca..554e51f9d4ff 100644 --- a/nixos/modules/services/networking/x2goserver.nix +++ b/nixos/modules/services/networking/x2goserver.nix @@ -88,12 +88,14 @@ in { source = "${pkgs.x2goserver}/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl"; owner = "x2go"; group = "x2go"; + setuid = false; setgid = true; }; security.wrappers.x2goprintWrapper = { source = "${pkgs.x2goserver}/bin/x2goprint"; owner = "x2go"; group = "x2go"; + setuid = false; setgid = true; }; diff --git a/nixos/modules/services/scheduling/fcron.nix b/nixos/modules/services/scheduling/fcron.nix index 42bed21bf25b..4f5d99ddf38f 100644 --- a/nixos/modules/services/scheduling/fcron.nix +++ b/nixos/modules/services/scheduling/fcron.nix @@ -136,9 +136,11 @@ in owner = "fcron"; group = "fcron"; setgid = true; + setuid = false; }; fcronsighup = { source = "${pkgs.fcron}/bin/fcronsighup"; + owner = "root"; group = "fcron"; }; }; diff --git a/nixos/modules/services/x11/desktop-managers/cde.nix b/nixos/modules/services/x11/desktop-managers/cde.nix index 3f1575a0ca63..24ca82fca796 100644 --- a/nixos/modules/services/x11/desktop-managers/cde.nix +++ b/nixos/modules/services/x11/desktop-managers/cde.nix @@ -49,9 +49,10 @@ in { users.groups.mail = {}; security.wrappers = { dtmail = { - source = "${pkgs.cdesktopenv}/bin/dtmail"; - group = "mail"; setgid = true; + owner = "nobody"; + group = "mail"; + source = "${pkgs.cdesktopenv}/bin/dtmail"; }; };
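Review bot: `fcronsighup` gets only `owner = "root"` while `setuid` and `setgid` stay at the module defaults, and it is the one wrapper in this patch whose previous privilege I cannot see preserved: if, as I recall, the old wrappers module fell back to a setuid-root wrapper for a definition that specified neither `setuid` nor `setgid`, then fcronsighup — which by its name is meant to signal the daemon — silently loses its setuid bit here while the commit message promises unchanged permissions. Please confirm against the old module: if it was setuid root, add `setuid = true;` beside the new `owner = "root";`; if it is meant to run unprivileged, write `setuid = false;` so the choice is deliberate either way. The `fcrontab` entry just above already makes its setuid value explicit, so `fcronsighup` should match that style.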
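Review bot: The dtmail hunk removes and re-adds the unchanged `source` and `group` lines purely to reorder them, which turns a one-line addition into a three-line rewrite and makes `git blame` attribute those lines to this commit. Keep the diff to the single new line, `owner = "nobody";`, inserted before `group = "mail";`. As with the other setgid-only wrappers in this patch, `root` would be a safer explicit owner than the shared `nobody` account, since the wrapper is setgid `mail` and setuid is not enabled.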