nixos/weechat: add setuid wrapper for `screen' to ensure true multiuser capabilities #48131
@@ -46,10 +46,12 @@ in | |||
Group = "weechat"; | |||
RemainAfterExit = "yes"; | |||
}; | |||
script = "exec ${pkgs.screen}/bin/screen -Dm -S ${cfg.sessionName} ${cfg.binary}"; | |||
script = "exec /run/wrappers/bin/screen -Dm -S ${cfg.sessionName} ${cfg.binary}"; |
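Review bot: the replacement `script` line hard-codes `/run/wrappers/bin/screen`, so the unit now depends on a setuid wrapper named `screen` being declared elsewhere, and this hunk does not show that declaration. Confirm the module defines the wrapper whenever the service is enabled, and consider deriving the path from `config.security.wrapperDir` rather than a literal so the unit follows the configured wrapper location. Because the command now runs through a setuid binary, `${cfg.sessionName}` and `${cfg.binary}` should also be shell-escaped in the `exec` line so that a value containing whitespace or shell metacharacters cannot alter the command.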
You may want this to be `${config.security.wrapperDir}/bin/screen`? It appears that a lot of places hard-code the path `/run/wrappers`, so not super-clear that this is a huge deal 😃
…er capabilities

Previously you either had to set the setuid bit yourself or work around `isSystemUser = true` (for a loginable shell) to access the weechat screen. `programs.screen` shouldn't do this by default to avoid taking too many assumptions about the setup, however `services.weechat` explicitly requires this. See NixOS#45728
d34589d to 018573b
@andrew-d thanks, fixed! :)
Would it be possible to make it so that it can work with tmux too? I thought screen was not maintained anymore.
do you have a source for that? I'm still seeing IIRC the original weechat PR had a similar discussion, in the end I used the original change and implemented some minor improvements, so feel free to add In this PR it's IMHO out of scope though.
Are there any people against this change? Otherwise I'd merge this in about 24 hours :)
A review and the approval of another maintainer should be fine I guess :)
this properly fixes multi-user support, so I backported this as bfb61a7
Things done
Previously you either had to set the setuid bit yourself or work around `isSystemUser = true` (for a loginable shell) to access the weechat screen. `programs.screen` shouldn't do this by default to avoid taking too many assumptions about the setup, however `services.weechat` explicitly requires this.
See #45728