WIP: Setuid interface #22532
Use a sane default. Who wants a setuid to "nobody"? TODO: Big fat warning for breaking backward-compatibility
Automatically install the setuid wrappers for all environment.systemPackages that expose the "setuid" attribute. That "setuid" attribute must be a list of programs that need to be wrapped with the following attrset: { program , source ? "" , owner ? "root" , group ? "root" , setuid ? true , setgid ? false , permissions ? "u+rx,g+x,o+x" }
Guarantees that the wrapper is going to use the package's binary and not some other one with the same name.
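The attribute described in the commit messages above, as an added illustration in Nix (not code from this pull request): it fills in the stated defaults for each entry and pins `source` to the declaring package's own store path. The package, its program names, the `bin/` layout and the helper names `normalize` and `collect` are assumptions.

```nix
# Added illustration; not code from the pull request.
# Evaluate with: nix-instantiate --eval --strict --json this-file.nix
let
  # Defaults copied from the attrset in the commit message.
  defaults = {
    source = "";
    owner = "root";
    group = "root";
    setuid = true;
    setgid = false;
    permissions = "u+rx,g+x,o+x";
  };

  # Hypothetical package exposing a "setuid" list (constructed sample).
  examplePkg = {
    outPath = "/nix/store/<hash>-example-1.0";
    setuid = [
      # Only the program name is given: every default applies.
      { program = "example-helper"; }
      # Setgid-only entry that overrides the group.
      { program = "example-spool"; group = "mail"; setuid = false; setgid = true; }
    ];
  };

  # Hypothetical package without the attribute: contributes no wrappers.
  plainPkg = { outPath = "/nix/store/<hash>-plain-1.0"; };

  # Merge the defaults into one entry. When no source is given, point the
  # wrapper at the declaring package's binary (assumed to live in bin/),
  # so a same-named program from another package can never be wrapped.
  normalize = pkg: entry:
    let e = defaults // entry;
    in e // {
      source =
        if e.source != "" then e.source
        else "${pkg.outPath}/bin/${e.program}";
    };

  # Collect the wrapper entries of every package that exposes "setuid".
  collect = pkgs:
    builtins.concatLists (map (p: map (normalize p) (p.setuid or [ ])) pkgs);
in
collect [ examplePkg plainPkg ]
```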
👍 on this. One minor issue is the use of
Alright, makes sense. Playing devil's advocate on my own proposal but what do you think of having the package select the uid/gid of the setuid like I implemented? I'm a bit concerned that the uid/gid list is a system concern instead.
I would say that sometimes having some package available in the system path makes sense both with and without setuid wrapper (for different use cases), so not having a system-level override at all would be a step back. As for UID/GID management, maybe recommending the default names and allocating new ids if the names are unknown would be OK, but that requires state, because such a user name could be added to the global list of UIDs later…
I think NixOS wrappers have gone in a slightly different direction…
Motivation for this change
Inspired by the discussion at http://lists.science.uu.nl/pipermail/nix-dev/2017-February/022698.html I had a look and it seems that each setuid program needs to be specified by hand.
On other operating systems, the packages install their setuid themselves. I believe the package is also best placed to know which of the binaries it installs should be setuid.
This is just a proof of concept for now, let me know what you think!
Things done
(nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)