

Merge branch 'master' into staging
Over 11k rebuilds on master.
vcunat committed Feb 15, 2017
2 parents f228ea5 + b1bfe9d commit 35b2159
Showing 133 changed files with 1,838 additions and 1,144 deletions.
8 changes: 3 additions & 5 deletions lib/customisation.nix
Expand Up @@ -106,11 +106,9 @@ rec {
let
f = if builtins.isFunction fn then fn else import fn;
auto = builtins.intersectAttrs (builtins.functionArgs f) autoArgs;
finalArgs = auto // args;
pkgs = f finalArgs;
mkAttrOverridable = name: pkg: pkg // {
override = newArgs: mkAttrOverridable name (f (finalArgs // newArgs)).${name};
};
origArgs = auto // args;
pkgs = f origArgs;
mkAttrOverridable = name: pkg: makeOverridable (newArgs: (f newArgs).${name}) origArgs;
in lib.mapAttrs mkAttrOverridable pkgs;


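Review bot: The `pkg` argument of `mkAttrOverridable` is no longer used on the new side: the wrapped value is recomputed as `(f newArgs).${name}` inside `makeOverridable`, so the attribute already evaluated in `pkgs` is discarded and the outer `f` is applied once per attribute name rather than once for the whole set. If that re-application is intended (it is what makes each attribute independently overridable), a comment would spare the next reader the puzzle, e.g. `# pkg is ignored on purpose: makeOverridable re-applies f so override works per attribute.`; otherwise renaming the parameter to `_` at least signals it is unused. Whether the evaluator shares the `f origArgs` work between attributes is not visible here and worth confirming if this path is performance-sensitive. The enclosing function begins before this hunk.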
3 changes: 2 additions & 1 deletion lib/maintainers.nix
Expand Up @@ -344,6 +344,7 @@
nico202 = "Nicolò Balzarotti <anothersms@gmail.com>";
NikolaMandic = "Ratko Mladic <nikola@mandic.email>";
nixy = "Andrew R. M. <andrewmiller237@gmail.com>";
nocoolnametom = "Tom Doggett <nocoolnametom@gmail.com>";
notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>";
Expand Down Expand Up @@ -490,7 +491,7 @@
travisbhartwell = "Travis B. Hartwell <nafai@travishartwell.net>";
trino = "Hubert Mühlhans <muehlhans.hubert@ekodia.de>";
tstrobel = "Thomas Strobel <4ZKTUB6TEP74PYJOPWIR013S2AV29YUBW5F9ZH2F4D5UMJUJ6S@hash.domains>";
ttuegel = "Thomas Tuegel <ttuegel@gmail.com>";
ttuegel = "Thomas Tuegel <ttuegel@mailbox.org>";
tv = "Tomislav Viljetić <tv@shackspace.de>";
tvestelind = "Tomas Vestelind <tomas.vestelind@fripost.org>";
tvorog = "Marsel Zaripov <marszaripov@gmail.com>";
9 changes: 9 additions & 0 deletions nixos/doc/manual/release-notes/rl-1703.xml
Expand Up @@ -16,11 +16,20 @@ has the following highlights: </para>
manual</link> for more information.</para>
</listitem>

<listitem>
<para>The setuid wrapper functionality now supports setting
capabilities.</para>
</listitem>

<listitem>
<para>X.org server uses branch 1.19. Due to ABI incompatibilities,
<literal>ati_unfree</literal> keeps forcing 1.17
and <literal>amdgpu-pro</literal> starts forcing 1.18.</para>
</listitem>

<listitem>
<para>PHP now defaults to PHP 7.1</para>
</listitem>
</itemizedlist>

<para>The following new services were added since the last release:</para>
2 changes: 1 addition & 1 deletion nixos/modules/config/shells-environment.nix
Expand Up @@ -168,7 +168,7 @@ in
${cfg.extraInit}
# The setuid wrappers override other bin directories.
# The setuid/setcap wrappers override other bin directories.
export PATH="${config.security.wrapperDir}:$PATH"
# ~/bin if it exists overrides other bin directories.
1 change: 0 additions & 1 deletion nixos/modules/installer/tools/nixos-generate-config.pl
Expand Up @@ -347,7 +347,6 @@ sub in {

# Skip special filesystems.
next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs";
next if $mountPoint eq "/var/setuid-wrappers";

# Skip the optional fields.
my $n = 6; $n++ while $fields[$n] ne "-"; $n++;
4 changes: 2 additions & 2 deletions nixos/modules/installer/tools/nixos-install.sh
Expand Up @@ -259,9 +259,9 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate


# Ask the user to set a root password.
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/setuid-wrappers/passwd ] && [ -t 0 ]; then
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/bin/passwd ] && [ -t 0 ]; then
echo "setting root password..."
chroot $mountPoint /var/setuid-wrappers/passwd
chroot $mountPoint /run/wrappers/bin/passwd
fi


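Review bot: Both rewritten lines keep `$mountPoint` unquoted in `chroot $mountPoint [ -x /run/wrappers/bin/passwd ]` and `chroot $mountPoint /run/wrappers/bin/passwd`, so a mount point containing whitespace is split into several arguments before chroot sees it. Since these lines are being touched anyway, `chroot "$mountPoint" ...` on both would close that gap. The `-x` probe only checks that the wrapper exists and is executable, not that it carries the setuid bit, which matches the old behaviour.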
10 changes: 6 additions & 4 deletions nixos/modules/installer/tools/nixos-rebuild.sh
Expand Up @@ -15,6 +15,7 @@ origArgs=("$@")
extraBuildFlags=()
action=
buildNix=1
fast=
rollback=
upgrade=
repair=
Expand Down Expand Up @@ -52,20 +53,21 @@ while [ "$#" -gt 0 ]; do
repair=1
extraBuildFlags+=("$i")
;;
--show-trace|--no-build-hook|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q)
extraBuildFlags+=("$i")
;;
--max-jobs|-j|--cores|-I)
j="$1"; shift 1
extraBuildFlags+=("$i" "$j")
;;
--show-trace|--no-build-hook|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q|-j*)
extraBuildFlags+=("$i")
;;
--option)
j="$1"; shift 1
k="$1"; shift 1
extraBuildFlags+=("$i" "$j" "$k")
;;
--fast)
buildNix=
fast=1
extraBuildFlags+=(--show-trace)
;;
--profile-name|-p)
Expand Down Expand Up @@ -217,7 +219,7 @@ if [ -z "$_NIXOS_REBUILD_REEXEC" ]; then
fi

# Re-execute nixos-rebuild from the Nixpkgs tree.
if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" ]; then
if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" -a -z "$fast" ]; then
if p=$(nix-build --no-out-link --expr 'with import <nixpkgs/nixos> {}; config.system.build.nixos-rebuild' "${extraBuildFlags[@]}"); then
export _NIXOS_REBUILD_REEXEC=1
exec $p/bin/nixos-rebuild "${origArgs[@]}"
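Review bot: The new re-exec guard `[ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" -a -z "$fast" ]` chains three tests with `-a`, which POSIX marks obsolescent and which becomes ambiguous once an operand can look like an operator; `[ -z "$_NIXOS_REBUILD_REEXEC" ] && [ -n "$canRun" ] && [ -z "$fast" ]` is the unambiguous form. That `--fast` now also skips re-executing nixos-rebuild from the Nixpkgs tree is only discoverable by reading this line, so a comment at the `--fast)` case in the earlier hunk, e.g. `# --fast also skips re-executing from the Nixpkgs tree (see the _NIXOS_REBUILD_REEXEC check below).`, would document the coupling. The `if` block continues past the end of the hunk.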
19 changes: 10 additions & 9 deletions nixos/modules/misc/locate.nix
Expand Up @@ -103,15 +103,16 @@ in {
config = mkIf cfg.enable {
users.extraGroups = mkIf isMLocate { mlocate = {}; };

security.setuidOwners = mkIf isMLocate
[ { group = "mlocate";
owner = "root";
permissions = "u+rx,g+x,o+x";
setgid = true;
setuid = false;
program = "locate";
}
];
security.wrappers = mkIf isMLocate {
mlocate = {
group = "mlocate";
owner = "root";
permissions = "u+rx,g+x,o+x";
setgid = true;
setuid = false;
program = "locate";
};
};

nixpkgs.config = { locate.dbfile = cfg.output; };

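Review bot: This is the only wrapper in the commit that identifies its target by `program = "locate"` instead of a `source` store path, and the attribute is named `mlocate` while the program is named `locate`; how `security.wrappers` resolves `program` by name, and which `locate` binary it picks, is decided in the wrappers module, which is not in this diff. It is worth confirming the wrapper really ends up pointing at mlocate's binary, or switching to `source = "${<mlocate package>}/bin/locate"` like the other hunks. The explicit `setuid = false; setgid = true;` pair with `group = "mlocate"` is the right shape for a group-only privilege and should be kept explicit even if module defaults change. The enclosing `config` attribute set begins before this hunk.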
2 changes: 1 addition & 1 deletion nixos/modules/module-list.nix
Expand Up @@ -113,7 +113,7 @@
./security/prey.nix
./security/rngd.nix
./security/rtkit.nix
./security/setuid-wrappers.nix
./security/wrappers/default.nix
./security/sudo.nix
./services/amqp/activemq/default.nix
./services/amqp/rabbitmq.nix
2 changes: 1 addition & 1 deletion nixos/modules/programs/kbdlight.nix
Expand Up @@ -11,6 +11,6 @@ in

config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.kbdlight ];
security.setuidPrograms = [ "kbdlight" ];
security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight";
};
}
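Review bot: `security.wrappers.kbdlight.source = ...` sets only the target path, so the wrapper's owner, setuid/setgid flags and permissions now come from the defaults of the `security.wrappers` module, which is not in this diff; the old `security.setuidPrograms` entry was by definition a setuid-root program. Confirming that the module default is setuid root (and stating it once in the wrappers module docs) would make this and the same source-only pattern in light.nix, chromium-suid-sandbox.nix, duosec.nix, shadow.nix, the ecryptfs entries in pam.nix, pam_usb.nix and polkit.nix reviewable without opening the module. Where a specific privilege is required, spelling it out as pam.nix does for `unix_chkpwd` (`owner = "root"; setuid = true;`) is the safer form.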
2 changes: 1 addition & 1 deletion nixos/modules/programs/light.nix
Expand Up @@ -21,6 +21,6 @@ in

config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.light ];
security.setuidPrograms = [ "light" ];
security.wrappers.light.source = "${pkgs.light.out}/bin/light";
};
}
16 changes: 10 additions & 6 deletions nixos/modules/programs/shadow.nix
Expand Up @@ -101,11 +101,15 @@ in
chpasswd = { rootOK = true; };
};

security.setuidPrograms = [ "su" "chfn" ]
++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x
++ lib.optionals config.users.mutableUsers
[ "passwd" "sg" "newgrp" ];

security.wrappers = {
su.source = "${pkgs.shadow.su}/bin/su";
chfn.source = "${pkgs.shadow.out}/bin/chfn";
newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";
newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";
} // (if config.users.mutableUsers then {
passwd.source = "${pkgs.shadow.out}/bin/passwd";
sg.source = "${pkgs.shadow.out}/bin/sg";
newgrp.source = "${pkgs.shadow.out}/bin/newgrp";
} else {});
};

}
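Review bot: The conditional merge `} // (if config.users.mutableUsers then { ... } else {});` is what `lib.optionalAttrs` exists for: `} // lib.optionalAttrs config.users.mutableUsers {` with the same three entries reads more directly, and the same shape recurs for `enableEcryptfs` in pam.nix. The `# new in shadow 4.2.x` note on `newuidmap`/`newgidmap` from the removed lines was dropped; keeping it on the new `newuidmap.source` line preserves the reason those two wrappers exist. `su` is taken from `pkgs.shadow.su` while the others use `pkgs.shadow.out`, which looks deliberate but deserves a short comment. The enclosing `config` block starts before this hunk.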
4 changes: 3 additions & 1 deletion nixos/modules/rename.nix
Expand Up @@ -10,7 +10,6 @@ with lib;
(mkRenamedOptionModule [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ])
(mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ])

(mkRenamedOptionModule [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ])
(mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ])
(mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ])

Expand All @@ -33,6 +32,9 @@ with lib;

(mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ])

(mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
(mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")

# Old Grub-related options.
(mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
(mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])
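Review bot: Dropping `mkRenamedOptionModule [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ]` without a replacement means a configuration that still sets `security.extraSetuidPrograms` now fails with a generic undefined-option error instead of the pointer to `security.wrappers` that the two new `mkRemovedOptionModule` lines give for `setuidOwners` and `setuidPrograms`. Adding `(mkRemovedOptionModule [ "security" "extraSetuidPrograms" ] "Use security.wrappers instead")` next to them keeps the migration message consistent for the older name too.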
3 changes: 1 addition & 2 deletions nixos/modules/security/apparmor-suid.nix
Expand Up @@ -19,7 +19,7 @@ with lib;
config = mkIf (cfg.confineSUIDApplications) {
security.apparmor.profiles = [ (pkgs.writeText "ping" ''
#include <tunables/global>
/var/setuid-wrappers/ping {
/run/wrappers/bin/ping {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
Expand All @@ -33,7 +33,6 @@ with lib;
${pkgs.attr.out}/lib/libattr.so* mr,
${pkgs.iputils}/bin/ping mixr,
/var/setuid-wrappers/ping.real r,
#/etc/modules.conf r,
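Review bot: The second hunk removes the `/var/setuid-wrappers/ping.real r,` read rule without adding a `/run/wrappers/bin/` equivalent, while the first hunk only moves the profile's attachment path to `/run/wrappers/bin/ping`. If the new wrapper still locates its target through a `.real` file beside it (presumably why that rule existed), the confined ping will be denied that read and fail under enforcement; if the new wrapper carries the target path itself, the deletion is right. That depends on the wrappers module, which is not in this diff, so it is worth confirming and, if needed, adding `/run/wrappers/bin/ping.real r,`. Both hunks sit inside the profile text, which continues outside them.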
2 changes: 1 addition & 1 deletion nixos/modules/security/chromium-suid-sandbox.nix
Expand Up @@ -27,6 +27,6 @@ in

config = mkIf cfg.enable {
environment.systemPackages = [ sandbox ];
security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];
security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
};
}
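Review bot: The new line spells `sandbox.passthru.sandboxExecutableName` twice and runs well past 80 columns. Binding it once in the module's existing `let` block (`sandboxName = sandbox.passthru.sandboxExecutableName;`) and writing `security.wrappers.${sandboxName}.source = "${sandbox}/bin/${sandboxName}";` keeps the wrapper name and the target path visibly in sync. The `let` block is above this hunk.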
3 changes: 2 additions & 1 deletion nixos/modules/security/duosec.nix
Expand Up @@ -187,7 +187,8 @@ in
];

environment.systemPackages = [ pkgs.duo-unix ];
security.setuidPrograms = [ "login_duo" ];

security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
environment.etc = loginCfgFile ++ pamCfgFile;

/* If PAM *and* SSH are enabled, then don't do anything special.
19 changes: 10 additions & 9 deletions nixos/modules/security/pam.nix
Expand Up @@ -472,19 +472,20 @@ in
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];

security.setuidPrograms =
optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
security.wrappers = {
unix_chkpwd = {
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
owner = "root";
setuid = true;
};
} // (if config.security.pam.enableEcryptfs then {
"mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
"umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
} else {});

environment.etc =
mapAttrsToList (n: v: makePAMService v) config.security.pam.services;

security.setuidOwners = [ {
program = "unix_chkpwd";
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
owner = "root";
setuid = true;
} ];

security.pam.services =
{ other.text =
''
8 changes: 5 additions & 3 deletions nixos/modules/security/pam_usb.nix
Expand Up @@ -32,10 +32,12 @@ in

config = mkIf (cfg.enable || anyUsbAuth) {

# pmount need to have a set-uid bit to make pam_usb works in user
# environment. (like su, sudo)
# Make sure pmount and pumount are setuid wrapped.
security.wrappers = {
pmount.source = "${pkgs.pmount.out}/bin/pmount";
pumount.source = "${pkgs.pmount.out}/bin/pumount";
};

security.setuidPrograms = [ "pmount" "pumount" ];
environment.systemPackages = [ pkgs.pmount ];

};
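Review bot: The rewritten comment `# Make sure pmount and pumount are setuid wrapped.` says what the attrset does but drops the reason the removed comment gave, namely that pam_usb invokes pmount from an unprivileged user context and therefore needs it setuid; the why is what a future reader needs to decide whether these wrappers can be dropped. Suggested wording: `# pam_usb runs pmount/pumount as the unprivileged user (e.g. via su/sudo), so both need setuid wrappers.`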
14 changes: 4 additions & 10 deletions nixos/modules/security/polkit.nix
Expand Up @@ -83,16 +83,10 @@ in

security.pam.services.polkit-1 = {};

security.setuidPrograms = [ "pkexec" ];

security.setuidOwners = [
{ program = "polkit-agent-helper-1";
owner = "root";
group = "root";
setuid = true;
source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
}
];
security.wrappers = {
pkexec.source = "${pkgs.polkit.out}/bin/pkexec";
"polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
};

system.activationScripts.polkit =
''
81 changes: 0 additions & 81 deletions nixos/modules/security/setuid-wrapper.c

This file was deleted.
