nixos/sway: Extend the descriptions and examples #33015
This'll hopefully make it a bit easier to get started with Sway and make some things about the module more obvious.
@@ -70,4 +80,6 @@ in | |||
fonts.enableDefaultFonts = mkDefault true; | |||
programs.dconf.enable = mkDefault true; | |||
}; | |||
|
|||
meta.maintainers = with lib.maintainers; [ gnidorah primeos ]; |
@gnidorah Quick question: Would you like to maintain this module? And is it ok if I add myself as well?
@primeos Sure, thanks.
@@ -56,7 +66,7 @@ in | |||
environment.systemPackages = [ swayJoined ] ++ cfg.extraPackages; | |||
security.wrappers.sway = { | |||
program = "sway-setcap"; | |||
source = "${sway}/bin/sway"; | |||
source = "${swayPackage}/bin/sway"; | |||
capabilities = "cap_sys_ptrace,cap_sys_tty_config=eip"; | |||
owner = "root"; | |||
group = "sway"; |
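Review bot: the `group = "sway";` line is the only thing limiting who can execute a binary that carries `cap_sys_ptrace` (see the `capabilities` line above it), and nothing in the hunk says that this is intentional. Add a short comment next to `group` explaining the restriction, and state in the option description that users must be members of the `sway` group to start Sway.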
permissions = "u+rx,g+rx";
@Mic92 BTW is there any specific reason to require the `sway` group here? Normally I would expect `user=root`, `group=root` and `u=rx,go=x` so that every user could execute Sway. Are there any security concerns or did I miss something else?
This would allow every user to get the `ptrace` capability and therefore potentially control every other process regardless of uid/gid (through ptracing sway). Therefore it should be handled with care.
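The concern raised in the reply above, as an added example that is not part of the original thread or the nixpkgs module: a Python check that decodes a `security.capability` xattr and flags a binary whose `cap_sys_ptrace` is reachable by every local user. The sample xattr bytes and both file modes are constructed; on a real system the bytes would come from `os.getxattr(path, "security.capability")` and the mode from `os.stat(path).st_mode`.

```python
import stat
import struct

# Capability bit numbers from linux/capability.h
CAP_SYS_PTRACE = 19
CAP_NAMES = {19: "cap_sys_ptrace", 26: "cap_sys_tty_config"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# vfs_cap_data revision -> number of (permitted, inheritable) u32 pairs
U32_PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def parse_file_caps(xattr: bytes) -> dict:
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian)."""
    if len(xattr) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", xattr, 0)
    pairs = U32_PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(xattr) < 4 + 8 * pairs:
        raise ValueError("unknown revision or truncated xattr")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", xattr, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable}


def cap_names(mask: int) -> list:
    """Translate a capability bitmask into names (unknown bits as cap_<n>)."""
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1]


def ptrace_exposed_to_all(mode: int, xattr: bytes) -> bool:
    """True if the file grants cap_sys_ptrace and 'other' may execute it."""
    caps = parse_file_caps(xattr)
    return bool(caps["permitted"] >> CAP_SYS_PTRACE & 1 and mode & stat.S_IXOTH)


# Constructed sample: cap_sys_ptrace,cap_sys_tty_config=eip, revision 2
BITS = (1 << 19) | (1 << 26)
SAMPLE = struct.pack("<5I", 0x02000001, BITS, BITS, 0, 0)
GROUP_ONLY = 0o550   # u+rx,g+rx with group sway, as in the module
WORLD_EXEC = 0o511   # u=rx,go=x, as proposed in the question

if __name__ == "__main__":
    print(cap_names(parse_file_caps(SAMPLE)["permitted"]))
    print("0550 exposed:", ptrace_exposed_to_all(GROUP_ONLY, SAMPLE))
    print("0511 exposed:", ptrace_exposed_to_all(WORLD_EXEC, SAMPLE))
```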