[Nix-dev] setuid wrappers permissions

Sat, 03 Sep 2016 13:46:56 -0700 

The new setuid-wrappers in /run cannot be executed by users due to:

1) the temporary directory does not allow access
2) the /run is mounted nosuid

The attached patch prepares the permissions and mount options so users
can execute the suid wrappers.

>From 145545fa79bd5d8bd6e16edb3e0eb6a0e8fd2215 Mon Sep 17 00:00:00 2001
From: Karn Kallio <[email protected]>
Date: Sat, 3 Sep 2016 16:42:09 -0400
Subject: [PATCH] setuid-wrappers : Prepare permissions for running wrappers.

---
 nixos/modules/security/setuid-wrappers.nix | 1 +
 nixos/modules/tasks/filesystems.nix        | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/security/setuid-wrappers.nix b/nixos/modules/security/setuid-wrappers.nix
index e1dca47..dcccd83 100644
--- a/nixos/modules/security/setuid-wrappers.nix
+++ b/nixos/modules/security/setuid-wrappers.nix
@@ -117,6 +117,7 @@ in
 
           mkdir -p /run/setuid-wrapper-dirs
           wrapperDir=$(mktemp --directory --tmpdir=/run/setuid-wrapper-dirs setuid-wrappers.XXXXXXXXXX)
+          chmod a+rx $wrapperDir
 
           ${concatMapStrings makeSetuidWrapper setuidPrograms}
 
diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix
index 9ab1bae..a66ece1 100644
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@@ -287,7 +287,7 @@ in
     boot.specialFileSystems = {
       "/proc" = { fsType = "proc"; options = [ "nosuid" "noexec" "nodev" ]; };
       "/sys" = { fsType = "sysfs"; options = [ "nosuid" "noexec" "nodev" ]; };
-      "/run" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
+      "/run" = { fsType = "tmpfs"; options = [ "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
       "/dev" = { fsType = "devtmpfs"; options = [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ]; };
       "/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; };
       "/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "gid=${toString config.ids.gids.tty}" ]; };
-- 
2.9.3


_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Reply via email to