authorlassulus <lass@aidsballs.de>2016-02-16 17:15:00 +0100
committerlassulus <lass@aidsballs.de>2016-02-16 17:15:00 +0100
commit0b0b0d65ee05583529df831985580e392713d29a (patch)
tree7eb6799a996924d8e895c54633a47ea3d7a92a4c /krebs/3modules/setuid.nix
parent3d30e9cc9014ec6189410944015d3cd7d5ca95a6 (diff)
parentb7a92f63884af00eb0243ec9328be689a6c9b845 (diff)
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'krebs/3modules/setuid.nix')
-rw-r--r--krebs/3modules/setuid.nix75
1 files changed, 75 insertions, 0 deletions
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
new file mode 100644
index 000000000..1137788d8
--- /dev/null
+++ b/krebs/3modules/setuid.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+with config.krebs.lib;
+let
+ cfg = config.krebs.setuid;
+
+ out = {
+ options.krebs.setuid = api;
+ config = imp;
+ };
+
+ api = mkOption {
+ default = {};
+ type = let
+ # TODO make wrapperDir configurable
+ inherit (config.security) wrapperDir;
+ inherit (config.users) groups users;
+ in types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ name = mkOption {
+ type = types.filename;
+ default = config._module.args.name;
+ };
+ filename = mkOption {
+ type = mkOptionType {
+ # TODO unyuck string and merge with toC
+ name = "derivation or string";
+ check = x:
+ isDerivation x ||
+ isString x;
+ };
+ apply = toString;
+ };
+ owner = mkOption {
+ default = "root";
+ type = types.enum (attrNames users);
+ };
+ group = mkOption {
+ default = "root";
+ type = types.enum (attrNames groups);
+ };
+ mode = mkOption {
+ default = "4710";
+ type = mkOptionType {
+ # TODO admit symbolic mode
+ name = "octal mode";
+ check = x:
+ isString x &&
+ match "[0-7][0-7][0-7][0-7]" x != null;
+ };
+ };
+ activate = mkOption {
+ type = types.str;
+ visible = false;
+ readOnly = true;
+ };
+ };
+ config.activate = let
+ src = pkgs.execve config.name {
+ inherit (config) filename;
+ };
+ dst = "${wrapperDir}/${config.name}";
+ in ''
+ cp ${src} ${dst}
+ chown ${config.owner}.${config.group} ${dst}
+ chmod ${config.mode} ${dst}
+ '';
+ }));
+ };
+
+ imp = {
+ system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ]
+ (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
+ };
+
+in out
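Review bot: The three-step `cp`/`chown`/`chmod` in `config.activate` is not atomic, and if `${dst}` already exists `cp` writes into the existing inode, so whatever mode it carries (including a setuid bit from a previous activation, which root's CAP_FSETID keeps intact on write) stays set while the contents are being replaced; the final `chmod` then re-applies the bit regardless of what the file held in between. A single `install -o ${config.owner} -g ${config.group} -m ${config.mode} ${src} ${dst}` replaces the destination with a fresh file and applies owner, group and mode together, which also retires the `owner.group` form of chown whose `.` separator is ambiguous for user names containing dots (`:` is the documented separator). This may be partly masked if the NixOS "setuid" activation script this is ordered after recreates `wrapperDir` on each run, but the module should not rely on that. Whatever the sequence chosen, a comment above it such as `# dst may already exist from a previous activation; never leave a half-written setuid binary in place` would make the intent clear to the next maintainer.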