authormakefu <github@syntax-fehler.de>2026-02-11 22:13:33 +0100
committermakefu <github@syntax-fehler.de>2026-02-11 22:13:33 +0100
commit490e66008b3e2837589d0c60ecfb3358fbfb089d (patch)
treebea05b1e1c97dc2d74e5a871941381784e74cfba /krebs/3modules/setuid.nix
parentdce904dd1a33c8a2ca9f56b0f33f85f493eda499 (diff)
parent0122ded2137e568e771e753c0c3a17b1b20d9ca7 (diff)
Merge remote-tracking branch 'github/master'
Diffstat (limited to 'krebs/3modules/setuid.nix')
-rw-r--r--krebs/3modules/setuid.nix7
1 files changed, 6 insertions, 1 deletions
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index ce41548ae..d13fcccaa 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -33,7 +33,7 @@ let
};
capabilities = mkOption {
default = [];
- type = types.listOf types.str;
+ type = types.listOf types.str; # TODO
};
owner = mkOption {
default = "root";
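Review bot: The `# TODO` added on the `type` line of `capabilities` records no intent, so a later reader cannot tell whether it is about the element type, validation of the strings, or something else. Since these strings end up as the setcap argument later in the file, stating the goal would help, e.g. `type = types.listOf types.str; # TODO: restrict entries to valid capability clauses (enum or addCheck) instead of free-form str`. If the TODO means something different, say that instead.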
@@ -52,6 +52,8 @@ let
merge = mergeOneOption;
};
};
+ # TODO clear non-standard wrapperDirs
+ # TODO? allow only wrapperDirs below /run/wrappers?
wrapperDir = mkOption {
default = config.security.wrapperDir;
type = types.absolute-pathname;
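Review bot: The new TODO asks whether `wrapperDir` should be limited to paths below /run/wrappers, but as written the option still accepts any absolute pathname, and the chown/chmod/setcap steps later in the file act on whatever destination this option produces. If the answer to the TODO is yes, the type can carry the restriction directly, e.g. `type = types.addCheck types.absolute-pathname (hasPrefix "/run/wrappers/");`, which keeps the current default of `config.security.wrapperDir` valid in the usual configuration. If other locations are intentionally supported, the comment should say so and name which ones, so the open question does not linger.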
@@ -73,13 +75,16 @@ let
chown ${cfg.owner}:${cfg.group} ${dst}
chmod ${cfg.mode} ${dst}
${optionalString (cfg.capabilities != []) /* sh */ ''
+ set -x
${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
+ set +x
''}
'';
}));
};
imp = {
+ # run after "wrappers" so config.security.wrapperDir can be hijacked.
systemd.services."krebs.setuid" = {
wantedBy = [ "suid-sgid-wrappers.service" ];
after = [ "suid-sgid-wrappers.service" ];