summaryrefslogtreecommitdiffstats
path: root/tv/2configs
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2016-02-14 13:26:37 +0100
committertv <tv@krebsco.de>2016-02-14 13:26:37 +0100
commite890eb244af82ba678e894a84983db5057fbb60a (patch)
treeb902427fc2651d134d7ba8daf0d38ff4a94a968b /tv/2configs
parentc1a9a89c9a211b48bb04f1862a216bb5d444c3a2 (diff)
krebs.setuid: init
Diffstat (limited to 'tv/2configs')
-rw-r--r--tv/2configs/xu-qemu0.nix44
1 files changed, 14 insertions, 30 deletions
diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix
index 9962ca56a..df35f5c3f 100644
--- a/tv/2configs/xu-qemu0.nix
+++ b/tv/2configs/xu-qemu0.nix
@@ -79,7 +79,7 @@ with lib;
${pkgs.kvm}/bin/qemu-img create "$img" 10G
fi
exec ${pkgs.kvm}/bin/qemu-kvm \
- -monitor unix:$HOME/tmp/xu-qemu0.sock,server,nowait \
+ -monitor unix:$HOME/tmp/xu-qemu0-monitor.sock,server,nowait \
-boot order=cd \
-cdrom ${pkgs.fetchurl {
url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso;
@@ -95,36 +95,20 @@ with lib;
};
};
- system.activationScripts."krebs.setuid.xu-qemu0-monitor" = stringAfter [ "setuid" ] ''
- src=${pkgs.execve "xu-qemu0-monitor" {
- # TODO toC should handle derivation, then we don't have to "${...}" here
- filename = "${pkgs.writeDash "xu-qemu0-monitor" ''
- exec ${pkgs.socat}/bin/socat \
- stdio \
- UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0.sock \
- ''}";
- }}
- dst=${config.security.wrapperDir}/xu-qemu0-monitor
- cp "$src" "$dst"
- chown xu-qemu0.tv "$dst"
- chmod 4710 "$dst"
- '';
+ krebs.setuid.xu-qemu0-monitor = {
+ filename = pkgs.writeDash "xu-qemu0-monitor" ''
+ exec ${pkgs.socat}/bin/socat \
+ stdio \
+ UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0-monitor.sock \
+ '';
+ owner = "xu-qemu0";
+ group = "tv";
+ };
- #TODO krebs.setuid.qemu-bridge-helper = {
- # filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
- # owner = "root";
- # group = "qemu-users";
- # mode = "4710";
- #};
- system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ] ''
- src=${pkgs.execve "qemu-bridge-helper" {
- filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
- }}
- dst=${config.security.wrapperDir}/qemu-bridge-helper
- cp "$src" "$dst"
- chown root.qemu-users "$dst"
- chmod 4710 "$dst"
- '';
+ krebs.setuid.qemu-bridge-helper = {
+ filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
+ group = "qemu-users";
+ };
users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq";