From 2d7616fb3070fc5aeb2b3f5cc7082dcf21714a6f Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 20 Feb 2017 22:39:19 +0100
Subject: Fix setuid-wrappers path
---
 custom/tinc/def.nix | 2 +-
 custom/uucp.nix | 6 +++---
 hel.nix | 10 +++++-----
 hel/recv-media.nix | 3 ++-
 ymir.nix | 8 ++++----
 5 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/custom/tinc/def.nix b/custom/tinc/def.nix
index 58c5237c..a3bb00a0 100644
--- a/custom/tinc/def.nix
+++ b/custom/tinc/def.nix
@@ -18,7 +18,7 @@ in
 networks = mkOption {
 default = { };
- type = types.loaOf types.optionSet;
+ type = types.loaOf types.submodule;
 description = ''
 Defines the tinc networks which will be started.
 Each network invokes a different daemon.
diff --git a/custom/uucp.nix b/custom/uucp.nix
index c69d15c5..0b4b1306 100644
--- a/custom/uucp.nix
+++ b/custom/uucp.nix
@@ -237,7 +237,7 @@ in {
 choices as appropriate. */
 #if 1
 -#define MAIL_PROGRAM "/usr/lib/sendmail -t"
- +#define MAIL_PROGRAM "/var/setuid-wrappers/sendmail -t"
+ +#define MAIL_PROGRAM "${config.security.wrapperDir}/sendmail -t"
 /* #define MAIL_PROGRAM "/usr/sbin/sendmail -t" */
 #define MAIL_PROGRAM_TO_BODY 1
 #define MAIL_PROGRAM_SUBJECT_BODY 1
@@ -256,7 +256,7 @@ in {
 *) from="$from@$relay";;
 esac
- exec /var/setuid-wrappers/sendmail -G -i -f "$from" -- "$@"
+ exec ${config.security.wrapperDir}/sendmail -G -i -f "$from" -- "$@"
 '';
 };
@@ -264,6 +264,6 @@ in {
 uucp
 ];
- services.cron.systemCronJobs = (map (name: "${config.services.uucp.interval} /var/setuid-wrappers/uucico -D -S ${name}") (if (config.services.uucp.interval != null) then config.services.uucp.remoteNodes else []));
+ services.cron.systemCronJobs = (map (name: "${config.services.uucp.interval} ${config.security.wrapperDir}/uucico -D -S ${name}") (if (config.services.uucp.interval != null) then config.services.uucp.remoteNodes else []));
 };
 }
diff --git a/hel.nix b/hel.nix
index 4e528bba..a7b34fe4 100644
--- a/hel.nix
+++ b/hel.nix
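Review bot: The new `type = types.loaOf types.submodule;` line in custom/tinc/def.nix passes the submodule constructor itself as the element type, not a type value; `types.submodule` has to be applied to a module, presumably `types.loaOf (types.submodule { options = { ... }; })` with the per-network options that `optionSet` used to pick up from the surrounding `mkOption` moved inside, otherwise evaluating `networks` is likely to fail as soon as a network is defined. This replacement is also unrelated to the setuid-wrappers path change the subject announces and would be easier to review as its own commit. The enclosing `mkOption { ... }` continues past the hunk.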
@@ -176,8 +176,8 @@
 nodeName = "hel";
 remoteNodes = ["isaac" "ymir"]; # legacy name for odin
 sshUser = {
- openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir''
- ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${pkgs.writeScript "odin.sh" "#!${pkgs.stdenv.shell}\necho .\nexec -a uucico /var/setuid-wrappers/uucico\n"}" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhACtnt9+3j2ev4QVA2QBlPtblPnu7yol2njgfMlHtC uucp@odin''
+ openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${config.security.wrapperDir}/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir''
+ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${pkgs.writeScript "odin.sh" "#!${pkgs.stdenv.shell}\necho .\nexec -a uucico ${config.security.wrapperDir}/uucico\n"}" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhACtnt9+3j2ev4QVA2QBlPtblPnu7yol2njgfMlHtC uucp@odin''
 ];
 };
 sshConfig = ''
@@ -188,7 +188,7 @@
 Hostname ymir.niflheim.yggdrasil
 IdentityFile ~/.ssh/ymir
 '';
- commandPath = [ "${pkgs.callPackage ./hel/recv-media.nix {}}/bin" "/var/setuid-wrappers/" ];
+ commandPath = [ "${pkgs.callPackage ./hel/recv-media.nix {}}/bin" config.security.wrapperDir ];
 defaultCommands = [];
 commands = {
 "isaac" = ["recv-media" "notify-gkleen"];
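Review bot: The forced-command entries on the new `openssh.authorizedKeys.keys` lines still permit a pty allocation, which a uucico forced command never needs; the option list should also carry `no-pty`, or simply `restrict` on OpenSSH 7.2 and later, which disables all of these and any future ones by default, e.g. `''restrict,command="${config.security.wrapperDir}/uucico" ssh-ed25519 AAAA… uucp@ymir''`. The same applies to the odin.sh entry below it and to both keys in the `@@ -692,8 +692,8 @@` hunk of ymir.nix. Since the commit is already touching every one of these lines, this is the cheapest moment to tighten them. The enclosing `sshUser = { ... }` set closes inside the hunk, but the uucp service block it belongs to starts before it.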
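Review bot: The new `commandPath` line still calls `pkgs.callPackage ./hel/recv-media.nix {}` with no `wrapperDir`, so recv-media falls back to the `"/run/wrappers/bin"` default this commit adds in hel/recv-media.nix rather than following `config.security.wrapperDir`, and the two will silently diverge if the option is ever changed; pass it through the same way notify-user.nix is given it, `"${pkgs.callPackage ./hel/recv-media.nix { inherit (config.security) wrapperDir; }}/bin"`. The replaced entry had a trailing slash (`"/var/setuid-wrappers/"`) and `config.security.wrapperDir` presumably does not; that is harmless if these entries end up as whitespace-separated directories in uucp's sys file, but worth confirming against how `commandPath` is rendered. The surrounding uucp service definition starts and ends outside the hunk.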
@@ -209,7 +209,7 @@
 relayHost = "uucp:ymir";
 recipientDelimiter = "+";
 extraMasterConf = ''
- uucp unix - n n - - pipe flags=Fqhu user=uucp argv=/var/setuid-wrappers/uux -z -a $sender - $nexthop!rmail ($recipient)
+ uucp unix - n n - - pipe flags=Fqhu user=uucp argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)
 sshsendmail unix - n n - - pipe flags=Fq user=postfix_ssh argv=${pkgs.openssh}/bin/ssh -F /var/db/postfix_ssh/ssh.config $nexthop sendmail -f $sender -G $recipient
 '';
 transport = ''
@@ -361,7 +361,7 @@
 setgid = true;
 setuid = true;
 permissions = "u+rx,g+x,o+x";
- source = ''${pkgs.callPackage ./custom/notify-user.nix { inherit (pkgs.haskellPackages) ghcWithPackages; }}/bin/notify-gkleen'';
+ source = ''${pkgs.callPackage ./custom/notify-user.nix { inherit (pkgs.haskellPackages) ghcWithPackages; inherit (config.security) wrapperDir}}/bin/notify-gkleen'';
 };
 };
diff --git a/hel/recv-media.nix b/hel/recv-media.nix
index 52d5bae6..a074e76b 100644
--- a/hel/recv-media.nix
+++ b/hel/recv-media.nix
@@ -6,6 +6,7 @@
 , showTitle ? true
 , ffmpeg ? null
 , gnused ? null
+, wrapperDir ? "/run/wrappers/bin"
 }:
 assert showTitle -> ffmpeg != null && gnused != null && notifyUser != null;
@@ -15,7 +16,7 @@ writeScriptBin "recv-media" ''
 pid=$?
- PATH=${eject}/bin:${coreutils}/bin:${if showTitle then ''${ffmpeg}/bin:${gnused}/bin:'' else ""}/var/setuid-wrappers
+ PATH=${eject}/bin:${coreutils}/bin:${if showTitle then ''${ffmpeg}/bin:${gnused}/bin:'' else ""}${wrapperDir}
 exec 1> >(logger --id=$pid -t recv-media -p user.notice)
 exec 2> >(logger --id=$pid -t recv-media -p user.error)
diff --git a/ymir.nix b/ymir.nix
index a6967749..5dfa265e 100644
--- a/ymir.nix
+++ b/ymir.nix
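Review bot: The new `source =` line in the `@@ -361,7 +361,7 @@` hunk of hel.nix is not valid Nix: `inherit (config.security) wrapperDir}}` lacks the `;` that terminates every binding in an attribute set, so hel.nix stops parsing and the setuid/setgid `notify-gkleen` wrapper configured just above is never built; it should read `inherit (pkgs.haskellPackages) ghcWithPackages; inherit (config.security) wrapperDir; }}/bin/notify-gkleen`. custom/notify-user.nix is not in the diffstat, so unless it already declares a `wrapperDir` formal argument (or accepts `...`), `callPackage` will also reject the explicitly passed `wrapperDir` as an unexpected argument; hel/recv-media.nix gained that parameter in this commit, notify-user.nix did not. Because this wrapper is setuid and setgid, it is worth re-evaluating the configuration after the fix to confirm the wrapper is actually produced with the intended `permissions`. The enclosing wrapper attribute set starts before the hunk.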
@@ -500,7 +500,7 @@ in rec {
 recipient_canonical_classes= envelope_recipient,header_recipient
 '';
 extraMasterConf = ''
- uucp unix - n n - - pipe flags=Fqhu user=uucp argv=/var/setuid-wrappers/uux -z -a $sender - $nexthop!rmail ($recipient)
+ uucp unix - n n - - pipe flags=Fqhu user=uucp argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)
 mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-receive -F -L /var/spool/lists/''${user}
 mlmmj-subs unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj-exposed}/bin/mlmmj-exposed /var/spool/lists/''${user} ''${extension}
 policy-spf unix - n n - - spawn user=nobody argv=${pkgs.pythonPackages.pypolicyd-spf}/bin/policyd-spf ${./ymir/spf.conf}
@@ -551,7 +551,7 @@ in rec {
 selector = "ymir";
 configFile = builtins.toFile "opendkim.conf" ''
 Syslog true
- MTACommand /var/setuid-wrappers/sendmail
+ MTACommand ${config.security.wrapperDir}/sendmail
 LogResults true
 '';
 };
@@ -692,8 +692,8 @@ in rec {
 nodeName = "ymir";
 remoteNodes = ["isaac" "hel"]; # legacy name for odin
 sshUser = {
- openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgtDHA7oDIaRwggGGznNaKZF68rFTziqefSCn1t9ZKe uucp@odin''
- ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWBybBQKbPucqBgULQ1phv7IKFWl1Xc4drkCx3D5mIz uucp@hel''
+ openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${config.security.wrapperDir}/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgtDHA7oDIaRwggGGznNaKZF68rFTziqefSCn1t9ZKe uucp@odin''
+ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${config.security.wrapperDir}/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWBybBQKbPucqBgULQ1phv7IKFWl1Xc4drkCx3D5mIz uucp@hel''
 ];
 };
 sshConfig = ''
--
cgit v1.2.3