summaryrefslogtreecommitdiffstats
path: root/krebs/3modules/setuid.nix
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2016-02-15 17:07:48 +0100
committermakefu <github@syntax-fehler.de>2016-02-15 17:07:48 +0100
commit3ceff0ec29a36119ea83f02c8943752d91b250e9 (patch)
tree7b179bc972ea01c9305ea64697e14237346885d8 /krebs/3modules/setuid.nix
parent9a4071b66ff45e99a30e9a314eb43c6efc7e921f (diff)
parent372f2d77f301719e396a6f943657325e2f8b2cf4 (diff)
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'krebs/3modules/setuid.nix')
-rw-r--r--krebs/3modules/setuid.nix75
1 files changed, 75 insertions, 0 deletions
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
new file mode 100644
index 000000000..1137788d8
--- /dev/null
+++ b/krebs/3modules/setuid.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+with config.krebs.lib;
+let
+ cfg = config.krebs.setuid;
+
+ out = {
+ options.krebs.setuid = api;
+ config = imp;
+ };
+
+ api = mkOption {
+ default = {};
+ type = let
+ # TODO make wrapperDir configurable
+ inherit (config.security) wrapperDir;
+ inherit (config.users) groups users;
+ in types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ name = mkOption {
+ type = types.filename;
+ default = config._module.args.name;
+ };
+ filename = mkOption {
+ type = mkOptionType {
+ # TODO unyuck string and merge with toC
+ name = "derivation or string";
+ check = x:
+ isDerivation x ||
+ isString x;
+ };
+ apply = toString;
+ };
+ owner = mkOption {
+ default = "root";
+ type = types.enum (attrNames users);
+ };
+ group = mkOption {
+ default = "root";
+ type = types.enum (attrNames groups);
+ };
+ mode = mkOption {
+ default = "4710";
+ type = mkOptionType {
+ # TODO admit symbolic mode
+ name = "octal mode";
+ check = x:
+ isString x &&
+ match "[0-7][0-7][0-7][0-7]" x != null;
+ };
+ };
+ activate = mkOption {
+ type = types.str;
+ visible = false;
+ readOnly = true;
+ };
+ };
+ config.activate = let
+ src = pkgs.execve config.name {
+ inherit (config) filename;
+ };
+ dst = "${wrapperDir}/${config.name}";
+ in ''
+ cp ${src} ${dst}
+ chown ${config.owner}.${config.group} ${dst}
+ chmod ${config.mode} ${dst}
+ '';
+ }));
+ };
+
+ imp = {
+ system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ]
+ (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
+ };
+
+in out