summaryrefslogtreecommitdiffstats
path: root/krebs/3modules/setuid.nix
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2016-02-14 13:26:37 +0100
committertv <tv@krebsco.de>2016-02-14 13:26:37 +0100
commite890eb244af82ba678e894a84983db5057fbb60a (patch)
treeb902427fc2651d134d7ba8daf0d38ff4a94a968b /krebs/3modules/setuid.nix
parentc1a9a89c9a211b48bb04f1862a216bb5d444c3a2 (diff)
krebs.setuid: init
Diffstat (limited to 'krebs/3modules/setuid.nix')
-rw-r--r--krebs/3modules/setuid.nix75
1 files changed, 75 insertions, 0 deletions
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
new file mode 100644
index 000000000..22123c926
--- /dev/null
+++ b/krebs/3modules/setuid.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ cfg = config.krebs.setuid;
+
+ out = {
+ options.krebs.setuid = api;
+ config = imp;
+ };
+
+ api = mkOption {
+ default = {};
+ type = let
+ # TODO make wrapperDir configurable
+ inherit (config.security) wrapperDir;
+ inherit (config.users) groups users;
+ in types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ name = mkOption {
+ type = types.filename;
+ default = config._module.args.name;
+ };
+ filename = mkOption {
+ type = mkOptionType {
+ # TODO unyuck string and merge with toC
+ name = "derivation or string";
+ check = x:
+ isDerivation x ||
+ isString x;
+ };
+ apply = toString;
+ };
+ owner = mkOption {
+ default = "root";
+ type = types.enum (attrNames users);
+ };
+ group = mkOption {
+ default = "root";
+ type = types.enum (attrNames groups);
+ };
+ mode = mkOption {
+ default = "4710";
+ type = mkOptionType {
+ # TODO admit symbolic mode
+ name = "octal mode";
+ check = x:
+ isString x &&
+ match "[0-7][0-7][0-7][0-7]" x != null;
+ };
+ };
+ activate = mkOption {
+ type = types.str;
+ visible = false;
+ readOnly = true;
+ };
+ };
+ config.activate = let
+ src = pkgs.execve config.name {
+ inherit (config) filename;
+ };
+ dst = "${wrapperDir}/${config.name}";
+ in ''
+ cp ${src} ${dst}
+ chown ${config.owner}.${config.group} ${dst}
+ chmod ${config.mode} ${dst}
+ '';
+ }));
+ };
+
+ imp = {
+ system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ]
+ (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
+ };
+
+in out