author | tv <tv@krebsco.de> | 2016-05-25 11:29:20 +0200 |
committer | tv <tv@krebsco.de> | 2016-05-25 11:29:20 +0200 |
commit | 8ec65b04dc5010f910bf67f1db8a78bd844202b0 (patch) | |
tree | edfdd043de9259a7cf4c349794e0ecb04729cd3a /tv | |
parent | 6370d2c2e2249f04202b88b35d0c945ce38b5fb8 (diff) |
tv ff: use abspath to sudo
Diffstat (limited to 'tv')
-rw-r--r-- | tv/2configs/xserver/default.nix | 2 | ||||
-rw-r--r-- | tv/5pkgs/ff/default.nix | 10 |
2 files changed, 8 insertions, 4 deletions
diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix
index a4f2499ff..965c3bbe1 100644
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
@@ -18,7 +18,7 @@ in {
 pkgs.xlibs.fontschumachermisc
 ];
- # TODO dedicated group, i.e. with a single user
+ # TODO dedicated group, i.e. with a single user [per-user-setuid]
 # TODO krebs.setuid.slock.path vs /var/setuid-wrappers
 krebs.setuid.slock = {
 filename = "${pkgs.slock}/bin/slock";
diff --git a/tv/5pkgs/ff/default.nix b/tv/5pkgs/ff/default.nix
index 2db404030..b1d2c579a 100644
--- a/tv/5pkgs/ff/default.nix
+++ b/tv/5pkgs/ff/default.nix
@@ -1,8 +1,12 @@
 { pkgs, ... }:
-pkgs.writeScriptBin "ff" ''
- #! ${pkgs.bash}/bin/bash
- exec sudo -u ff -i <<EOF
+# TODO use krebs.setuid
+# This requires that we can create setuid executables that can only be accessed
+# by a single user. [per-user-setuid]
+
+# using bash for %q
+pkgs.writeBashBin "ff" ''
+ exec /var/setuid-wrappers/sudo -u ff -i <<EOF
 exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@")
 EOF
 '' |
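Review bot: In the new `exec /var/setuid-wrappers/sudo -u ff -i <<EOF` line the heredoc is expanded by the wrapper's bash (hence `%q`), but its body is then executed by the ff user's login shell, and `printf %q` emits bash-specific forms such as `$'...'` for arguments containing newlines or other non-printable bytes; if ff's login shell is not bash those arguments are re-split or mis-quoted before reaching firefox. The `# using bash for %q` comment only explains the producer side, so I would extend it to `# using bash for %q; the heredoc is run by ff's login shell, which must also understand bash %q quoting`, or pin the consumer as well with `exec /var/setuid-wrappers/sudo -u ff -i ${pkgs.bash}/bin/bash -s <<EOF` (assuming the sudoers rule for ff allows that command). Also worth a sentence in the comment is why the absolute wrapper path is used, i.e. that the wrapper is what carries the setuid bit and that PATH is deliberately not consulted, since the first hunk's TODO notes the krebs.setuid vs /var/setuid-wrappers question is still open.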