[Nix-dev] Re: What about introducing security.packages?

Yury G. Kudryashov urkud.urkud at gmail.com
Sat Aug 20 17:53:22 CEST 2011


Marc Weber wrote:

> Excerpts from Yury G. Kudryashov's message of Sat Aug 20 16:18:27 +0200
> 2011:
>> We have quite a few *.packages variables in NixOS: udev.packages,
>> hal.packages, dbus.packages etc.
>  
>> I see only one reason for separating these packages from system.packages:
> 
> system.packages? Am I outdated or are you talking about
> environment.systemPackages?
Yes, you're right.
>> programs/config files/... supplied by these packages are likely to be
>> executed/read by a daemon running under root privileges.
>  
>> I propose to merge these variables into one variable (say,
>> security.packages). If nobody objects, I'll start working on this.

> What exactly are you trying to do?
My goal is to avoid the situation when someone adds a package to 
dbus.packages but not to udev.packages.

> Eg in the "dbus" case I had the
> understanding that services.dbus.packages is a list of packages
> providing dbus services. Because the relation between services and
> packages providing service configurations is n:m I don't see
> that your solution is going to improve anything?
> 
> I mean if a package provides two services having security.packages will
> not allow you to use one only (Not sure if you need this feature at
> all).
Using dbus.packages does not allow me to achieve this goal as well. 
Theoretically, one can create a package that will symlink only one of these 
packages, and add this package (with one symlink) to security.packages.

>> Also I'd like to change the way /var/setuid-wrappers list is generated.
>> I propose the following way: packages in nixpkgs advertise that they need
>> given binary to be wrapped as setuid. For each package in
>> security.packages, we create all wrappers requested by these packages.

> Which will change "opt-in" to "opt-in automatically if condition" where
> condition means something like "package has been added to
> environment.systemPackages" ?
Condition is "package has been added to security.packages, i.e. marked as a 
trusted package".
Advantages are:

 * No more broken wrappers in /var/setuid-wrappers.
E.g., I have no wodim in systemPackages but I have
/var/setuid-wrappers/wodim.

 * If someone changes a package in nixpkgs so that the location of a binary 
is changed, he sees that he should change 'suid request' accordingly.
-- 
Yury G. Kudryashov,
mailto: urkud at mccme.ru
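
The first advantage listed in the message concerns wrappers left in /var/setuid-wrappers for programs that are not installed. As an added example (not part of the original message and not NixOS code), the shell function below lists such entries. It assumes that each wrapper NAME has a sibling file NAME.real holding the path of the real binary, a layout the message does not state.

```shell
#!/bin/sh
# Added example: report setuid wrappers whose recorded target is gone.
# ASSUMPTION (not from the message): every wrapper NAME in the directory has a
# sibling file NAME.real that contains the absolute path of the real binary.
#
# Usage: audit_wrappers /var/setuid-wrappers
# Prints one line per problem as "<name>: <reason>".
# Returns 0 when every wrapper resolves to an executable file, 1 otherwise.
audit_wrappers() {
    dir=$1
    bad=0
    for wrapper in "$dir"/*; do
        [ -e "$wrapper" ] || continue             # empty directory: glob did not match
        case $wrapper in *.real) continue ;; esac # skip the target-path files themselves
        name=${wrapper##*/}
        real_file=$wrapper.real
        if [ ! -f "$real_file" ]; then
            echo "$name: no .real file"
            bad=1
            continue
        fi
        target=$(cat "$real_file")
        if [ -z "$target" ]; then
            echo "$name: empty target"
            bad=1
        elif [ ! -x "$target" ] || [ -d "$target" ]; then
            echo "$name: target missing or not executable: $target"
            bad=1
        fi
    done
    return $bad
}
```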



