[Nix-dev] Re: What about introducing security.packages?
Yury G. Kudryashov
urkud.urkud at gmail.com
Sat Aug 20 17:53:22 CEST 2011
Marc Weber wrote:
> Excerpts from Yury G. Kudryashov's message of Sat Aug 20 16:18:27 +0200
> 2011:
>> We have quite a few *.packages variables in NixOS: udev.packages,
>> hal.packages, dbus.packages etc.
>
>> I see only one reason for separating these packages from system.packages:
>
> system.packages? Am I outdated or are you talking about
> environment.systemPackages?
Yes, you're right.
>> programs/config files/... supplied by these packages are likely to be
>> executed/readed by a daemon running under root priveledges.
>
>> I propose to merge these variables into one variable (say,
>> security.packages). If nobody objects, I'll start working on this.
> What exactly are you trying to do?
My goal is to avoid the situation when someone adds a package to
dbus.packages but not to udev.packages.
> Eg in the "dbus" case I had the
> understanding that services.dbus.packages is a list of packages
> providing dbus services. Because the relation between services and
> packages providing service configurations is n:m I don't see
> that your solution is going to improve anything?
>
> I mean if a package provides two services having security.packages will
> not allow you to use one only (Not sure if you need this feature at
> all).
Using dbus.packages does not allow me to achieve this goal as well.
Theoretically, one can create a package that will symlink only one of these
packages, and add this package (with one symlink) to security.packages.
>> Also I'd like to change the way /var/setuid-wrappers list is generated.
>> I propose the following way: packages in nixpkgs advertise that they need
>> given binary to be wrapped as setuid. For each package in
>> security.packages, we create all wrappers requested by these packages.
> Which will change "opt-in" to "opt-in automatically if condition" where
> condition means something like "package has been added to
> environment.systemPackages" ?
Condition is "package has been added to security.packages, i.e. marked as a
trusted package".
Advantages are:
* No more broken wrappers in /var/setuid-wrappers.
E.g., I have no wodim in systemPackages but I have /var/setuid-
wrappers/wodim.
* If someone changes a package in nixpkgs so that the location of a binary
is changes, he sees that he should change 'suid request' accordingly.
--
Yury G. Kudryashov,
mailto: urkud at mccme.ru
More information about the nix-dev
mailing list