[Nix-dev] Re: What about introducing security.packages?
Eelco Dolstra
e.dolstra at tudelft.nl
Sat Aug 20 18:03:28 CEST 2011
Hi,
On 08/20/2011 05:53 PM, Yury G. Kudryashov wrote:
>> Excerpts from Yury G. Kudryashov's message of Sat Aug 20 16:18:27 +0200
>> 2011:
>>> We have quite a few *.packages variables in NixOS: udev.packages,
>>> hal.packages, dbus.packages etc.
>>
>>> I see only one reason for separating these packages from system.packages:
>>
>> system.packages? Am I outdated or are you talking about
>> environment.systemPackages?
> Yes, you're right.
FWIW, packages in environment.systemPackages and root's profile also end
up in the DBus search path (but not, IIRC, the udev and polkit paths).
Maybe this should not be the case.
> * No more broken wrappers in /var/setuid-wrappers.
> E.g., I have no wodim in systemPackages but I have
> /var/setuid-wrappers/wodim.
>
> * If someone changes a package in nixpkgs so that the location of a binary
> changes, he sees that he should change 'suid request' accordingly.
Yes, this would be great. It could be done by creating a file
$out/nix-support/setuid-binaries specifying a list of packages that need
to be setuid/setgid <whatever>.
--
Eelco Dolstra | http://www.st.ewi.tudelft.nl/~dolstra/
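A sketch of the check such a per-package file would make possible, added here as an illustration and not taken from the message or from NixOS. The line format (`<relative path> <owner> <group> <mode>`) and the function names are assumptions, since the thread does not define the contents of `nix-support/setuid-binaries`.

```shell
#!/bin/sh
# Added example, not NixOS code. Assumed manifest format, one entry per line:
#   <path relative to package root> <owner> <group> <4-digit octal mode>
# Blank lines and lines starting with '#' are ignored.

# check_setuid_manifest PKG_DIR
# Prints "ok ..." or "broken ..." per entry; returns 1 if any entry is broken.
check_setuid_manifest() {
    pkg=$1
    manifest="$pkg/nix-support/setuid-binaries"
    rc=0
    [ -f "$manifest" ] || return 0      # package requests no setuid wrappers
    while read -r rel owner group mode || [ -n "$rel" ]; do
        case $rel in ''|'#'*) continue ;; esac
        case $rel in                    # refuse absolute paths and any ".."
            /*|*..*) echo "broken $rel (path escapes package)"; rc=1; continue ;;
        esac
        case $mode in
            [0-7][0-7][0-7][0-7]) ;;
            *) echo "broken $rel (bad mode '$mode')"; rc=1; continue ;;
        esac
        if [ -f "$pkg/$rel" ] && [ -x "$pkg/$rel" ]; then
            echo "ok $rel $owner:$group $mode"
        else
            echo "broken $rel (no such executable in package)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Constructed sample: the binary lives in sbin/, but the manifest still
# carries a stale request for bin/wodim (hypothetical relocation).
make_sample_pkg() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sbin" "$dir/nix-support"
    printf '#!/bin/sh\n' > "$dir/sbin/wodim"
    chmod +x "$dir/sbin/wodim"
    printf '%s\n' 'sbin/wodim root root 4755' 'bin/wodim root root 4755' \
        > "$dir/nix-support/setuid-binaries"
    echo "$dir"
}

sample=$(make_sample_pkg)
check_setuid_manifest "$sample" || echo "stale setuid request found"
rm -rf "$sample"
```

Run at build time, a check like this fails the package whose binary moved, so a stale request never reaches the wrapper directory.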