[Nix-dev] What about introducing security.packages?
Nicolas Pierron
nicolas.b.pierron at gmail.com
Sun Aug 21 16:19:47 CEST 2011
Hi Yury,
On Sat, Aug 20, 2011 at 16:18, Yury G. Kudryashov
<urkud.urkud at gmail.com> wrote:
> We have quite a few *.packages variables in NixOS: udev.packages,
> hal.packages, dbus.packages etc.
>
> I see only one reason for separating these packages from system.packages:
> programs/config files/... supplied by these packages are likely to be
> executed/readed by a daemon running under root priveledges.
>
> I propose to merge these variables into one variable (say,
> security.packages). If nobody objects, I'll start working on this.
You propose to replace udev.packages, hal.packages and dbus.packages
by one list of packages. I consider this merge as being unneeded and
non-modular. Each module should only use its own option definitions
and declare options of its dependencies, thus udev daemon module
*must* provide packages option. Thus users can define only this one
(and I don't want to know why). Sadly the module system does not
enforce that yet.
If you want to provide an abstraction layer over the 3 options, go
ahead, the expression will look like that:
{ config, pkgs, ... }:
{
options = {
security.packages = pkgs.lib.MkOption { ... };
};
config = {
services.udev.packages = config.security.packages;
services.hal.packages = config.security.packages;
services.dbus.packages = config.security.packages;
};
}
> Also I'd like to change the way /var/setuid-wrappers list is generated.
> I propose the following way: packages in nixpkgs advertise that they need
> given binary to be wrapped as setuid. For each package in security.packages,
> we create all wrappers requested by these packages. This will solve the
> problem of setuid-wrappers that point to a non-existent binary in "default"
> profile.
This is a good idea and a good default, but you *must* keep the
ability to define setuid-wrapper out-side of the default scope. As
Marc Weber, you can do the same for udev, hal, and dbus.
--
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
More information about the nix-dev
mailing list