cba92bbdf1
program. The Nix store cannot directly support setuid binaries for a number of reasons: - Builds are generally not performed as root (and they shouldn't be), so the builder cannot chown/chmod executables to the right setuid ownership. - Unpacking a NAR archive containing a setuid binary would only work when Nix is run as root. - Worst of all, setuid binaries don't fit in the purely functional model: if a security bug is discovered in a setuid binary, that binary should be removed from the system to prevent users from calling it. But we cannot garbage collect it unless all references to it are gone, which might never happen. Of course, we could just remove setuid permission, but that would also be impure. So the solution is to keep setuid-ness out of the Nix store. Rather, for programs that we want to execute as setuid, we generate wrapper programs (as root) that are setuid and do an execve() to call the real, non-setuid program in the Nix store. That's what setuid-wrapper does. It determines its own name (e.g., /var/setuid-wrappers/passwd), reads the name of the wrapped program from <self>.real (e.g., /var/setuid-wrappers/passwd.real, which might contain /nix/var/nix/profiles/system/bin/passwd), and executes it. Thus, the non-setuid passwd in the Nix store would be executed with the effective user set to root. Setuid-wrapper also performs a few security checks to prevent it from reading a fake <self>.real file through hard-linking tricks. svn path=/nixos/trunk/; revision=7157 |
||
---|---|---|
.. | ||
setuid | ||
isolinux.cfg | ||
make-iso9660-image.nix | ||
make-iso9660-image.sh | ||
modules-closure.nix | ||
modules-closure.sh | ||
paths-from-graph.sh | ||
unpack-theme.nix | ||
unpack-theme.sh |