nixos/shadow: use file capabilities for newuidmap/newgidmap (#510829)

Grimmauld
2026-06-01 19:11:38 +00:00
committed by GitHub
2 changed files with 12 additions and 3 deletions


@@ -26,4 +26,4 @@
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Create the first release note entry in this section!
- The `newuidmap` and `newgidmap` security wrappers are now installed with `cap_setuid`/`cap_setgid` file capabilities instead of the setuid-root bit, matching shadow's `--with-fcaps` install mode and other major distributions. Rootless containers (podman, docker-rootless, unprivileged user namespaces) are unaffected. The only behavioural change is that mapping host uid 0 via `/etc/subuid` (which NixOS never configures by default) additionally requires `cap_setfcap`; users who explicitly grant uid 0 in a subuid range can restore the previous behaviour with `security.wrappers.newuidmap.capabilities = lib.mkForce "cap_setuid,cap_setfcap+ep";`.


@@ -267,13 +267,22 @@ in
group = "root";
inherit source;
};
mkCapRoot = capabilities: source: {
inherit capabilities source;
owner = "root";
group = "root";
};
in
{
su = mkSetuidRoot "${config.security.shadow.su.package}/bin/su";
sg = mkSetuidRoot "${cfg.package.out}/bin/sg";
newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp";
newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap";
# File capabilities instead of setuid root, mirroring shadow's
# own --with-fcaps install mode and what Arch/Fedora/Debian ship.
# The kernel only requires CAP_SETUID/CAP_SETGID over the parent
# userns to write a multi-line /proc/<pid>/[ug]id_map.
newuidmap = mkCapRoot "cap_setuid+ep" "${cfg.package.out}/bin/newuidmap";
newgidmap = mkCapRoot "cap_setgid+ep" "${cfg.package.out}/bin/newgidmap";
}
// lib.optionalAttrs config.users.mutableUsers {
chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";
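Review bot: The new comment above the `newuidmap`/`newgidmap` entries says the kernel only needs CAP_SETUID/CAP_SETGID over the parent userns, but the release note in this same commit states that mapping host uid 0 additionally requires cap_setfcap, and that condition is absent from the module, which is where an operator debugging a failing `newuidmap` will look first. Add it beside the existing comment, e.g. `# Exception: mapping host uid/gid 0 into a namespace also needs cap_setfcap; override security.wrappers.newuidmap.capabilities (and newgidmap) if a subuid/subgid range includes 0.` `mkCapRoot` sets `owner`/`group` but no `permissions`, so the wrapper falls back to whatever default the wrappers module applies; presumably that matches the old `mkSetuidRoot` path, but it is worth confirming, since file capabilities take effect for every user who can execute the file. The `let` block defining `mkSetuidRoot`/`mkCapRoot` starts before the hunk and the attribute set continues past it.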