nixos/security/wrappers: add more context to enableWrappers description

nikstur
2026-06-04 14:22:37 +02:00
parent 697f978c33
commit f59623d121


@@ -181,8 +181,23 @@ in
###### interface
options = {
security.enableWrappers = lib.mkEnableOption "SUID/SGID wrappers" // {
security.enableWrappers = lib.mkEnableOption "" // {
default = true;
description = ''
Whether to enable SUID/SGID wrappers.
::: {.warning}
ONLY DISABLE THIS OPTION IF YOU KNOW WHAT YOU'RE DOING.
:::
A normal interactive NixOS system requires SUID/SGID wrappers (e.g. for
PAM and sudo). Disabling them, thus will lock you out from your system.
Disabling the SUID/SGID binaries is useful for non-interactive systems
(like a firewall appliance) to minimize the attack surface. In the
future, this might become available for interactive systems as well
(e.g. with systemd's [run0](https://www.freedesktop.org/software/systemd/man/latest/run0)).
'';
};
security.wrappers = lib.mkOption {