nathan/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2026-06-05 21:03:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
nixpkgs/nixos/modules/programs
History
r-vdp 1ac3c5dc99 nixos/shadow: use file capabilities for newuidmap/newgidmap 
Writing a multi-line /proc/<pid>/[ug]id_map only requires
CAP_SETUID/CAP_SETGID over the parent user namespace, not full root.
shadow's own --with-fcaps install mode (70971457b761) sets exactly
cap_setuid+ep / cap_setgid+ep, and Arch, Fedora and Debian have shipped
these binaries with file capabilities instead of setuid for years.

The setuid variant already drops to the same single capability before
the uid_map write (see lib/idmapping.c), so the privilege at the point
attacker-controlled data reaches the kernel is unchanged. The reduction
is in the startup window: with file capabilities the process never has
euid 0 and never holds the full capability set during NSS lookups,
/etc/subuid parsing and /proc/<pid> opening.

The only functional difference is that mapping host uid 0 into a child
namespace additionally needs CAP_SETFCAP, which the setuid path got
implicitly. NixOS never puts uid 0 into auto-allocated subuid ranges,
and granting it manually is a deliberate root-equivalent configuration;
the release notes document the override for that case.

nixosTests.{shadow,podman,docker-rootless} pass; the latter two
exercise newuidmap/newgidmap via rootless containers.

Supersedes #461172.

Co-authored-by: Rasheeq Azad <rasheeqhere@gmail.com>
2026-06-01 00:18:28 +03:00
..
bash
nixos: remove optional builtins prefixes from prelude functions
2026-01-15 16:07:55 +01:00
command-not-found
nixos/command-not-found: set enable default with module system
2026-05-19 11:50:38 -04:00
digitalbitbox
maintainers: drop vidbina
2025-12-02 16:34:27 +01:00
foot
nixos/foot: move mkIf outside .source option
2026-03-14 16:43:46 +01:00
wayland
termite: remove broken package with no live upstream
2026-05-22 15:29:27 +03:00
xscreensaver
nixos/programs/xscreensaver: init
2026-03-13 20:20:19 +00:00
zsh
zsh: unbreak nixos module build for dynamic dhcp hostname
2026-01-30 06:24:02 +00:00
_1password-gui.nix
nixos/_1password-gui: remove extraneous whitespace
2025-11-03 16:41:17 -05:00
_1password.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
alvr.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
amnezia-vpn.nix
amnezia-vpn: fix openvpn; refactor install and fixup
2025-04-02 23:22:46 +03:00
appgate-sdp.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
appimage.nix
nixos/appimage: minor fix eval
2024-07-22 07:47:00 +08:00
arp-scan.nix
nixos/{arp-scan,iftop,tcpdump,traceroute}: format
2024-11-18 16:47:56 +01:00
atop.nix
nixos: remove optional builtins prefixes from prelude functions
2026-01-15 16:07:55 +01:00
atuin.nix
nixos/atuin: add system-wide atuin program option
2026-04-23 09:33:52 +02:00
ausweisapp.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
autoenv.nix
autoenv: init at 2024-10-16
2024-12-19 10:06:55 +01:00
autojump.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
bandwhich.nix
maintainers: drop Br1ght0ne
2025-12-09 21:05:56 +01:00
bash-my-aws.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
bat.nix
nixos/*: remove unused let bindings
2026-05-01 20:39:14 -04:00
bazecor.nix
treewide: Remove amesgen from maintainers, take over some
2026-03-30 20:24:52 +02:00
bcc.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
benchexec.nix
nixos/pqos-wrapper: remove broken wrapper
2026-05-13 23:16:54 +03:00
browserpass.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
calls.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
captive-browser.nix
nixos/captive-browser: remove the udhcpc setcap wrapper fallback
2026-02-06 14:29:16 -08:00
ccache.nix
wxwidgets_3_{1,2}: rename from wxGTK3{1,2}
2026-02-27 10:56:33 +01:00
cdemu.nix
treewide: run nixfmt 1.0.0
2025-07-24 13:55:40 +02:00
cfs-zen-tweaks.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
chromium.nix
nixos/treewide: clean up Plasma 5 references
2025-08-21 22:31:56 +03:00
chrysalis.nix
nixos/chrysalis: init module
2025-05-23 13:02:18 -06:00
clash-verge.nix
nixos/clash-verge: change maintainers
2026-03-01 13:43:54 +08:00
cnping.nix
nixos/cnping: fix setcap wrapper
2025-03-31 16:25:04 +03:30
coolercontrol.nix
coolercontrol: 2.1.0 -> 3.0.1
2025-10-26 00:06:21 +02:00
corefreq.nix
nixos/corefreq: add program defining both the daemon service and its kernel module
2024-10-19 21:23:55 -04:00
cpu-energy-meter.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
criu.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
dconf.nix
fix: typo Tommorow -> Tomorrow in dconf.nix
2026-03-01 14:00:36 +08:00
direnv.nix
nixos/direnv: remove obsolete finalPackage
2026-01-01 20:14:16 +01:00
dmrconfig.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
droidcam.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
dsearch.nix
Reapply "ci: module maintainer review requests; nixos/modules: init meta.teams"
2026-03-13 16:53:28 +01:00
dublin-traceroute.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
ente-auth.nix
nixos/ente-auth: add maintainer gepbird
2025-12-26 14:21:49 +01:00
environment.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
envision.nix
android-udev-rules: drop
2025-10-22 00:13:25 +02:00
evince.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
extra-container.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
fcast-receiver.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
feedbackd.nix
treewide: run nixfmt 1.0.0
2025-07-24 13:55:40 +02:00
firefox.nix
fix: typo modifiying -> modifying in firefox.nix
2026-03-01 14:00:36 +08:00
firejail.nix
nixos: remove optional builtins prefixes from prelude functions
2026-01-15 16:07:55 +01:00
fish_completion-generator.patch
fish.nix
nixos/fish: fix documentation eval error
2026-04-29 17:39:44 -06:00
flashprog.nix
nixos/flashprog: Enable libjaylink and libftdi modules
2025-04-19 00:13:02 +02:00
flashrom.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
flexoptix-app.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
freetds.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
fuse.nix
nixos: remove optional builtins prefixes from prelude functions
2026-01-15 16:07:55 +01:00
fzf.nix
fzf: fix fish integration in nixos/modules/programs/fzf.nix
2025-09-01 09:58:42 +08:00
gamemode.nix
nixos/gamemode: add package option
2026-05-24 17:01:12 +02:00
gamescope.nix
gamescope: feature option enableWsi
2026-05-27 19:33:33 +02:00
gdk-pixbuf.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
geary.nix
Reapply "ci: module maintainer review requests; nixos/modules: init meta.teams"
2026-03-13 16:53:28 +01:00
ghidra.nix
nixos/ghidra: init
2025-02-18 09:53:01 +01:00
git-worktree-switcher.nix
git-worktree-switcher: add package option
2025-10-03 21:18:33 -03:00
git.nix
nixos/git: support system-wide gitattributes
2026-02-26 07:45:43 -08:00
gnome-disks.nix
Reapply "ci: module maintainer review requests; nixos/modules: init meta.teams"
2026-03-13 16:53:28 +01:00
gnome-terminal.nix
Reapply "ci: module maintainer review requests; nixos/modules: init meta.teams"
2026-03-13 16:53:28 +01:00
gnupg.nix
nixos/treewide: clean up Plasma 5 references
2025-08-21 22:31:56 +03:00
gpaste.nix
nixos/gnome & nixos/gdm: move out of x11
2025-05-28 13:27:36 +02:00
gphoto2.nix
treewide: Format all Nix files
2025-04-01 20:10:43 +02:00
gpu-screen-recorder.nix
nixos/gpu-screen-recorder: install gpu-screen-recorder to system
2026-02-06 22:01:39 +01:00
haguichi.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
hamster.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
htop.nix
nixos: remove optional builtins prefixes from prelude functions
2026-01-15 16:07:55 +01:00
i3lock.nix
nixos/pam: rename u2fAuth -> u2f.enable
2026-04-11 22:07:56 -04:00
iay.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
idescriptor.nix
nixos/programs/idescriptor: init
2026-01-26 14:02:57 +01:00
iftop.nix
nixos/{arp-scan,iftop,tcpdump,traceroute}: format
2024-11-18 16:47:56 +01:00
iio-hyprland.nix
nixos/iio-hyprland: init module
2024-08-18 01:18:23 +05:30
immersed.nix
nixos/programs.immersed-vr: rename to programs.immersed
2024-10-08 11:38:55 -07:00
iotop.nix
nixos/iotop: make package overridable
2025-04-11 12:21:35 +00:00
java.nix
nixos/java: No bashisms in environment.shellInit script (#294121)
2024-11-30 17:19:13 -08:00
joycond-cemuhook.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
k3b.nix
Revert "nixos/k3b: remove module as obsolete"
2025-05-04 20:46:53 -07:00
k40-whisperer.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
kbdlight.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
kclock.nix
Fix programs.kclock pointing to a non existing package
2025-11-23 22:34:04 +01:00
kde-pim.nix
nixos/kde-pim: include kcontacts for merkuro's widgets
2025-05-11 16:53:44 +00:00
kdeconnect.nix
nixos/kdeconnect: fix eval
2025-10-18 12:01:19 +03:00
kubeswitch.nix
various: use mkPackageOption
2025-09-22 02:46:54 +02:00
ladybird.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
lazygit.nix
treewide: Fix links in module documentation
2025-08-25 12:55:11 -04:00
less.nix
nixos: remove optional builtins prefixes from prelude functions
2026-01-15 16:07:55 +01:00
liboping.nix
nixos: remove optional builtins prefixes from prelude functions
2026-01-15 16:07:55 +01:00
librepods.nix
nixos/librepods: init
2026-04-13 14:22:11 +02:00
lix.nix
nixos/lix: load tun kmod for pasta
2026-05-25 23:45:07 +02:00
localsend.nix
nixos/localsend: allow udp port
2024-08-09 23:31:24 +08:00
mdevctl.nix
mdevctl: fix script dir location
2025-02-18 15:02:34 +01:00
mepo.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
mininet.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
minipro.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
miriway.nix
miriway: 24.11.1 -> 25.02
2025-02-26 22:24:17 +01:00
mosh.nix
nixos/mosh: make package overridable (#383643)
2025-02-20 18:49:45 +05:30
mouse-actions.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
msmtp.nix
nixos/msmtp: add package option
2025-07-15 20:41:31 +02:00
mtr.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
nano.nix
treewide: Format all Nix files
2025-04-01 20:10:43 +02:00
nautilus-open-any-terminal.nix
treewide: Fix links in module documentation
2025-08-25 12:55:11 -04:00
nbd.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
neovim.nix
programs.neovim: disable python3 and ruby providers by default
2026-04-03 21:32:52 +05:30
nethoscope.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
nexttrace.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
nh.nix
nixos/nh: allow independent nh clean service
2026-04-28 05:29:17 +07:00
nix-index.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
nix-ld.nix
treewide: apply nixfmt 1.2.0
2026-01-22 18:37:56 -03:00
nix-required-mounts.nix
programs.nix-required-mounts: make onFeatures attrset similar to nvidia
2026-05-10 20:04:55 +02:00
nixbit.nix
nixos/nixbit: init module
2025-10-29 20:50:20 +01:00
nm-applet.nix
Reapply "ci: module maintainer review requests; nixos/modules: init meta.teams"
2026-03-13 16:53:28 +01:00
nncp.nix
nixos: remove optional builtins prefixes from prelude functions
2026-01-15 16:07:55 +01:00
noisetorch.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
npm.nix
nixos/npm: update npm package reference
2026-03-03 00:59:35 +01:00
ns-usbloader.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
nvrs.nix
maintainers: rename adamperkowski to koi, update upstream references
2026-01-12 15:02:35 +01:00
nxdumpclient.nix
nixos/programs/nxdumpclient: init
2026-04-23 16:06:25 -04:00
oblogout.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
obs-studio.nix
nixos/obs-studio: nullable package
2024-11-18 11:33:43 -05:00
oddjobd.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
opengamepadui.nix
treewide: run nixfmt 1.0.0
2025-07-24 13:55:40 +02:00
openvpn3.nix
maintainers: drop shamilton
2026-01-22 00:00:18 +01:00
partition-manager.nix
nixos/partition-manager: switch to qt6
2025-08-10 10:19:20 +03:00
pay-respects.nix
treewide: remove deprecated lib functions that had warning for more than 2 years
2025-10-24 06:30:16 +03:00
plotinus.md
treewide: run treefmt with mdcr/nixfmt
2025-07-24 13:52:31 +02:00
plotinus.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
pmount.nix
nixos/pmount: init module
2025-10-10 01:56:08 +02:00
projecteur.nix
maintainers: drop drupol
2025-08-20 17:54:38 +02:00
proxychains.nix
nixos: remove optional builtins prefixes from prelude functions
2026-01-15 16:07:55 +01:00
pulseview.nix
nixos/pulseview: init module
2024-09-18 23:20:57 +02:00
qdmr.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
qgroundcontrol.nix
treewide: Format all Nix files
2025-04-01 20:10:43 +02:00
qt5ct.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
quark-goldleaf.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
regreet.nix
nixos/regreet: enable accounts-daemon service
2026-05-12 16:04:19 +03:00
rog-control-center.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
rush.nix
nixos/rush: init module
2025-04-19 19:45:05 +02:00
rust-motd.nix
nixos/rust-motd: Add fail2ban to path (#433471)
2025-10-16 21:03:35 +00:00
ryzen-monitor-ng.nix
treewide: Fix links in module documentation
2025-08-25 12:55:11 -04:00
schroot.nix
treewide: run nixfmt 1.0.0
2025-07-24 13:55:40 +02:00
screen.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
seahorse.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
sedutil.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
shadow.nix
nixos/shadow: use file capabilities for newuidmap/newgidmap
2026-06-01 00:18:28 +03:00
sharing.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
singularity.nix
apptainer, singularity: add argument systemBinPaths
2024-06-03 07:53:21 +08:00
skim.nix
skim: Move shell completions to package
2025-09-21 18:47:05 +02:00
slock.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
sniffnet.nix
treewide: drop figsoda as maintainer (part 1)
2025-11-02 20:16:11 -05:00
soundmodem.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
ssh.nix
nixos: remove references to the xorg namespace
2026-01-25 22:58:40 +01:00
starship.nix
nixos/starship: fix '$' escaping for bash and zsh
2026-05-22 15:28:21 +01:00
steam.nix
nixos/steam: remove unnecessary bwrap wrapper
2026-05-28 16:05:14 +02:00
streamcontroller.nix
streamcontroller module: Add kdotools when using plasma
2025-03-21 15:32:45 +01:00
streamdeck-ui.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
sysdig.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
system-config-printer.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
systemtap.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
tcpdump.nix
nixos/{arp-scan,iftop,tcpdump,traceroute}: format
2024-11-18 16:47:56 +01:00
television.nix
nixos/television: use pre-generated completions with keybindings
2025-12-20 10:22:30 +08:00
throne.nix
throne: 1.0.13 -> 1.1.1-unstable-2026-03-28
2026-03-29 17:36:37 +02:00
thunar.nix
Reapply "ci: module maintainer review requests; nixos/modules: init meta.teams"
2026-03-13 16:53:28 +01:00
thunderbird.nix
nixos/thunderbird: init module
2024-05-22 14:55:16 +09:00
tmux.nix
nixos/tmux: use idempotent new-session to avoid duplicate sessions
2025-12-06 07:02:22 +00:00
traceroute.nix
nixos/{arp-scan,iftop,tcpdump,traceroute}: format
2024-11-18 16:47:56 +01:00
trippy.nix
treewide: drop figsoda as maintainer (part 1)
2025-11-02 20:16:11 -05:00
tsm-client.nix
tsm-client: 8.1.27.1 -> 8.2.1.0
2026-03-27 19:31:06 +01:00
turbovnc.nix
treewide: fix typos
2025-06-02 16:07:07 +02:00
udevil.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
usbtop.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
vim.nix
nixos/{vim,neovim,vscode,emacs}: prefer environment.sessionVariables.EDITOR
2025-09-18 16:22:46 +00:00
virt-manager.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
virtualbox.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
vivid.nix
nixos/vivid: correct meta.maintainer
2025-06-02 02:48:30 +02:00
vscode.nix
nixos/{vim,neovim,vscode,emacs}: prefer environment.sessionVariables.EDITOR
2025-09-18 16:22:46 +00:00
wavemon.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
weylus.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
whois.nix
nixos/whois: init module
2026-03-31 18:33:50 +08:00
winbox.nix
nixos/winbox: add udp/20561 to open ports for MAC connections
2026-04-29 21:44:14 +01:00
wireshark.nix
nixos/wireshark: usbmon permissions
2025-03-07 19:34:27 +01:00
wshowkeys.nix
treewide: remove unused with
2025-10-05 10:50:41 +02:00
xastir.nix
maintainers: drop melling
2025-12-11 23:54:41 +01:00
xfconf.nix
Reapply "ci: module maintainer review requests; nixos/modules: init meta.teams"
2026-03-13 16:53:28 +01:00
xfs_quota.nix
nixos: remove optional builtins prefixes from prelude functions
2026-01-15 16:07:55 +01:00
xonsh.nix
treewide: Format all Nix files
2025-04-01 20:10:43 +02:00
xppen.nix
nixos/xppen: init
2025-08-08 10:09:50 +02:00
xss-lock.nix
nixos: remove optional builtins prefixes from prelude functions
2026-01-15 16:07:55 +01:00
xwayland.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
yazi.nix
nixos/yazi: refactor settings (#475151)
2026-01-05 00:36:45 +00:00
ydotool.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
yubikey-manager.nix
nixos/yubikey-manager: add missing package option
2025-09-04 00:44:52 +02:00
yubikey-touch-detector.nix
nixos: remove optional builtins prefixes from prelude functions
2026-01-15 16:07:55 +01:00
zmap.nix
treewide: format all inactive Nix files
2024-12-10 20:26:33 +01:00
zoom-us.nix
nixos/zoom-us: fix compatibility issue with pipewire
2025-11-05 06:22:54 +00:00
zoxide.nix
nixos/zoxide: init module
2025-03-26 22:08:23 +02:00