diff --git a/modules/module-list.nix b/modules/module-list.nix
index 4ff6ac249780..095ac35e8387 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -38,7 +38,7 @@
 ./security/pam.nix
 ./security/pam_usb.nix
 ./security/policykit.nix
- #./security/polkit.nix # Currently disabled; using the old policykit.
+ ./security/polkit.nix
 ./security/setuid-wrappers.nix
 ./security/sudo.nix
 ./services/audio/alsa.nix
diff --git a/modules/security/polkit.nix b/modules/security/polkit.nix
index ed0496485cbf..2c726128d959 100644
--- a/modules/security/polkit.nix
+++ b/modules/security/polkit.nix
@@ -2,23 +2,63 @@
 with pkgs.lib;
+let
+ pkWrapper = pkgs.stdenv.mkDerivation {
+ name = "polkit-wrapper";
+ helper = "polkit-agent-helper-1";
+ buildInputs = [ pkgs.xorg.lndir ];
+
+ builder = pkgs.writeScript "pkwrap-builder" ''
+ source $stdenv/setup
+
+ mkdir -p $out
+ lndir ${pkgs.polkit} $out
+ new=$out/libexec/$helper
+
+ mv $new $out/libexec/.$helper.orig
+ echo "exec ${config.security.wrapperDir}/$helper \"\$@\"" > $new
+ chmod +x $new
+ '';
+ };
+in
+
 { config = {
- environment.systemPackages = [ pkgs.polkit ];
+ environment = {
+ systemPackages = [ pkWrapper ];
+ pathsToLink = [ "/share/polkit-1" "/etc/polkit-1" ];
+ etc = [
+ {
+ source = "${config.system.path}/etc/polkit-1";
+ target = "polkit-1";
+ }
+ ];
+ };
- services.dbus.packages = [ pkgs.polkit ];
+ services.dbus.packages = [ pkWrapper ];
- security.pam.services = [ { name = "polkit-1"; } ];
+ security = {
+ pam.services = [ { name = "polkit-1"; } ];
+ setuidPrograms = [ "pkexec" ];
- security.setuidPrograms = [ "pkexec" ];
+ setuidOwners = [
+ {
+ program = pkWrapper.helper;
+ owner = "root";
+ group = "root";
+ setuid = true;
+ source = pkWrapper + "/libexec/." + pkWrapper.helper + ".orig";
+ }
+ ];
+ };
 system.activationScripts.policyKit = pkgs.stringsWithDeps.noDepEntry ''
 mkdir -p /var/lib/polkit-1
+ chmod 700 /var/lib/polkit-1
 '';
- };
 }
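Review bot: Enabling `./security/polkit.nix` leaves `./security/policykit.nix` in the list directly above it, while the removed comment said polkit had been kept off precisely because the old policykit module was in use. If both modules are now imported together, it is worth confirming they do not both contribute to the same options (D-Bus packages, PAM services, setuid programs) with conflicting values, or else drop the old entry in the same commit. A one-line comment next to the new entry, `./security/polkit.nix  # replaces ./security/policykit.nix once that module is removed`, would record the intended relationship; this is inferred from the list alone, as the commit message is not visible here.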
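Review bot: The wrapper written by the `echo "exec ${config.security.wrapperDir}/$helper \"\$@\"" > $new` line in the `pkwrap-builder` script has no interpreter line, so whether it runs when polkitd spawns the helper depends on the caller falling back to `/bin/sh` on ENOEXEC, which a plain `execv` does not do; writing `echo "#! ${pkgs.stdenv.shell}" > $new` followed by `echo "exec ${config.security.wrapperDir}/$helper \"\$@\"" >> $new` removes that dependency. Since this shim is what turns a non-setuid store binary into a call through the setuid-root wrapper declared in `setuidOwners`, a short comment on `pkWrapper` stating that the real helper is kept as `.$helper.orig` and only reached through `config.security.wrapperDir` would help the next reader; that the store cannot hold setuid files is presumably the motivation, but the hunk does not say so. As rendered here the hunk also removes the `};` after the activation script with no visible replacement, which, if accurate, leaves `config = {` unclosed; this may be an artifact of the collapsed layout and should be checked against the full diff. The module's argument header on line 1 lies outside the hunk.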