Adapting everything for the merged permissions wrappers work.

2025-06-12 20:55:31 +03:00 · 2016-09-01 19:06:21 -05:00 · 2016-09-01 19:06:21 -05:00 · 98c058a1ee
commit 98c058a1ee
parent 390ab0b3ef
55 changed files with 162 additions and 131 deletions
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@ -169,7 +169,7 @@ in
         ${cfg.extraInit}
         # The setuid wrappers override other bin directories.
-         export PATH="${config.security.wrapperDir}:$PATH"
+         export PATH="${config.security.permissionsWrapperDir}:$PATH"
         # ~/bin if it exists overrides other bin directories.
         export PATH="$HOME/bin:$PATH"
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@ -262,7 +262,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
 # Ask the user to set a root password.
 if [ -z "$noRootPasswd" ] && [ -x $mountPoint/var/setuid-wrappers/passwd ] && [ -t 0 ]; then
    echo "setting root password..."
-    chroot $mountPoint /var/setuid-wrappers/passwd
+    chroot $mountPoint /var/permissions-wrappers/passwd
 fi
--- a/nixos/modules/programs/kbdlight.nix
+++ b/nixos/modules/programs/kbdlight.nix
@ -15,7 +15,7 @@ in
    security.permissionsWrappers.setuid =
    [ { program = "kbdlight";
        source  = "${pkgs.kbdlight.out}/bin/kbdlight";
-        user    = "root";
+        owner   = "root";
        group   = "root";
        setuid  = true;        
    }];
--- a/nixos/modules/programs/light.nix
+++ b/nixos/modules/programs/light.nix
@ -25,7 +25,7 @@ in
    security.permissionsWrappers.setuid =
    [ { program = "light";
        source  = "${pkgs.light.out}/bin/light";
-        user    = "root";
+        owner   = "root";
        group   = "root";
        setuid  = true;        
    }];
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@ -102,18 +102,18 @@ in
        chgpasswd = { rootOK = true; };
      };
-    security.setuidPrograms = 
+    security.permissionsWrappers.setuid = 
    [
      { program = "su";
        source  = "${pkgs.shadow.su}/bin/su";
-        user    = "root";
+        owner   = "root";
        group   = "root";
        setuid  = true;        
      }
      { program = "chfn";
        source  = "${pkgs.shadow.out}/bin/chfn";
-        user    = "root";
+        owner   = "root";
        group   = "root";
        setuid  = true;
      }
--- a/nixos/modules/programs/unity3d.nix
+++ b/nixos/modules/programs/unity3d.nix
@ -0,0 +1,25 @@
 { config, lib, pkgs, ... }:
 with lib;
 let cfg = config.programs.unity3d;
 in {
  options = {
    programs.unity3d.enable = mkEnableOption "Unity3D, a game development tool";
  };
  config = mkIf cfg.enable {
    security.permissionsWrappers.setuid = [{
      program = "unity-chrome-sandbox";
      source = "${pkgs.unity3d.sandbox}/bin/unity-chrome-sandbox";
      owner = "root";
      #group = "root";
      setuid = true;
      #setgid = true;
    }];
    environment.systemPackages = [ pkgs.unity3d ];
  };
 }
--- a/nixos/modules/security/apparmor-suid.nix
+++ b/nixos/modules/security/apparmor-suid.nix
@ -19,7 +19,7 @@ with lib;
  config = mkIf (cfg.confineSUIDApplications) {
    security.apparmor.profiles = [ (pkgs.writeText "ping" ''
      #include <tunables/global>
-      /var/setuid-wrappers/ping {
+      /var/permissions-wrappers/ping {
        #include <abstractions/base>
        #include <abstractions/consoles>
        #include <abstractions/nameservice>
@ -33,7 +33,7 @@ with lib;
        ${pkgs.attr.out}/lib/libattr.so* mr,
        ${pkgs.iputils}/bin/ping mixr,
-        /var/setuid-wrappers/ping.real r,
+        /var/permissions-wrappers/ping.real r,
        #/etc/modules.conf r,
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@ -198,7 +198,7 @@ in
     [
       { program = "login_duo";
         source  = "${pkgs.duo-unix.out}/bin/login_duo";
-         user    = "root";
+         owner   = "root";
         group   = "root";
         setuid  = true;
       }
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -444,34 +444,35 @@ in
    security.permissionsWrappers.setuid =
      [
-        (optionals config.security.pam.enableEcryptfs
+        { program = "unix_chkpwd";
-          { program = "mount.ecryptfs_private"
+          source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
-            source  = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
+          owner = "root";
-            user    = "root";
+          group = "root";
-            group   = "root";
+          setuid = true;
-            setuid  = true;
+        }
-          })
+
-        (optionals config.security.pam.enableEcryptfs
+      ] ++ (optional config.security.pam.enableEcryptfs 
-          { program = "umount.ecryptfs_private";
+        { program = "umount.ecryptfs_private";
-            source  = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
+          source  = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
-            user    = "root";
+          owner   = "root";
-            group   = "root";
+          group   = "root";
-            setuid  = true;
+          setuid  = true;
-          })
+        }
-      ]
+      ) ++ (optional config.security.pam.enableEcryptfs
        { program = "mount.ecryptfs_private";
          source  = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
          owner   = "root";
          group   = "root";
          setuid  = true;
        }
      );
    environment.etc =
      mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
    security.setuidOwners = [ {
      program = "unix_chkpwd";
      source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
      owner = "root";
      setuid = true;
    } ];
    security.pam.services =
      { other.text =
          ''
--- a/nixos/modules/security/pam_usb.nix
+++ b/nixos/modules/security/pam_usb.nix
@ -37,20 +37,19 @@ in
      [
        { program = "pmount";
          source  = "${pkgs.pmount.out}/bin/pmount";
-          user    = "root";
+          owner   = "root";
          group   = "root";
          setuid  = true;
        }
        { program = "pumount";
          source  = "${pkgs.pmount.out}/bin/pumount";
-          user    = "root";
+          owner   = "root";
          group   = "root";
          setuid  = true;
        }
      ];
 setuidPrograms = [ "pmount" "pumount" ];
    environment.systemPackages = [ pkgs.pmount ];
  };
--- a/nixos/modules/security/permissions-wrappers/default.nix
+++ b/nixos/modules/security/permissions-wrappers/default.nix
@ -3,10 +3,17 @@ let
  inherit (config.security) permissionsWrapperDir;
  isNotNull = v: if v != null then true else false;
  cfg = config.security.permissionsWrappers;
-  setcapWrappers = import ./setcap-wrapper-drv.nix { };
+  setcapWrappers = import ./setcap-wrapper-drv.nix {
-  setuidWrappers = import ./setuid-wrapper-drv.nix { };
+    inherit config lib pkgs;
  };
  setuidWrappers = import ./setuid-wrapper-drv.nix {
    inherit config lib pkgs;
  };
  ###### Activation script for the setcap wrappers
  configureSetcapWrapper =
@ -16,8 +23,7 @@ let
    , owner  ? "nobody"
    , group  ? "nogroup"
    , setcap ? false
-    }:
+    }: ''
    ''
      cp ${setcapWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program}
      # Prevent races
@ -43,22 +49,22 @@ let
    '';
  ###### Activation script for the setuid wrappers
-  makeSetuidWrapper =
+  configureSetuidWrapper =
    { program
    , source ? null
    , owner  ? "nobody"
    # Legacy code I can't find :(
    , user   ? null
    , group  ? "nogroup"
    , setuid ? false
    , setgid ? false
    , permissions ? "u+rx,g+x,o+x"
-    }:
+    }: ''
    ''
      cp ${setuidWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program}
      # Prevent races
      chmod 0000 ${permissionsWrapperDir}/${program}
-      chown ${owner}.${group} ${permissionsWrapperDir}/${program}
+      chown ${if user != null then user else owner}.${group} ${permissionsWrapperDir}/${program}
      chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program}
    '';
@ -68,12 +74,12 @@ in
  ###### interface
  options = {
-    security.permissionsWrappers.setcap = mkOption {
+    security.permissionsWrappers.setcap = lib.mkOption {
-      type    = types.listOf types.attrs;
+      type    = lib.types.listOf lib.types.attrs;
      default = [];
      example =
        [ { program = "ping";
-            source  = "${pkgs.iputils.out}/bin/ping"
+            source  = "${pkgs.iputils.out}/bin/ping";
            owner   = "nobody";
            group   = "nogroup";
            setcap  = true;
@ -106,12 +112,12 @@ in
      '';
    };
-    security.permissionsWrappers.setuid = mkOption {
+    security.permissionsWrappers.setuid = lib.mkOption {
-      type = types.listOf types.attrs;
+      type = lib.types.listOf lib.types.attrs;
      default = [];
      example =
        [ { program = "sendmail";
-            source = "${pkgs.sendmail.bin}/bin/sendmail";
+            source = "/nix/store/.../bin/sendmail";
            owner = "nobody";
            group = "postdrop";
            setuid = false;
@ -126,8 +132,8 @@ in
      '';
    };
-    security.permissionsWrapperDir = mkOption {
+    security.permissionsWrapperDir = lib.mkOption {
-      type        = types.path;
+      type        = lib.types.path;
      default     = "/var/permissions-wrappers";
      internal    = true;
      description = ''
@ -152,7 +158,7 @@ in
    ###### setcap activation script
    system.activationScripts.setcap =
-      stringAfter [ "users" ]
+      lib.stringAfter [ "users" ]
        ''
          # Look in the system path and in the default profile for
          # programs to be wrapped.
@ -168,12 +174,12 @@ in
          # Concatenate the generated shell slices to configure
          # wrappers for each program needing specialized capabilities.
-          ${concatMapStrings configureSetcapWrapper cfg.setcap}
+          ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)}
        '';
    ###### setuid activation script
    system.activationScripts.setuid =
-      stringAfter [ "users" ]
+      lib.stringAfter [ "users" ]
        ''
          # Look in the system path and in the default profile for
          # programs to be wrapped.
@ -189,7 +195,7 @@ in
          # Concatenate the generated shell slices to configure
          # wrappers for each program needing specialized capabilities.
-          ${concatMapStrings configureSetuidWrapper cfg.setuid}
+          ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)}
        '';
  };
--- a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix
+++ b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix
@ -13,7 +13,7 @@ let
             source=/nix/var/nix/profiles/default/bin/${program}
         fi
-         gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.permissionsWrapperDir}\" \
+         gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
             -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper
       '';
 in
@ -32,6 +32,6 @@ pkgs.stdenv.mkDerivation {
    # Concat together all of our shell splices to compile
    # binary wrapper programs for all configured setcap programs.
-    ${concatMapStrings mkSetcapWrapper cfg.setcap}
+    ${lib.concatMapStrings mkSetcapWrapper cfg.setcap}
  '';
-};
+}
--- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
+++ b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
@ -13,7 +13,7 @@ let
             source=/nix/var/nix/profiles/default/bin/${program}
         fi
-         gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${cfg.permissionsWrapperDir}\" \
+         gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
             -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper
       '';
 in
@ -31,6 +31,6 @@ pkgs.stdenv.mkDerivation {
    # Concat together all of our shell splices to compile
    # binary wrapper programs for all configured setcap programs.
-    ${concatMapStrings mkSetuidWrapper cfg.setuid}
+    ${lib.concatMapStrings mkSetuidWrapper cfg.setuid}
  '';
-};
+}
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@ -87,20 +87,18 @@ in
      [
        { program = "pkexec";
          source  = "${pkgs.polkit.out}/bin/pkexec";
-          user    = "root";
+          owner   = "root";
          group   = "root";
          setuid  = true;
        }
      ];
-    security.setuidOwners = [
+        { program = "polkit-agent-helper-1";
-      { program = "polkit-agent-helper-1";
+          owner = "root";
-        owner = "root";
+          group = "root";
-        group = "root";
+          setuid = true;
-        setuid = true;
+          source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
-        source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
+        }
-      }
+      ];
    ];
    system.activationScripts.polkit =
      ''
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@ -85,14 +85,14 @@ in
     [
       { program = "sudo";
         source  = "${pkgs.sudo.out}/bin/sudo";
-         user    = "root";
+         owner   = "root";
         group   = "root";
         setuid  = true;
       }
-       { program = "sudoedit"
+       { program = "sudoedit";
-         source  = "${pkgs.sudo.out}/bin/sudo";
+         source  = "${pkgs.sudo.out}/bin/sudoedit";
-         user    = "root";
+         owner   = "root";
         group   = "root";
         setuid  = true;
       }
--- a/nixos/modules/services/logging/logcheck.nix
+++ b/nixos/modules/services/logging/logcheck.nix
@ -29,8 +29,8 @@ let
    };
  cronJob = ''
-    @reboot   logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
+    @reboot   logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
-    2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
+    2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
  '';
  writeIgnoreRule = name: {level, regex, ...}:
--- a/nixos/modules/services/mail/dovecot.nix
+++ b/nixos/modules/services/mail/dovecot.nix
@ -13,7 +13,7 @@ let
    ''
      base_dir = ${baseDir}
      protocols = ${concatStringsSep " " cfg.protocols}
-      sendmail_path = /var/setuid-wrappers/sendmail
+      sendmail_path = /var/permissions-wrappers/sendmail
    ''
    (if isNull cfg.sslServerCert then ''
--- a/nixos/modules/services/mail/exim.nix
+++ b/nixos/modules/services/mail/exim.nix
@ -70,7 +70,7 @@ in
      etc."exim.conf".text = ''
        exim_user = ${cfg.user}
        exim_group = ${cfg.group}
-        exim_path = /var/setuid-wrappers/exim
+        exim_path = /var/permissions-wrappers/exim
        spool_directory = ${cfg.spoolDir}
        ${cfg.config}
      '';
@ -93,11 +93,11 @@ in
    [
      { program = "exim";
        source  = "${pkgs.exim.out}/bin/exim";
-        user    = "root";
+        owner   = "root";
        group   = "root";
        setuid  = true;
      }
-    ]
+    ];
    systemd.services.exim = {
      description = "Exim Mail Daemon";
--- a/nixos/modules/services/mail/mail.nix
+++ b/nixos/modules/services/mail/mail.nix
@ -26,7 +26,7 @@ with lib;
  config = mkIf (config.services.mail.sendmailSetuidWrapper != null) {
-    security.setuidOwners = [ config.services.mail.sendmailSetuidWrapper ];
+    security.permissionsWrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ];
  };
--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@ -34,7 +34,7 @@ let
        cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file)
        wrapProgram $file \
-          --set PATH "/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
+          --set PATH "/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
          --set MUNIN_LIBDIR "${pkgs.munin}/lib" \
          --set MUNIN_PLUGSTATE "/var/run/munin"
@ -182,7 +182,7 @@ in
        mkdir -p /etc/munin/plugins
        rm -rf /etc/munin/plugins/*
-        PATH="/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
+        PATH="/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
      '';
      serviceConfig = {
        ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";
--- a/nixos/modules/services/monitoring/smartd.nix
+++ b/nixos/modules/services/monitoring/smartd.nix
@ -124,7 +124,7 @@ in
          };
          mailer = mkOption {
-            default = "/var/setuid-wrappers/sendmail";
+            default = "/var/permissions-wrappers/sendmail";
            type = types.path;
            description = ''
              Sendmail-compatible binary to be used to send the messages.
--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@ -30,7 +30,7 @@ let
    ''
      [ global ]
      security = ${cfg.securityType}
-      passwd program = /var/setuid-wrappers/passwd %u
+      passwd program = /var/permissions-wrappers/passwd %u
      pam password change = ${smbToString cfg.syncPasswordsByPam}
      invalid users = ${smbToString cfg.invalidUsers}
--- a/nixos/modules/services/networking/gale.nix
+++ b/nixos/modules/services/networking/gale.nix
@ -141,7 +141,7 @@ in
         setgid = false;
       };
-       security.setuidOwners = [ cfg.setuidWrapper ];
+       security.permissionsWrappers.setuid = [ cfg.setuidWrapper ];
       systemd.services.gale-galed = {
         description = "Gale messaging daemon";
--- a/nixos/modules/services/networking/prayer.nix
+++ b/nixos/modules/services/networking/prayer.nix
@ -18,7 +18,7 @@ let
    var_prefix = "${stateDir}"
    prayer_user = "${prayerUser}"
    prayer_group = "${prayerGroup}"
-    sendmail_path = "/var/setuid-wrappers/sendmail"
+    sendmail_path = "/var/permissions-wrappers/sendmail"
    use_http_port ${cfg.port}
--- a/nixos/modules/services/scheduling/atd.nix
+++ b/nixos/modules/services/scheduling/atd.nix
@ -42,8 +42,10 @@ in
  config = mkIf cfg.enable {
-    security.setuidOwners = map (program: {
+    security.permissionsWrappers.setuid = map (program: {
      inherit program;
      source = "${pkgs.atd}/bin/${program}";
      owner = "atd";
      group = "atd";
      setuid = true;
--- a/nixos/modules/services/scheduling/cron.nix
+++ b/nixos/modules/services/scheduling/cron.nix
@ -20,7 +20,7 @@ let
  cronNixosPkg = pkgs.cron.override {
    # The mail.nix nixos module, if there is any local mail system enabled,
    # should have sendmail in this path.
-    sendmailPath = "/var/setuid-wrappers/sendmail";
+    sendmailPath = "/var/permissions-wrappers/sendmail";
  };
  allFiles =
@ -61,7 +61,7 @@ in
          A list of Cron jobs to be appended to the system-wide
          crontab.  See the manual page for crontab for the expected
          format. If you want to get the results mailed you must setuid
-          sendmail. See <option>security.setuidOwners</option>
+          sendmail. See <option>security.permissionsWrappers.setuid</option>
          If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root
          will is allowed to have its own crontab file. The /var/cron/cron.deny file
@ -99,7 +99,7 @@ in
      [
        { program = "crontab";
          source  = "${pkgs.cronNixosPkg.out}/bin/crontab";
-          user    = "root";
+          owner   = "root";
          group   = "root";
          setuid  = true;        
        }
--- a/nixos/modules/services/scheduling/fcron.nix
+++ b/nixos/modules/services/scheduling/fcron.nix
@ -96,7 +96,7 @@ in
            fcronallow  =       /etc/fcron.allow
            fcrondeny   =       /etc/fcron.deny
            shell       =       /bin/sh
-            sendmail    =       /var/setuid-wrappers/sendmail
+            sendmail    =       /var/permissions-wrappers/sendmail
            editor      =       /run/current-system/sw/bin/vi
          '';
          target = "fcron.conf";
@ -110,7 +110,7 @@ in
    [
      { program = "fcrontab";
        source  = "${pkgs.fcron.out}/bin/fcrontab";
-        user    = "root";
+        owner   = "root";
        group   = "root";
        setuid  = true;        
      }
--- a/nixos/modules/services/system/dbus.nix
+++ b/nixos/modules/services/system/dbus.nix
@ -30,7 +30,7 @@ let
      mkdir -p $out
      sed '${./dbus-system-local.conf.in}' \
-        -e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \
+        -e 's,@servicehelper@,${config.security.permissionsWrapperDir}/dbus-daemon-launch-helper,g' \
        -e 's,@extra@,${systemExtraxml},' \
        > "$out/system-local.conf"
@ -102,9 +102,9 @@ in
    systemd.packages = [ pkgs.dbus.daemon ];
-    security.setuidOwners = singleton
+    security.permissionsWrappers.setuid = singleton
      { program = "dbus-daemon-launch-helper";
-        source = "${pkgs.dbus_daemon.out}/libexec/dbus-daemon-launch-helper";
+        source = "${pkgs.dbus_daemon}/libexec/dbus-daemon-launch-helper";
        owner = "root";
        group = "messagebus";
        setuid = true;
--- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@ -66,7 +66,7 @@ in
    [
      { program = "e_freqset";
        source  = "${e.enlightenment.out}/bin/e_freqset";
-        user    = "root";
+        owner   = "root";
        group   = "root";
        setuid  = true;        
      }
--- a/nixos/modules/services/x11/desktop-managers/kde4.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde4.nix
@ -119,7 +119,7 @@ in
          '';
      };
-    security.setuidOwners = singleton
+    security.permissionsWrappers.setuid = singleton
      { program = "kcheckpass";
        source = "${kde_workspace}/lib/kde4/libexec/kcheckpass";
        owner = "root";
--- a/nixos/modules/services/x11/desktop-managers/kde5.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde5.nix
@ -47,7 +47,7 @@ in
      '';
    };
-    security.setuidOwners = [
+    security.permissionsWrappers.setuid = [
      {
        program = "kcheckpass";
        source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass";
--- a/nixos/modules/virtualisation/virtualbox-host.nix
+++ b/nixos/modules/virtualisation/virtualbox-host.nix
@ -63,7 +63,7 @@ in
    boot.extraModulePackages = [ virtualbox ];
    environment.systemPackages = [ virtualbox ];
-    security.setuidOwners = let
+    security.permissionsWrappers.setuid = let
      mkSuid = program: {
        inherit program;
        source = "${virtualbox}/libexec/virtualbox/${program}";
--- a/pkgs/applications/editors/sublime3/default.nix
+++ b/pkgs/applications/editors/sublime3/default.nix
@ -1,5 +1,5 @@
 { fetchurl, stdenv, glib, xorg, cairo, gtk, pango, makeWrapper, openssl, bzip2,
-  pkexecPath ? "/var/setuid-wrappers/pkexec", libredirect,
+  pkexecPath ? "/var/permissions-wrappers/pkexec", libredirect,
  gksuSupport ? false, gksu}:
 assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux";
--- a/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch
+++ b/pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch
@ -26,7 +26,7 @@ index 50e8ad8..eec0ed2 100644
 +	is_nixos=no
 +fi
 +
-+if [ -u /var/setuid-wrappers/gksign ]; then
+if [ -u /var/permissions-wrappers/gksign ]; then
 +	cat <<EOM
 +
 +Gale appears to have already been set up via the NixOS module system (check
--- a/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch
+++ b/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch
@ -4,7 +4,7 @@ Date: Thu, 26 Nov 2015 21:03:35 +0100
 Subject: [PATCH] Lookup dumpcap in PATH
 NixOS patch: Look for dumpcap in PATH first, because there may be a
-dumpcap setuid-wrapper that we want to use instead of the default
+dumpcap permissions-wrapper that we want to use instead of the default
 non-setuid dumpcap binary.
 Also change execv() to execvp() because we've set argv[0] to "dumpcap"
@ -27,7 +27,7 @@ index 970688e..49914d5 100644
 -    exename = g_strdup_printf("%s/dumpcap", progfile_dir);
 +    /*
 +     * NixOS patch: Look for dumpcap in PATH first, because there may be a
-+     * dumpcap setuid-wrapper that we want to use instead of the default
+     * dumpcap permissions-wrapper that we want to use instead of the default
 +     * non-setuid dumpcap binary.
 +     */
 +    if (system("command -v dumpcap >/dev/null") == 0) {
--- a/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
+++ b/pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
@ -11,7 +11,7 @@ index a9d8ac4..85f13f5 100644
 -  # #   arguments: '-i -t'
 -  # # }
 +  config.action_mailer.sendmail_settings = {
-+    location: '/var/setuid-wrappers/sendmail',
+    location: '/var/permissions-wrappers/sendmail',
 +    arguments: '-i -t'
 +  }
   config.action_mailer.perform_deliveries = true
--- a/pkgs/applications/virtualization/virtualbox/hardened.patch
+++ b/pkgs/applications/virtualization/virtualbox/hardened.patch
@ -96,7 +96,7 @@ index 95dc9a7..39170bc 100644
     /* get the path to the executable */
     char szPath[RTPATH_MAX];
 -    RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);
-+    RTStrCopy(szPath, sizeof(szPath) - 1, "/var/setuid-wrappers");
+    RTStrCopy(szPath, sizeof(szPath) - 1, "/var/permissions-wrappers");
     size_t cchBufLeft = strlen(szPath);
     szPath[cchBufLeft++] = RTPATH_DELIMITER;
     szPath[cchBufLeft] = 0;
@ -154,7 +154,7 @@ index be2ad8f..7ddf105 100644
 +RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath)
 +{
-+    return RTStrCopy(pszPath, cchPath, "/var/setuid-wrappers");
+    return RTStrCopy(pszPath, cchPath, "/var/permissions-wrappers");
 +}
 +
 +
@ -174,7 +174,7 @@ index 7bde6af..2656cae 100644
 + * will cut off everything after the rightmost / as this function is analogous
 + * to RTProcGetExecutablePath().
 + */
-+#define SUIDDIR "/var/setuid-wrappers/"
+#define SUIDDIR "/var/permissions-wrappers/"
 +
 +RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath)
 +{
--- a/pkgs/build-support/build-fhs-userenv/env.nix
+++ b/pkgs/build-support/build-fhs-userenv/env.nix
@ -51,7 +51,7 @@ let
    export PS1='${name}-chrootenv:\u@\h:\w\$ '
    export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
    export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'
-    export PATH='/var/setuid-wrappers:/usr/bin:/usr/sbin'
+    export PATH='/var/permissions-wrappers:/usr/bin:/usr/sbin'
    export PKG_CONFIG_PATH=/usr/lib/pkgconfig
    # Force compilers to look in default search paths
--- a/pkgs/development/libraries/libgksu/default.nix
+++ b/pkgs/development/libraries/libgksu/default.nix
@ -57,8 +57,8 @@ stdenv.mkDerivation rec {
    # Fix some binary paths
    sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c
-    sed -i -e 's|/usr/bin/sudo|/var/setuid-wrappers/sudo|g' libgksu/libgksu.c
+    sed -i -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|g' libgksu/libgksu.c
-    sed -i -e 's|/bin/su\([^d]\)|/var/setuid-wrappers/su\1|g' libgksu/libgksu.c
+    sed -i -e 's|/bin/su\([^d]\)|/var/permissions-wrappers/su\1|g' libgksu/libgksu.c
    touch NEWS README
  '';
--- a/pkgs/development/libraries/polkit/default.nix
+++ b/pkgs/development/libraries/polkit/default.nix
@ -5,7 +5,7 @@
 let
  system = "/var/run/current-system/sw";
-  setuid = "/var/setuid-wrappers"; #TODO: from <nixos> config.security.wrapperDir;
+  setuid = "/var/permissions-wrappers"; #TODO: from <nixos> config.security.wrapperDir;
  foolVars = {
    SYSCONF = "/etc";
--- a/pkgs/development/tools/unity3d/default.nix
+++ b/pkgs/development/tools/unity3d/default.nix
@ -94,7 +94,7 @@ in stdenv.mkDerivation rec {
    unitydir="$out/opt/Unity/Editor"
    mkdir -p $unitydir
    mv Editor/* $unitydir
-    ln -sf /var/setuid-wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
+    ln -sf /var/permissions-wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
    mkdir -p $out/share/applications
    sed "/^Exec=/c\Exec=$out/bin/unity-editor" \
--- a/pkgs/os-specific/linux/fuse/default.nix
+++ b/pkgs/os-specific/linux/fuse/default.nix
@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
      # Ensure that FUSE calls the setuid wrapper, not
      # $out/bin/fusermount. It falls back to calling fusermount in
      # $PATH, so it should also work on non-NixOS systems.
-      export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/var/setuid-wrappers\""
+      export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/var/permissions-wrappers\""
      sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c
    '';
--- a/pkgs/os-specific/linux/mdadm/default.nix
+++ b/pkgs/os-specific/linux/mdadm/default.nix
@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
  preConfigure = ''
    sed -e 's@/lib/udev@''${out}/lib/udev@' \
        -e 's@ -Werror @ @' \
-        -e 's@/usr/sbin/sendmail@/var/setuid-wrappers/sendmail@' -i Makefile
+        -e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile
  '';
  meta = {
--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
  postInstall = ''
    mv -v $out/sbin/unix_chkpwd{,.orig}
-    ln -sv /var/setuid-wrappers/unix_chkpwd $out/sbin/unix_chkpwd
+    ln -sv /var/permissions-wrappers/unix_chkpwd $out/sbin/unix_chkpwd
  ''; /*
    rm -rf $out/etc
    mkdir -p $modules/lib
--- a/pkgs/os-specific/linux/util-linux/default.nix
+++ b/pkgs/os-specific/linux/util-linux/default.nix
@ -43,7 +43,7 @@ stdenv.mkDerivation rec {
    --enable-last
    --enable-mesg
    --disable-use-tty-group
-    --enable-fs-paths-default=/var/setuid-wrappers:/var/run/current-system/sw/bin:/sbin
+    --enable-fs-paths-default=/var/permissions-wrappers:/var/run/current-system/sw/bin:/sbin
    ${if ncurses == null then "--without-ncurses" else ""}
    ${if systemd == null then "" else ''
      --with-systemd
--- a/pkgs/servers/interlock/default.nix
+++ b/pkgs/servers/interlock/default.nix
@ -30,7 +30,7 @@ buildGoPackage rec {
      -e 's|/bin/chown|${coreutils}/bin/chown|' \
      -e 's|/bin/date|${coreutils}/bin/date|' \
      -e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \
-      -e 's|/usr/bin/sudo|/var/setuid-wrappers/sudo|' \
+      -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|' \
      -e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|'
  '';
 }
--- a/pkgs/servers/mail/petidomo/default.nix
+++ b/pkgs/servers/mail/petidomo/default.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchurl, flex, bison, sendmailPath ? "/var/setuid-wrappers/sendmail" }:
+{ stdenv, fetchurl, flex, bison, sendmailPath ? "/var/permissions-wrappers/sendmail" }:
 stdenv.mkDerivation rec {
  name = "petidomo-4.3";
--- a/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix
+++ b/pkgs/servers/monitoring/nagios/plugins/official-2.x.nix
@ -16,8 +16,8 @@ stdenv.mkDerivation rec {
  # configured on the build machine).
  preConfigure= "
    configureFlagsArray=(
-      --with-ping-command='/var/setuid-wrappers/ping -n -U -w %d -c %d %s'
+      --with-ping-command='/var/permissions-wrappers/ping -n -U -w %d -c %d %s'
-      --with-ping6-command='/var/setuid-wrappers/ping6 -n -U -w %d -c %d %s'
+      --with-ping6-command='/var/permissions-wrappers/ping6 -n -U -w %d -c %d %s'
    )
  ";
--- a/pkgs/tools/X11/x11vnc/default.nix
+++ b/pkgs/tools/X11/x11vnc/default.nix
@ -20,10 +20,10 @@ stdenv.mkDerivation rec {
    configureFlags="--mandir=$out/share/man"
    substituteInPlace x11vnc/unixpw.c \
-        --replace '"/bin/su"' '"/var/setuid-wrappers/su"' \
+        --replace '"/bin/su"' '"/var/permissions-wrappers/su"' \
        --replace '"/bin/true"' '"${coreutils}/bin/true"'
-    sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/var/setuid-wrappers/su|g' x11vnc/ssltools.h
+    sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/var/permissions-wrappers/su|g' x11vnc/ssltools.h
  '';
  meta = {
--- a/pkgs/tools/admin/certbot/default.nix
+++ b/pkgs/tools/admin/certbot/default.nix
@ -29,7 +29,7 @@ pythonPackages.buildPythonApplication rec {
  buildInputs = [ dialog ] ++ (with pythonPackages; [ nose mock gnureadline ]);
  patchPhase = ''
-    substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/var/setuid-wrappers/sendmail"
+    substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/var/permissions-wrappers/sendmail"
    substituteInPlace certbot/le_util.py --replace "sw_vers" "/usr/bin/sw_vers"
  '';
--- a/pkgs/tools/misc/debian-devscripts/default.nix
+++ b/pkgs/tools/misc/debian-devscripts/default.nix
@ -2,7 +2,7 @@
 , FileDesktopEntry, libxslt, docbook_xsl, makeWrapper
 , python3Packages
 , perlPackages, curl, gnupg, diffutils
-, sendmailPath ? "/var/setuid-wrappers/sendmail"
+, sendmailPath ? "/var/permissions-wrappers/sendmail"
 }:
 let
--- a/pkgs/tools/security/ecryptfs/default.nix
+++ b/pkgs/tools/security/ecryptfs/default.nix
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
  };
  # TODO: replace wrapperDir below with from <nixos> config.security.wrapperDir;
-  wrapperDir = "/var/setuid-wrappers";
+  wrapperDir = "/var/permissions-wrappers";
  postPatch = ''
    FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)"
--- a/pkgs/tools/security/sudo/default.nix
+++ b/pkgs/tools/security/sudo/default.nix
@ -1,5 +1,5 @@
 { stdenv, fetchurl, coreutils, pam, groff
-, sendmailPath ? "/var/setuid-wrappers/sendmail"
+, sendmailPath ? "/var/permissions-wrappers/sendmail"
 , withInsults ? false
 }:
--- a/pkgs/tools/system/at/default.nix
+++ b/pkgs/tools/system/at/default.nix
@ -1,4 +1,4 @@
-{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/var/setuid-wrappers/sendmail" }:
+{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/var/permissions-wrappers/sendmail" }:
 stdenv.mkDerivation {
  name = "at-3.1.16";
--- a/pkgs/tools/system/ts/default.nix
+++ b/pkgs/tools/system/ts/default.nix
@ -1,5 +1,5 @@
 {stdenv, fetchurl,
-sendmailPath ? "/var/setuid-wrappers/sendmail" }:
+sendmailPath ? "/var/permissions-wrappers/sendmail" }:
 stdenv.mkDerivation rec {