[Nix-dev] Setuid wrapper for bash script
Daniel Hlynskyi
abcz2.uprola at gmail.com
Thu Sep 15 21:10:39 CEST 2016
Actually, I found a way to do what I need without setuid and sudoers, just
polkit rules
let
  restartScript = pkgs.writeScriptBin "defenders" ''
    #!${pkgs.bash}/bin/bash
    # Without an argument, print the accepted operations and exit
    # (the original had "&& exit 0" wrapped onto its own line, which bash rejects)
    [[ -z "$1" ]] && echo "Specify operation: start, stop, restart, status" && exit 0
    systemctl "$1" defenders.service
  '';
  # polkit rule: members of `group` may run the listed verbs on `service`.service
  allowService = service: group: ''
    polkit.addRule(function(action, subject) {
      if (action.id == "org.freedesktop.systemd1.manage-units") {
        if (action.lookup("unit") == "${service}.service"
            && subject.isInGroup("${group}")) {
          var verb = action.lookup("verb");
          if (verb == "start" || verb == "stop" || verb == "restart" ||
              verb == "status") {
            return polkit.Result.YES;
          }
        }
      }
    });
  '';
in {
  users.groups.defenders_grp = { };
  environment.systemPackages = [
    restartScript
  ];
  security.polkit.extraConfig = ''
    ${allowService "defenders" "defenders_grp"}
  '';
}
2016-09-15 11:46 GMT+00:00 Roger Qiu <roger.qiu at matrix.ai>:
>
> IRC discussion shows that NixOS doesn't have the ability to specify custom
> action files atm. The only way is through a package. So for now you might
> be stuck until this functionality arrives. Only rule files can be specified.
> --
> Founder of Matrix AI
> https://matrix.ai/
> +61420925975
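As an added example (not code from the original thread): a small offline harness that mimics just the parts of the polkit rule API the rule above uses (polkit.addRule, polkit.Result, action.id, action.lookup, subject.isInGroup, all constructed here rather than taken from polkitd) so the rule's logic can be checked before deploying it. It shows that the rule grants only the four listed verbs on defenders.service to members of defenders_grp and returns "not handled" (undefined) for any other unit, verb, group or action, leaving polkit's defaults in force.

```javascript
// Constructed stand-in for the polkit rule API; not polkit's real implementation.
const polkit = {
  Result: { YES: "yes", NO: "no" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// The rule from the post, with the unit name and group filled in.
function installRule(service, group) {
  polkit.addRule(function (action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units") {
      if (action.lookup("unit") == service + ".service" &&
          subject.isInGroup(group)) {
        var verb = action.lookup("verb");
        if (verb == "start" || verb == "stop" || verb == "restart" ||
            verb == "status") {
          return polkit.Result.YES;
        }
      }
    }
    // falling off the end returns undefined: rule does not handle this request
  });
}

// Build action/subject objects shaped like the ones polkitd hands to rules.
// systemd attaches "unit" and "verb" as action details for manage-units.
function makeAction(id, details) {
  return { id, lookup: (key) => details[key] };
}
function makeSubject(groups) {
  return { isInGroup: (g) => groups.includes(g) };
}

// Run installed rules in order; the first definite result wins, and
// undefined means no rule handled it (polkit then applies the action default).
function evaluate(action, subject) {
  for (const rule of polkit._rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return undefined;
}

installRule("defenders", "defenders_grp");
```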