Linux capabilities and wrappers

Hello there :wave:

I’ve been experimenting with GNU Rush on NixOS and found that I could only get it working through a wrapper, since it requires setgid capabilities.

In this module, I configured it to reuse the value of config.security.enableWrappers by default, assuming that simply setting this to false would make wrappers unnecessary. However, even with that security option disabled, I haven’t been able to grant the binary the necessary capabilities to run without a wrapper.

Is there a way to grant Linux capabilities (like setgid) to binaries without using wrappers on NixOS?

Thanks in advance!

Not really, no, since the binaries are built by nix. If this were possible, arbitrary users could elevate their privileges by building stuff. You could copy the whole binary at runtime instead, but at that point you might as well use a wrapper.

Why are you trying to do this without a wrapper anyway? The default doesn’t have setgid, but that’s super trivial to override:

security.wrappers.rush.setgid = true;

… though perhaps the lib.mkDefault at the top level requires setting all the other values too.

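For reference, a complete wrapper definition that follows the reply's suggestion, as an added example rather than code from either poster or from the rush module itself. It assumes `pkgs.rush` is the GNU Rush package and that its binary lives at `bin/rush`; the group name `rush` is a placeholder. Because `security.wrappers.rush` may be set with `lib.mkDefault` at the attribute-set level, overriding only `setgid` can fail, so the example restates the whole set. A capability-based alternative is shown alongside: the wrapper module can attach file capabilities to the copy under `/run/wrappers/bin` instead of making it setgid, which keeps the privilege narrower.

```nix
{ config, pkgs, lib, ... }:

{
  # Option A: setgid wrapper, overriding the module's mkDefault'ed set as a whole.
  security.wrappers.rush = {
    source = "${pkgs.rush}/bin/rush";   # assumed path of the GNU Rush binary
    owner = "root";
    group = "rush";                     # placeholder group that rush should run as
    setgid = true;                      # the wrapper copy gets the setgid bit
    setuid = false;
    # 'permissions' accepts an octal mode string; u+rx,g+rx,o+rx plus setgid via the flag above.
    permissions = "u+rx,g+rx,o+rx";
  };

  # Option B (alternative, not to be combined with A under the same name):
  # grant only cap_setgid as a file capability on the wrapper copy.
  # security.wrappers.rush = {
  #   source = "${pkgs.rush}/bin/rush";
  #   owner = "root";
  #   group = "root";
  #   capabilities = "cap_setgid+ep";   # setcap-style capability string
  # };

  # Make sure the group referenced above exists.
  users.groups.rush = { };
}
```

After `nixos-rebuild switch`, the privileged copy is `/run/wrappers/bin/rush`; `ls -l /run/wrappers/bin/rush` should show the `s` in the group execute position for option A, and `getcap /run/wrappers/bin/rush` should report `cap_setgid=ep` for option B. The store path under `/nix/store` stays unprivileged either way, which is exactly why the reply says a wrapper is unavoidable.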