Make /var/empty immutable

Fixes #14910 and #18358 Deployed to an existing server, restarted sshd and polkit to verify they don't fail.
2024-11-16 14:54:29 +01:00 · 2016-09-06 17:14:50 +02:00 · 2016-09-06 17:14:50 +02:00 · 3877ec5b2f
commit 3877ec5b2f
parent 9ab141ce27
1 changed files with 13 additions and 5 deletions
--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@ -12,11 +12,14 @@ let
    '';
  });

-  path = map getBin
-    [ pkgs.coreutils pkgs.gnugrep pkgs.findutils
-      pkgs.glibc # needed for getent
-      pkgs.shadow
-      pkgs.nettools # needed for hostname
+  path = with pkgs; map getBin
+    [ coreutils
+      gnugrep
+      findutils
+      glibc # needed for getent
+      shadow
+      nettools # needed for hostname
+      e2fsprogs # needed for chattr
    ];

 in
@ -137,8 +140,13 @@ in

        mkdir -m 1777 -p /var/tmp

+        # Make sure it's really empty
+        chattr -i /var/empty
+        rm -rf /var/empty
+
        # Empty, read-only home directory of many system accounts.
        mkdir -m 0555 -p /var/empty
+        chattr +i /var/empty
      '';

    system.activationScripts.usrbinenv = if config.environment.usrbinenv != null