From e04c3506eb24eb6e08d0938cc469aa140b4ea165 Mon Sep 17 00:00:00 2001
From: Markus Mueller
Date: Mon, 18 Jul 2016 13:20:21 +0000
Subject: [PATCH 1/4] ldap: Add option for login PAM integration

---
 nixos/modules/config/ldap.nix | 6 ++++++
 nixos/modules/security/pam.nix | 9 +++++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix
index 7064ef64b4c8..7cbcc39412ea 100644
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -62,6 +62,12 @@ in
 description = "Whether to enable authentication against an LDAP server.";
 };
 
+ loginPam = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to include authentication against LDAP in login PAM";
+ };
+
 server = mkOption {
 example = "ldap://ldap.example.org/";
 description = "The URL of the LDAP server.";
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 231a1890e0c0..77815cd6dcc1 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -221,7 +221,7 @@ let
 (''
 # Account management.
 account sufficient pam_unix.so
- ${optionalString config.users.ldap.enable
+ ${optionalString use_ldap
 "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
 ${optionalString config.krb5.enable
 "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
@@ -261,7 +261,7 @@ let
 "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
 ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
 "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
- ${optionalString config.users.ldap.enable
+ ${optionalString use_ldap
 "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
 ${optionalString config.krb5.enable ''
 auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
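Review bot: The `loginPam` description promises "login PAM", but the pam.nix hunks of this same patch use `use_ldap` to gate the pam_ldap line in the shared account, auth, password and session stacks, which presumably feed every PAM service security.pam generates, not only the `login` service. The description should say what switching it off actually does, e.g. `description = "Whether to include authentication against LDAP in the PAM stacks generated by security.pam (account, auth, password and session). When false, directory accounts may still be resolved by NSS but cannot authenticate through PAM.";`, and a trailing period would match the neighbouring `enable` description. The NSS half of that sentence is inferred from the option name; confirm it against the nsswitch module before wording it that way.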
@@ -276,7 +276,7 @@ let
 "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
 ${optionalString cfg.pamMount
 "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
- ${optionalString config.users.ldap.enable
+ ${optionalString use_ldap
 "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
 ${optionalString config.krb5.enable
 "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
@@ -296,7 +296,7 @@ let
 "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
 ${optionalString config.security.pam.enableEcryptfs
 "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
- ${optionalString config.users.ldap.enable
+ ${optionalString use_ldap
 "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
 ${optionalString config.krb5.enable
 "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
@@ -322,6 +322,7 @@ let
 
 inherit (pkgs) pam_krb5 pam_ccreds;
 
+ use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
 pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
 
 # Create a limits.conf(5) file.

From 07c44b81c3c50ac55fdde82aa7a761aa6e758fd6 Mon Sep 17 00:00:00 2001
From: Markus Mueller
Date: Mon, 18 Jul 2016 13:24:21 +0000
Subject: [PATCH 2/4] ldap: Add option for NSS integration

---
 nixos/modules/config/ldap.nix | 6 ++++++
 nixos/modules/config/nsswitch.nix | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/config/ldap.nix b/nixos/modules/config/ldap.nix
index 7cbcc39412ea..da875d6e4821 100644
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -68,6 +68,12 @@ in
 description = "Whether to include authentication against LDAP in login PAM";
 };
 
+ nsswitch = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to include lookup against LDAP in NSS";
+ };
+
 server = mkOption {
 example = "ldap://ldap.example.org/";
 description = "The URL of the LDAP server.";
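Review bot: The new `nsswitch` option and the `loginPam` option from the previous patch are independent booleans and neither description mentions the other, yet the combination matters: the `use_ldap` guard in pam.nix checks only `enable` and `loginPam`, so with `nsswitch = false; loginPam = true;` the generated PAM stacks still consult pam_ldap for accounts that the NSS side no longer resolves, which presumably makes such logins fail at the account stage rather than disabling LDAP cleanly. State the dependency in the description, e.g. `description = "Whether to include lookup against LDAP in NSS. Accounts that exist only in the directory are not resolvable when this is false, even if loginPam still authenticates them.";`, and add the trailing period that the older `enable` description uses. The failure mode is inferred from the two guards, not shown on the page; confirm before documenting it.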
diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix
index a39c2895bf84..f30136be44e1 100644
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@@ -8,7 +8,7 @@ let
 inherit (config.services.avahi) nssmdns;
 inherit (config.services.samba) nsswins;
 
- ldap = config.users.ldap.enable;
+ ldap = (config.users.ldap.enable && config.users.ldap.nsswitch);
 
 in
 

From 76223aa4b2cc7ebda27a93f00829bd447701740a Mon Sep 17 00:00:00 2001
From: Nikolay Amiantov
Date: Tue, 23 Aug 2016 19:18:22 +0300
Subject: [PATCH 3/4] qutebrowser: add pdfjs support

---
 .../browsers/qutebrowser/default.nix | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/pkgs/applications/networking/browsers/qutebrowser/default.nix b/pkgs/applications/networking/browsers/qutebrowser/default.nix
index bb7e66a94bea..490823860b10 100644
--- a/pkgs/applications/networking/browsers/qutebrowser/default.nix
+++ b/pkgs/applications/networking/browsers/qutebrowser/default.nix
@@ -1,13 +1,30 @@
-{ stdenv, fetchurl, buildPythonApplication, makeQtWrapper, wrapGAppsHook
+{ stdenv, fetchurl, unzip, buildPythonApplication, makeQtWrapper, wrapGAppsHook
 , qtbase, pyqt5, jinja2, pygments, pyyaml, pypeg2, glib_networking
 , asciidoc, docbook_xml_dtd_45, docbook_xsl, libxml2, libxslt
 , gst-plugins-base, gst-plugins-good, gst-plugins-bad, gst-plugins-ugly, gst-libav
 , qtwebkit-plugins
 }:
-let version = "0.8.2"; in
+let
+ pdfjs = stdenv.mkDerivation rec {
+ name = "pdfjs-${version}";
+ version = "1.4.20";
 
-buildPythonApplication rec {
+ src = fetchurl {
+ url = "https://github.com/mozilla/pdf.js/releases/download/v${version}/${name}-dist.zip";
+ sha256 = "1ca1fzyc5qnan6gavcd8bnfqriqqvgdsf4m8ka4nayf50k64xxj9";
+ };
+
+ nativeBuildInputs = [ unzip ];
+
+ buildCommand = ''
+ mkdir $out
+ unzip -d $out $src
+ '';
+ };
+
+in buildPythonApplication rec {
 name = "qutebrowser-${version}";
+ version = "0.8.2";
 namePrefix = "";
 
 src = fetchurl {
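Review bot: The `pdfjs` derivation is pinned to `version = "1.4.20"` inside a private `let` of the qutebrowser expression, so it can be neither overridden with `.override` nor updated without editing this file, and nothing records why that release was chosen. pdf.js is the component that will parse untrusted PDF documents inside the browser, which makes it the part of this package most likely to need a prompt version bump; consider making it a function argument of this expression (or its own package) so that an update is a one-line change elsewhere, and at minimum add a comment above `pdfjs =` such as `# pdf.js viewer bundled for qutebrowser's PDF support; bump together with qutebrowser`. Whether qutebrowser constrains the accepted pdf.js versions is not visible here, so check that before wording the comment.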
@@ -34,6 +51,7 @@ buildPythonApplication rec {
 
 postPatch = ''
 sed -i "s,/usr/share/qutebrowser,$out/share/qutebrowser,g" qutebrowser/utils/standarddir.py
+ sed -i "s,/usr/share/pdf.js,${pdfjs},g" qutebrowser/browser/pdfjs.py
 '';
 
 postBuild = ''

From 8576aea57c1d23d7f65bf3b4f1cace2d656a960a Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Wed, 24 Aug 2016 10:59:52 +0200
Subject: [PATCH 4/4] cc-wrapper: fix detection of unsupported linker flags

---
 pkgs/build-support/cc-wrapper/add-hardening.sh | 10 ++--------
 pkgs/build-support/cc-wrapper/default.nix | 11 ++++++++---
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index 60e62ffad608..b98833b3513b 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -4,17 +4,11 @@ hardeningCFlags=()
 hardeningLDFlags=()
 hardeningDisable=${hardeningDisable:-""}
 
-if [[ -z "@ld_supports_bindnow@" ]]; then
- hardeningDisable+=" bindnow"
-fi
-
-if [[ -z "@ld_supports_relro@" ]]; then
- hardeningDisable+=" relro"
-fi
+hardeningDisable+=" @hardening_unsupported_flags@"
 
 if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
 
-if [[ ! $hardeningDisable == "all" ]]; then
+if [[ ! $hardeningDisable =~ "all" ]]; then
 if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
 for flag in "${hardeningFlags[@]}"
 do
diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix
index 08ca8195b68b..8a746ea016ef 100644
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
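Review bot: The added `sed -i "s,/usr/share/pdf.js,${pdfjs},g" qutebrowser/browser/pdfjs.py` succeeds silently when the literal `/usr/share/pdf.js` is absent from that file, so a future qutebrowser release that moves or renames the fallback path would leave the bundled pdf.js unused without any build failure, and the existing standarddir.py substitution above it has the same weakness. A one-line guard before the substitution, `grep -q '/usr/share/pdf.js' qutebrowser/browser/pdfjs.py`, turns that into a build error, which is the cheaper place to notice it. The `postPatch` string itself is fully inside the hunk; the surrounding `buildPythonApplication` attribute set is not.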
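Review bot: `if [[ ! $hardeningDisable =~ "all" ]]; then` is a substring test, so any disable token that merely contains the letters `all` would switch off every hardening flag, whereas the old `==` was an exact match that the now unconditional `hardeningDisable+=" @hardening_unsupported_flags@"` above it broke (a trailing space alone makes `all` no longer equal `all`). Matching `all` as a whole space-separated word keeps the intent without the looseness: `if [[ ! " $hardeningDisable " == *" all "* ]]; then`. None of the flag names visible on this page contain `all`, so this is a hardening-policy robustness point rather than a present bug; the `if` body continues past the end of the hunk.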
@@ -237,9 +237,14 @@ stdenv.mkDerivation {
 cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook
 rm $out/nix-support/setup-hook.tmp
 
- # some linkers on some platforms don't support -z
- export ld_supports_bindnow=$([[ "$($ldPath/ld -z now 2>&1 || true)" =~ "un(known|recognized) option" ]])
- export ld_supports_relro=$([[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "un(known|recognized) option" ]])
+ # some linkers on some platforms don't support specific -z flags
+ hardening_unsupported_flags=""
+ if [[ "$($ldPath/ld -z now 2>&1 || true)" =~ "unknown option" ]]; then
+ hardening_unsupported_flags+=" bindnow"
+ fi
+ if [[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "unknown option" ]]; then
+ hardening_unsupported_flags+=" relro"
+ fi
 
 substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
 substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh
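Review bot: `hardening_unsupported_flags=""` drops the `export` the removed lines had, and the value is consumed only through `substituteAll ${./add-hardening.sh}` via `@hardening_unsupported_flags@`; if substituteAll collects its substitutions from the exported environment, as the stdenv helper does, the placeholder is never replaced and add-hardening.sh ends up appending the literal `@hardening_unsupported_flags@` token, so relro and bindnow would stay enabled on exactly the linkers this commit is trying to detect. The line should read `export hardening_unsupported_flags=""`. Separately, the two `=~ "unknown option"` tests narrow the old alternation, which as a quoted string was a literal that could never match (the actual bug being fixed) but did intend to cover a second wording; keeping it as an unquoted regex preserves that, `=~ un(known|recognized)\ option`, and which linkers emit which wording is not visible on this page so the broader pattern is the safer default.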