Wrappers

security.wrappers.<name>.capabilities

A comma-separated list of capability clauses to be given to the wrapper program. The format for capability clauses is described in the “TEXTUAL REPRESENTATION” section of the cap_from_text(3) manual page. For a list of capabilities supported by the system, check the capabilities(7) manual page.

Note: cap_setpcap, which the wrapper program requires in order to raise capabilities into the Ambient set, is NOT itself raised into the Ambient set, so the real program cannot modify its own capabilities. This may be too restrictive for cases in which the real program needs cap_setpcap, but it at least errs on the side of security paranoia rather than being too relaxed.

Type: strings concatenated with ","

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/wrappers/default.nix

security.wrappers.<name>.group

The group of the wrapper program.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/wrappers/default.nix

security.wrappers.<name>.owner

The owner of the wrapper program.

Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/wrappers/default.nix

security.wrappers.<name>.permissions

The permissions of the wrapper program. The format is that of a symbolic or numeric file mode understood by chmod.

Type: file mode string

Default

"u+rx,g+x,o+x"

Example

"a+rx"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/wrappers/default.nix

security.wrappers.<name>.program

The name of the wrapper program. Defaults to the attribute name.

Type: null or string

Default

"‹name›"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/wrappers/default.nix

security.wrappers.<name>.setgid

Whether to add the setgid bit to the wrapper program.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/wrappers/default.nix

security.wrappers.<name>.setuid

Whether to add the setuid bit to the wrapper program.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/wrappers/default.nix

security.wrappers.<name>.source

The absolute path to the program to be wrapped.

Type: path

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/wrappers/default.nix
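
The options above combined in one configuration, as an added example that is not taken from this reference or from the nixpkgs module: a setuid-root wrapper beside one that grants a single capability clause instead. The wrapper names, the `pkgs.iputils` source path and the choice of `cap_net_raw+p` are assumptions made for illustration.

```nix
{ pkgs, ... }:
{
  # Constructed example: two ways to let unprivileged users run a ping
  # binary that needs to open a raw socket.

  # Broad grant: setuid root. The real program starts with every root
  # privilege and is trusted to drop what it does not need.
  security.wrappers.ping-setuid = {
    source = "${pkgs.iputils}/bin/ping";  # assumed location of the real binary
    owner = "root";
    group = "root";
    setuid = true;
    # program defaults to the attribute name, so this wrapper is installed
    # as "ping-setuid".
  };

  # Narrow grant: one capability clause in cap_from_text(3) syntax.
  # "cap_net_raw+p" adds CAP_NET_RAW to the permitted set (the "p" flag).
  # The wrapper raises it into the Ambient set for the real program;
  # cap_setpcap is not passed on, so the real program cannot widen this.
  security.wrappers.ping = {
    source = "${pkgs.iputils}/bin/ping";  # assumed location of the real binary
    owner = "root";
    group = "root";
    capabilities = "cap_net_raw+p";
    # setuid and setgid stay at their default (false); the wrapper relies
    # on the capability alone.
    permissions = "u+rx,g+x,o+x";         # the documented default, spelled out
  };
}
```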