lukego/asroot.c

## asroot.c
/* asroot.c -- execute provided command in setuid-friendly way. */

#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv)
{
  if (argc >= 2) {
    execv(argv[1], argv+1);
    perror(argv[1]);
  } else {
    fprintf(stderr, "usage: %s <command> [arg...]\n", argv[0]);
    fprintf(stderr, "\n");
    fprintf(stderr, "Execute a command after inheriting setuid mode (if set.)\n");
    fprintf(stderr, "Command must be a fully-qualified path on the filesystem.\n");
  }
  return 1;
}

## asroot.nix
# asroot.nix - make /run/wrappers/bin/asroot <cmd> [arg..] run as root

# This module creates the 'asroot' executable that executes its
# argument with root privileges and can be called within a sandbox.
#
# asroot is...
# ... statically linked so it can be passed into a sandbox as a single file;
# ... setuid-root so it inherits root privileges automatically;
# ... designed to exec another command so that you can run *that* as root.

{ config, pkgs, lib, ... }:

let musl64pkgs =
      import <nixpkgs> {
        crossSystem = (import <nixpkgs/lib>).systems.examples.musl64; };
    asroot =
      # Cross-compile asroot with musl libc so that it can be
      # statically linked and won't have dependencies that can't be
      # met inside a sandbox (e.g. specific glibc version.)
      musl64pkgs.stdenv.mkDerivation {
        name = "asroot";
        src = ./asroot.c;
        buildCommand = "$CC -static -o $out $src";
      };
in

{
  config.boot.specialFileSystems."/run/as" = {
    fsType = "tmpfs";
    options = [ "nodev" ];
  };

  config.nix.sandboxPaths = [
    "/run/as"
  ];

  config.nix.extraOptions = ''
    allow-new-privileges = true
  '';

  config.system.activationScripts.asroot = ''
    cp ${asroot} /run/as/root
    chown root.root /run/as/root
    chmod ug+s /run/as/root
  '';
}
	/* asroot.c -- execute provided command in setuid-friendly way. */

	#include <stdio.h>
	#include <unistd.h>

	int main(int argc, char **argv)
	{
	if (argc >= 2) {
	execv(argv[1], argv+1);
	perror(argv[1]);
	} else {
	fprintf(stderr, "usage: %s <command> [arg...]\n", argv[0]);
	fprintf(stderr, "\n");
	fprintf(stderr, "Execute a command after inheriting setuid mode (if set.)\n");
	fprintf(stderr, "Command must be a fully-qualified path on the filesystem.\n");
	}
	return 1;
	}
	# asroot.nix - make /run/wrappers/bin/asroot <cmd> [arg..] run as root

	# This module creates the 'asroot' executable that executes its
	# argument with root privileges and can be called within a sandbox.
	#
	# asroot is...
	# ... statically linked so it can be passed into a sandbox as a single file;
	# ... setuid-root so it inherits root privileges automatically;
	# ... designed to exec another command so that you can run that as root.

	{ config, pkgs, lib, ... }:

	let musl64pkgs =
	import <nixpkgs> {
	crossSystem = (import <nixpkgs/lib>).systems.examples.musl64; };
	asroot =
	# Cross-compile asroot with musl libc so that it can be
	# statically linked and won't have dependencies that can't be
	# met inside a sandbox (e.g. specific glibc version.)
	musl64pkgs.stdenv.mkDerivation {
	name = "asroot";
	src = ./asroot.c;
	buildCommand = "$CC -static -o $out $src";
	};
	in

	{
	config.boot.specialFileSystems."/run/as" = {
	fsType = "tmpfs";
	options = [ "nodev" ];
	};

	config.nix.sandboxPaths = [
	"/run/as"
	];

	config.nix.extraOptions = ''
	allow-new-privileges = true
	'';

	config.system.activationScripts.asroot = ''
	cp ${asroot} /run/as/root
	chown root.root /run/as/root
	chmod ug+s /run/as/root
	'';
	}