This option effectively allows adding setuid/setgid bits or file capabilities to a program, and changing its file ownership and permissions, without modifying the program itself. It works by creating a small wrapper program under the security.wrapperDir directory (by default /run/wrappers/bin), which is prepended to the shell PATH so that the wrapper shadows the unprivileged binary. Paths in the Nix store cannot carry setuid bits or capabilities, so the privilege lives only on the wrapper, which executes the unchanged program given in source.
Declarations
Type
attribute set of (submodule)
Default
{ }
Example
{
  # a setuid root program
  doas = {
    setuid = true;
    owner = "root";
    group = "root";
    source = "${pkgs.doas}/bin/doas";
  };
  # a setgid program
  locate = {
    setgid = true;
    owner = "root";
    group = "mlocate";
    source = "${pkgs.locate}/bin/locate";
  };
  # a program with the CAP_NET_RAW capability
  ping = {
    owner = "root";
    group = "root";
    capabilities = "cap_net_raw+ep";
    source = "${pkgs.iputils.out}/bin/ping";
  };
}
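The example above gives every wrapper the default permissions (u+rx,g+x,o+x), which makes a setuid-root wrapper runnable by every local user. The following configuration.nix fragment is an added example, not taken from the NixOS manual: it pairs a setuid wrapper with the submodule's permissions option to restrict execution to one group, which is the check a reviewer would want on any setuid-root entry. The program name mytool, the group mytool-users and the package pkgs.mytool are hypothetical placeholders.

```nix
# Added example (not from the NixOS manual). mytool, mytool-users and
# pkgs.mytool are hypothetical placeholders; substitute a real package.
{ pkgs, ... }:

{
  # Dedicated group: only its members may execute the setuid wrapper.
  users.groups.mytool-users = { };

  security.wrappers.mytool = {
    setuid = true;
    owner = "root";
    group = "mytool-users";
    # u+rx for root, g+x for the group, nothing for others. Without this
    # line the default "u+rx,g+x,o+x" would make the wrapper world-executable.
    permissions = "u+rx,g+x";
    # The store copy keeps its ordinary 0555 mode; only the wrapper in
    # security.wrapperDir (default /run/wrappers/bin) carries the setuid bit.
    source = "${pkgs.mytool}/bin/mytool";
  };

  # Add the users who need the privilege to the group.
  users.users.alice.extraGroups = [ "mytool-users" ];
}
```

After nixos-rebuild switch, confirm the result on the booted system rather than trusting the configuration: ls -l /run/wrappers/bin/mytool should show owner root, group mytool-users and a mode with the setuid bit and no permissions for others; command -v mytool should resolve to /run/wrappers/bin/mytool rather than /run/current-system/sw/bin/mytool, since the wrapper directory is placed first in PATH; and for a capability wrapper such as the ping entry above, getcap /run/wrappers/bin/ping should list cap_net_raw while getcap on the store path lists nothing.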