#!/nix/store/izpf49b74i15pcr9708s3xdwyqs4jxwl-bash-5.2p32/bin/bash
# Abort on the first failing command: a partially populated wrapper
# directory must never be linked into place further down.
set -o errexit

# Parent directory that holds every generation of the wrapper set.
wrappersParent="/run/wrappers"
chmod 755 "$wrappersParent"

# Build the new wrapper set in a fresh, uniquely named directory inside the
# parent directory, so it sits next to the set that is currently in use.
wrapperDir=$(mktemp --directory --tmpdir="$wrappersParent" wrappers.XXXXXXXXXX)

# mktemp creates the directory private to its owner; open it up for read and
# traversal so that all users can reach the wrappers inside.
chmod a+rx "$wrapperDir"

# Install one wrapper whose privileges come from its mode bits.
#   $1  store path of the wrapper binary to copy
#   $2  file name to create inside "$wrapperDir"
#   $3  owner:group for the installed file
#   $4  symbolic mode applied once ownership is final
installModeWrapper() {
  local storeBinary="$1"
  local target="$wrapperDir/$2"
  local ownership="$3"
  local finalMode="$4"

  cp "$storeBinary" "$target"

  # Prevent races: drop every permission bit before touching ownership, and
  # apply the final (setuid) mode only after the owner and group are set.
  chmod 0000 "$target"
  chown "$ownership" "$target"

  chmod "$finalMode" "$target"
}

# Install one wrapper whose privileges come from file capabilities.
#   $1  store path of the wrapper binary to copy
#   $2  file name to create inside "$wrapperDir"
#   $3  owner:group for the installed file
#   $4  capability string handed to setcap
installCapabilityWrapper() {
  local storeBinary="$1"
  local target="$wrapperDir/$2"
  local ownership="$3"
  local capabilities="$4"

  cp "$storeBinary" "$target"

  # Prevent races: the file stays without any permission bit until both the
  # ownership and the capabilities are in place.
  chmod 0000 "$target"
  chown "$ownership" "$target"

  # Set desired capabilities on the file plus cap_setpcap so
  # the wrapper program can elevate the capabilities set on
  # its file into the Ambient set.
  /nix/store/kvdx856lrixa6ggk7x9dgxmm1cyhn649-libcap-2.70/bin/setcap "$capabilities" "$target"

  # Set the executable bit (no setuid/setgid bit is added here).
  chmod u+rx,g+x,o+x "$target"
}

# Mode shared by the root-owned wrappers: setuid on, setgid off,
# readable by the owner and executable by everyone.
setuidRootMode="u+s,g-s,u+rx,g+x,o+x"

installModeWrapper \
  /nix/store/q2fvgasspwwjmdgcjj4d229hv85hfnpb-security-wrapper-chsh-x86_64-unknown-linux-musl/bin/security-wrapper \
  chsh root:root "$setuidRootMode"

# Only root and members of the messagebus group may read or execute this
# wrapper; everyone else is denied.
installModeWrapper \
  /nix/store/p7hddzjvg5mj2hh3qmwkyflhg0wk4n2s-security-wrapper-dbus-daemon-launch-helper-x86_64-unknown-linux-musl/bin/security-wrapper \
  dbus-daemon-launch-helper root:messagebus "u+s,g-s,u+rx,g+rx,o-rx"

installModeWrapper \
  /nix/store/g5rmw8gx9rm7d179px2nz5fgsy02vh9j-security-wrapper-fusermount-x86_64-unknown-linux-musl/bin/security-wrapper \
  fusermount root:root "$setuidRootMode"

installModeWrapper \
  /nix/store/gpydvcldjpd3xiam4rmdf7ziiyy9j612-security-wrapper-fusermount3-x86_64-unknown-linux-musl/bin/security-wrapper \
  fusermount3 root:root "$setuidRootMode"

installModeWrapper \
  /nix/store/q9dfyk0wcjl342mfk7vai8n5gx24ifj8-security-wrapper-mount-x86_64-unknown-linux-musl/bin/security-wrapper \
  mount root:root "$setuidRootMode"

installModeWrapper \
  /nix/store/bncfpbqljlkqwqqn9y2mp7867mjqh187-security-wrapper-newgidmap-x86_64-unknown-linux-musl/bin/security-wrapper \
  newgidmap root:root "$setuidRootMode"

installModeWrapper \
  /nix/store/wjmzzwjfc5pwric1wriqzkjqdr5m2whg-security-wrapper-newgrp-x86_64-unknown-linux-musl/bin/security-wrapper \
  newgrp root:root "$setuidRootMode"

installModeWrapper \
  /nix/store/sa9kpi15l3vdqxdqa8myw3qv3p2vkm1d-security-wrapper-newuidmap-x86_64-unknown-linux-musl/bin/security-wrapper \
  newuidmap root:root "$setuidRootMode"

installModeWrapper \
  /nix/store/hk0i7w0aa5c3ply44zfx22cl6s7njnv1-security-wrapper-passwd-x86_64-unknown-linux-musl/bin/security-wrapper \
  passwd root:root "$setuidRootMode"

# ping is the one wrapper here that gets file capabilities instead of setuid.
installCapabilityWrapper \
  /nix/store/rsffxw7b5bb2f323dfh5bijj0jwhaqsy-security-wrapper-ping-x86_64-unknown-linux-musl/bin/security-wrapper \
  ping root:root "cap_setpcap,cap_net_raw+p"

installModeWrapper \
  /nix/store/w23n6j9r5177hlwk6bxdaqllq18dmqs4-security-wrapper-sg-x86_64-unknown-linux-musl/bin/security-wrapper \
  sg root:root "$setuidRootMode"

installModeWrapper \
  /nix/store/0xz0g2icqrdjm18br93nsa0sikzqa45x-security-wrapper-su-x86_64-unknown-linux-musl/bin/security-wrapper \
  su root:root "$setuidRootMode"

installModeWrapper \
  /nix/store/5hn267k00nm3wgqv0s82pavacwhw4mhm-security-wrapper-sudo-x86_64-unknown-linux-musl/bin/security-wrapper \
  sudo root:root "$setuidRootMode"

installModeWrapper \
  /nix/store/nb4qhjd5wjbw2zw0zx6iwa44bvz2kh90-security-wrapper-sudoedit-x86_64-unknown-linux-musl/bin/security-wrapper \
  sudoedit root:root "$setuidRootMode"

installModeWrapper \
  /nix/store/jbslqnp6lk7902nbavlrpdp9q30z8apj-security-wrapper-umount-x86_64-unknown-linux-musl/bin/security-wrapper \
  umount root:root "$setuidRootMode"

installModeWrapper \
  /nix/store/nlgc6z812z5skbf8sb98gphn0hicjry7-security-wrapper-unix_chkpwd-x86_64-unknown-linux-musl/bin/security-wrapper \
  unix_chkpwd root:root "$setuidRootMode"


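# Publish the freshly built wrapper directory as /run/wrappers/bin.
if [ -L /run/wrappers/bin ]; then
  # Atomically replace the symlink
  # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
  #
  # Remember where the current link points so that the previous wrapper set
  # can be removed once the new one is live.
  old=$(readlink -f /run/wrappers/bin)

  # Canonical form of the parent directory, comparable with "$old".
  canonicalParent=$(readlink -f /run/wrappers)

  # Clear any leftover from an interrupted earlier run.
  if [ -e "/run/wrappers/bin-tmp" ]; then
    rm --force --recursive "/run/wrappers/bin-tmp"
  fi

  # Create the new link under a temporary name, then rename it over the live
  # one, so /run/wrappers/bin always resolves to a complete wrapper set.
  ln --symbolic --force --no-dereference "$wrapperDir" "/run/wrappers/bin-tmp"
  mv --no-target-directory "/run/wrappers/bin-tmp" "/run/wrappers/bin"

  # Only delete what this script itself creates: directories made from the
  # wrappers.XXXXXXXXXX template inside /run/wrappers. A link that pointed
  # anywhere else is left alone instead of being removed recursively as root.
  case "$old" in
    "$canonicalParent"/wrappers.*)
      rm --force --recursive -- "$old"
      ;;
    *)
      printf 'warning: not removing unexpected previous wrapper directory: %s\n' "$old" >&2
      ;;
  esac
else
  # For initial setup
  ln --symbolic "$wrapperDir" "/run/wrappers/bin"
fi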


