* activate-configuration.sh: make sure that we're running on a NixOS
installation to prevent horrible accidents. * Add the kernel parameters to isolinux.cfg. * Use useradd/groupadd to create users/groups; use Glibc's getent to check for existence. * Create the root account properly. svn path=/nixos/trunk/; revision=7357
parent
8f21b0119c
commit
3e7f4280df
@ -69,6 +69,7 @@ mount -t tmpfs -o "mode=0755" none /dev
|
||||
needWritableDir /tmp 01777
|
||||
needWritableDir /var 0755
|
||||
needWritableDir /nix/var 0755
|
||||
needWritableDir /root 0700
|
||||
|
||||
|
||||
# Miscellaneous boot time cleanup.
|
||||
@ -77,6 +78,7 @@ rm -rf /var/run
|
||||
|
||||
# Create the minimal device nodes needed before we run udev.
|
||||
mknod -m 0666 /dev/null c 1 3
|
||||
mknod -m 0644 /dev/urandom c 1 9 # needed for passwd
|
||||
|
||||
|
||||
# Run the script that performs all configuration activation that does
|
||||
|
@ -1,7 +1,7 @@
|
||||
#! @shell@
|
||||
|
||||
export PATH=/empty
|
||||
for i in @path@; do PATH=$PATH:$i/bin; done
|
||||
for i in @path@; do PATH=$PATH:$i/bin:$i/sbin; done
|
||||
|
||||
|
||||
# Set up the statically computed bits of /etc.
|
||||
@ -35,41 +35,42 @@ chmod 664 /var/run/utmp
|
||||
mkdir -m 0755 -p /var/log
|
||||
|
||||
|
||||
# Enable a password-less root login.
|
||||
source @accounts@
|
||||
|
||||
# If there is no password file yet, create a root account with an
|
||||
# empty password.
|
||||
if ! test -e /etc/passwd; then
|
||||
if test -n "@readOnlyRoot@"; then
|
||||
rootHome=/
|
||||
else
|
||||
rootHome=/home/root
|
||||
mkdir -p $rootHome
|
||||
fi
|
||||
createUser root '' 0 0 'System administrator' $rootHome/var/empty @shell@
|
||||
fi
|
||||
|
||||
if ! test -e /etc/group; then
|
||||
echo "root:*:0" > /etc/group
|
||||
rootHome=/root
|
||||
touch /etc/passwd; chmod 0755 /etc/passwd
|
||||
touch /etc/group; chmod 0755 /etc/passwd
|
||||
touch /etc/shadow; chmod 0700 /etc/passwd
|
||||
# Can't use useradd, since it complain that it doesn't know us
|
||||
# (bootstrap problem!).
|
||||
echo "root:x:0:0:System administrator:$rootHome:@shell@" >> /etc/passwd
|
||||
echo "root::::::::" >> /etc/shadow
|
||||
groupadd -g 0 root
|
||||
echo | passwd --stdin root
|
||||
fi
|
||||
|
||||
|
||||
# Set up Nix accounts.
|
||||
if test -z "@readOnlyRoot@"; then
|
||||
|
||||
if ! getent group nixbld > /dev/null; then
|
||||
groupadd -g 30000 nixbld
|
||||
fi
|
||||
|
||||
if ! getent group nogroup > /dev/null; then
|
||||
groupadd -g 65534 nogroup
|
||||
fi
|
||||
|
||||
for i in $(seq 1 10); do
|
||||
account=nixbld$i
|
||||
if ! userExists $account; then
|
||||
createUser $account x \
|
||||
$((i + 30000)) 30000 \
|
||||
'Nix build user' /var/empty /noshell
|
||||
if ! getent passwd $account > /dev/null; then
|
||||
useradd -u $((i + 30000)) -g nogroup -G nixbld \
|
||||
-d /var/empty -s /noshell \
|
||||
-c "Nix build user $i" $account
|
||||
fi
|
||||
accounts="$accounts${accounts:+,}$account"
|
||||
done
|
||||
|
||||
if ! grep -q "^nixbld:" /etc/group; then
|
||||
echo "nixbld:*:30000:$accounts" >> /etc/group
|
||||
fi
|
||||
|
||||
mkdir -p /nix/etc/nix
|
||||
cat > /nix/etc/nix/nix.conf <<EOF
|
||||
build-users-group = nixbld
|
||||
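Review bot: The three chmod calls that follow the `touch` lines all act on /etc/passwd, so /etc/group and /etc/shadow keep whatever mode `touch` gave them under the current umask, and /etc/shadow — which the next lines fill with root's entry — can end up world-readable; 0755 on /etc/passwd also sets an executable bit a plain text file never needs. The lines should read `touch /etc/passwd; chmod 0644 /etc/passwd`, `touch /etc/group; chmod 0644 /etc/group` and `touch /etc/shadow; chmod 0600 /etc/shadow`. Since the `echo | passwd --stdin root` below deliberately leaves root without a password (the comment above says so), the shadow file's mode is the only protection that state has, which makes the copy-paste worth fixing before this ships. The enclosing `if ! test -e /etc/group` block lies entirely within this hunk.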
@ -108,9 +109,6 @@ mkdir -m 0755 -p /nix/var/nix/temproots
|
||||
|
||||
ln -sf /nix/var/nix/profiles /nix/var/nix/gcroots/
|
||||
|
||||
chown root.nixbld /nix/store
|
||||
chmod 1775 /nix/store
|
||||
|
||||
|
||||
# Make a few setuid programs work.
|
||||
wrapperDir=@wrapperDir@
|
||||
|
@ -66,10 +66,11 @@ import ../helpers/make-etc.nix {
|
||||
)
|
||||
[
|
||||
"login"
|
||||
"sshd"
|
||||
"passwd"
|
||||
"useradd"
|
||||
"other"
|
||||
"passwd"
|
||||
"shadow"
|
||||
"sshd"
|
||||
"useradd"
|
||||
]
|
||||
);
|
||||
}
|
@ -1,4 +1,4 @@
|
||||
auth required @pam_unix2@/lib/security/pam_unix2.so
|
||||
auth required @pam_unix2@/lib/security/pam_unix2.so nullok
|
||||
account required @pam_unix2@/lib/security/pam_unix2.so
|
||||
password required @pam_unix2@/lib/security/pam_unix2.so nullok
|
||||
session required @pam_unix2@/lib/security/pam_unix2.so
|
||||
|
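Review bot: Adding `nullok` to the `auth` line lets any account whose shadow entry has an empty password field authenticate without a password, not only root; the commit message explains the goal for root, but nothing in the file records that the wider effect is intended. A one-line comment above that line, e.g. `# nullok: root is created with an empty password at first boot (see the accounts setup)`, would keep the next editor from removing it as a mistake and from missing that it applies to every user of this service. I cannot see which pam.d file this is; if it is the `other` fallback listed elsewhere in the commit, the scope is every service that has no file of its own, which is worth stating in the same comment.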
6
configuration/etc/pam.d/shadow
Normal file
6
configuration/etc/pam.d/shadow
Normal file
@ -0,0 +1,6 @@
|
||||
# Used by groupadd etc.
|
||||
auth sufficient pam_rootok.so
|
||||
auth required pam_permit.so
|
||||
account required pam_permit.so
|
||||
password required pam_permit.so
|
||||
session required pam_deny.so
|
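Review bot: `auth required pam_permit.so` on the second line makes the preceding `auth sufficient pam_rootok.so` irrelevant: a non-root caller fails pam_rootok, falls through to pam_permit and passes the auth stack anyway, so the stack does not restrict groupadd/useradd to root as the rootok line suggests it should. If root-only is the intent, the second line should be `auth required pam_deny.so`; if open auth is intended (presumably the tools still need root for the file writes themselves), drop the pam_rootok line instead. Either way the header comment `# Used by groupadd etc.` should say which of the two is meant, and why `session` is denied while the other stacks permit.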
@ -5,6 +5,11 @@ export PATH=/empty
|
||||
for i in @path@; do PATH=$PATH:$i/bin; done
|
||||
action="$1"
|
||||
|
||||
if ! test -e /etc/NIXOS; then
|
||||
echo "This is not a NixOS installation (/etc/NIXOS) is missing!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test -z "$action"; then
|
||||
cat <<EOF
|
||||
Usage: $0 [switch|boot|test]
|
||||
|
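Review bot: The new error message has its parenthesis in the wrong place and goes to stdout rather than stderr; `echo "This is not a NixOS installation (/etc/NIXOS is missing)!" >&2` reads correctly and keeps the diagnostic out of any captured output. A short comment above the check, `# Refuse to run on a foreign system: the steps below overwrite /etc and the bootloader`, would record why the marker is required, since the file itself does not say. The rest of the script, including the usage text, continues outside this hunk.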
@ -174,9 +174,12 @@ rec {
|
||||
readOnlyRoot = config.get ["boot" "readOnlyRoot"];
|
||||
hostName = config.get ["networking" "hostname"];
|
||||
wrapperDir = setuidWrapper.wrapperDir;
|
||||
accounts = ../helpers/accounts.sh;
|
||||
|
||||
path = [pkgs.coreutils pkgs.gnugrep pkgs.findutils];
|
||||
path = [
|
||||
pkgs.coreutils pkgs.gnugrep pkgs.findutils
|
||||
pkgs.glibc # needed for getent
|
||||
pkgs.pwdutils
|
||||
];
|
||||
|
||||
# We don't want to put all of `startPath' and `path' in $PATH, since
|
||||
# then we get an embarrassingly long $PATH. So use the user
|
||||
|
@ -1,6 +0,0 @@
|
||||
default linux
|
||||
prompt 1
|
||||
timeout 60
|
||||
label linux
|
||||
kernel vmlinuz
|
||||
append initrd=initrd selinux=0 apm=on acpi=on
|
@ -128,6 +128,11 @@ chroot $mountPoint @nix@/bin/nix-env \
|
||||
echo "$targetDevice / somefs rw 0 0" > $mountPoint/etc/mtab
|
||||
|
||||
|
||||
# Mark the target as a NixOS installation, otherwise
|
||||
# switch-to-configuration will chicken out.
|
||||
touch $mountPoint/etc/NIXOS
|
||||
|
||||
|
||||
# Switch to the new system configuration. This will install Grub with
|
||||
# a menu default pointing at the kernel/initrd/etc of the new
|
||||
# configuration.
|
||||
|
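Review bot: Style — `$mountPoint` is unquoted in the new `touch $mountPoint/etc/NIXOS`; the neighbouring `> $mountPoint/etc/mtab` does the same, so it is consistent, but a mount point containing whitespace would break all of them, and a new line is the natural place to start quoting: `touch "$mountPoint/etc/NIXOS"`. The comment above it is good; it might add that the marker is what switch-to-configuration tests for, which is all a reader needs to know here. The surrounding script extends beyond this hunk on both sides.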
@ -32,7 +32,7 @@ rec {
|
||||
cdMountPoints = pkgs.runCommand "mount-points" {} "
|
||||
ensureDir $out
|
||||
cd $out
|
||||
mkdir proc sys tmp etc dev var mnt nix nix/var
|
||||
mkdir proc sys tmp etc dev var mnt nix nix/var root
|
||||
touch $out/${configuration.boot.rootLabel}
|
||||
";
|
||||
|
||||
@ -64,6 +64,18 @@ rec {
|
||||
};
|
||||
|
||||
|
||||
# The configuration file for isolinux.
|
||||
isolinuxCfg = pkgs.writeText "isolinux.cfg" "
|
||||
default linux
|
||||
prompt 1
|
||||
timeout 60
|
||||
label linux
|
||||
kernel vmlinuz
|
||||
append initrd=initrd ${toString (system.config.get ["boot" "kernelParams"])}
|
||||
";
|
||||
|
||||
|
||||
|
||||
# Create an ISO image containing the isolinux boot loader, the
|
||||
# kernel, the initrd produced above, and the closure of the stage 2
|
||||
# init.
|
||||
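Review bot: The generated `append` line now carries only what `boot.kernelParams` contains, so the `selinux=0 apm=on acpi=on` that the deleted helpers/isolinux.cfg hard-coded are gone unless that option's default supplies them; the option definition is not visible here, so please confirm it does, or record the intentional drop in the `# The configuration file for isolinux.` comment. `toString` on a list joins the elements with single spaces, so the interpolation itself is sound.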
@ -75,7 +87,7 @@ rec {
|
||||
{ source = pkgs.syslinux + "/lib/syslinux/isolinux.bin";
|
||||
target = "isolinux/isolinux.bin";
|
||||
}
|
||||
{ source = ../helpers/isolinux.cfg;
|
||||
{ source = isolinuxCfg;
|
||||
target = "isolinux/isolinux.cfg";
|
||||
}
|
||||
{ source = pkgs.kernel + "/vmlinuz";
|
||||
|
@ -32,7 +32,9 @@ start script
|
||||
# Kill udev, let Upstart restart and monitor it. (This is nasty,
|
||||
# but we have to run udevtrigger first. Maybe we can use
|
||||
# Upstart's `binary' keyword, but it isn't implemented yet.)
|
||||
${procps}/bin/pkill -u root '^udevd$'
|
||||
if ${procps}/bin/pkill -u root '^udevd$'; then
|
||||
echo \"couldn't stop udevd\"
|
||||
fi
|
||||
end script
|
||||
|
||||
respawn ${udev}/sbin/udevd
|
||||
|
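Review bot: The condition is inverted: pkill exits 0 when it found and signalled a matching process, so `echo \"couldn't stop udevd\"` now prints exactly when udevd was stopped and stays silent when nothing matched. The line should be `if ! ${procps}/bin/pkill -u root '^udevd$'; then`, and sending the message to stderr (`>&2`) would keep it distinct from normal job output. If the `if` was added only so a missing udevd does not abort the script, that deserves a comment, since the message otherwise reads as a hard error. The `start script` block begins before this hunk.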