Don't set an initial null root password for Amazon / VirtualBox images

A null password allows logging into local PAM services such as "login" (agetty) and KDM. That's not actually a security problem for EC2 machines, since they do not have "local" logins; for VirtualBox machines, if you local access, you can do anything anyway. But it's better to be on the safe side and disable password-based logins for root.
2024-11-22 23:13:19 +00:00 · 2013-11-01 14:45:56 +01:00 · 2013-11-01 14:45:56 +01:00 · 4ba7dfde5b
commit 4ba7dfde5b
parent 8352df8d66
3 changed files with 25 additions and 1 deletions
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -188,6 +188,20 @@ in
      options = [ groupOpts ];
    };

+    security.initialRootPassword = mkOption {
+      type = types.str;
+      default = "";
+      example = "!";
+      description = ''
+        The (hashed) password for the root account set on initial
+        installation.  The empty string denotes that root can login
+        locally without a password (but not via remote services such
+        as SSH, or indirectly via <command>su</command> or
+        <command>sudo</command>).  The string <literal>!</literal>
+        prevents root from logging in using a password.
+      '';
+    };
+
  };


@ -240,7 +254,7 @@ in
            # Can't use useradd, since it complains that it doesn't know us
            # (bootstrap problem!).
            echo "root:x:0:0:System administrator:$rootHome:${config.users.defaultUserShell}" >> /etc/passwd
-            echo "root::::::::" >> /etc/shadow
+            echo "root:${config.security.initialRootPassword}:::::::" >> /etc/shadow
        fi
      '';

--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@ -160,4 +160,9 @@ with pkgs.lib;
  environment.systemPackages = [ pkgs.cryptsetup ];

  boot.initrd.supportedFilesystems = [ "unionfs-fuse" ];
+
+  # Prevent logging in as root without a password.  This doesn't really matter,
+  # since the only PAM services that allow logging in with a null
+  # password are local ones that are inaccessible on EC2 machines.
+  security.initialRootPassword = "!";
 }
--- a/nixos/modules/virtualisation/virtualbox-image.nix
+++ b/nixos/modules/virtualisation/virtualbox-image.nix
@ -107,4 +107,9 @@ with pkgs.lib;
  boot.loader.grub.device = "/dev/sda";

  services.virtualbox.enable = true;
+
+  # Prevent logging in as root without a password.  For NixOps, we
+  # don't need this because the user can login via SSH, and for the
+  # demo images, there is a demo user account that can sudo to root.
+  security.initialRootPassword = "!";
 }