* On the CD or on a newly installed system, create the root account

with an empty password, rather than with a hashed empty password. The latter is a security risk, because it allows remote root logins if a user enables sshd before setting a proper root password. * Allow empty passwords for login and slim, but nothing else. svn path=/nixos/trunk/; revision=17833
2025-01-29 16:24:10 +00:00 · 2009-10-15 14:41:59 +00:00 · 2009-10-15 14:41:59 +00:00 · 5dfaf565bf
commit 5dfaf565bf
parent 77ec877a8c
3 changed files with 14 additions and 4 deletions
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@ -32,6 +32,14 @@ let
    , # Whether to forward XAuth keys between users.  Mostly useful
      # for "su".
      forwardXAuth ? false
+    , # Whether to allow logging into accounts that have no password
+      # set (i.e., have an empty password field in /etc/passwd or
+      # /etc/group).  This does not enable logging into disabled
+      # accounts (i.e., that have the password field set to `!').
+      # Note that regardless of what the pam_unix2 documentation says,
+      # accounts with hashed empty passwords are always allowed to log
+      # in.
+      allowNullPassword ? false
    }:

    { source = pkgs.writeText "${name}.pam"
@ -49,7 +57,8 @@ let
              "auth sufficient pam_rootok.so"}
          ${optionalString config.users.ldap.enable
              "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
-          auth sufficient ${pam_unix2}/lib/security/pam_unix2.so
+          auth sufficient ${pam_unix2}/lib/security/pam_unix2.so ${
+            optionalString allowNullPassword "nullok"}
          auth required   pam_deny.so

          # Password management.
@ -139,7 +148,7 @@ in
        { name = "useradd"; rootOK = true; }
        # Used by groupadd etc.
        { name = "shadow"; rootOK = true; }
-        { name = "login"; ownDevices = true; }
+        { name = "login"; ownDevices = true; allowNullPassword = true; }
      ];

  };
--- a/modules/services/x11/display-managers/slim.nix
+++ b/modules/services/x11/display-managers/slim.nix
@ -104,7 +104,9 @@ in
        execCmd = "${pkgs.slim}/bin/slim";
      };

-    security.pam.services = [ { name = "slim"; } ];
+    # Allow null passwords so that the user can login as root on the
+    # installation CD.
+    security.pam.services = [ { name = "slim"; allowNullPassword = true; } ];

  };

--- a/modules/system/activation/activation-script.nix
+++ b/modules/system/activation/activation-script.nix
@ -112,7 +112,6 @@ let
          # (bootstrap problem!).
          echo "root:x:0:0:System administrator:$rootHome:${config.users.defaultUserShell}" >> /etc/passwd
          echo "root::::::::" >> /etc/shadow
-          echo | passwd --stdin root
      fi
    '' [
      "defaultPath" # path to touch & passwd