From 5dfaf565bf4f257121df6c4c19b590bee935605d Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 15 Oct 2009 14:41:59 +0000 Subject: [PATCH] * On the CD or on a newly installed system, create the root account with an empty password, rather than with a hashed empty password. The latter is a security risk, because it allows remote root logins if a user enables sshd before setting a proper root password. * Allow empty passwords for login and slim, but nothing else. svn path=/nixos/trunk/; revision=17833 --- modules/security/pam.nix | 13 +++++++++++-- modules/services/x11/display-managers/slim.nix | 4 +++- modules/system/activation/activation-script.nix | 1 - 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/modules/security/pam.nix b/modules/security/pam.nix index c8090ed691e7..904cf438bffb 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix @@ -32,6 +32,14 @@ let , # Whether to forward XAuth keys between users. Mostly useful # for "su". forwardXAuth ? false + , # Whether to allow logging into accounts that have no password + # set (i.e., have an empty password field in /etc/passwd or + # /etc/group). This does not enable logging into disabled + # accounts (i.e., that have the password field set to `!'). + # Note that regardless of what the pam_unix2 documentation says, + # accounts with hashed empty passwords are always allowed to log + # in. + allowNullPassword ? false }: { source = pkgs.writeText "${name}.pam" @@ -49,7 +57,8 @@ let "auth sufficient pam_rootok.so"} ${optionalString config.users.ldap.enable "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"} - auth sufficient ${pam_unix2}/lib/security/pam_unix2.so + auth sufficient ${pam_unix2}/lib/security/pam_unix2.so ${ + optionalString allowNullPassword "nullok"} auth required pam_deny.so # Password management. 
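Review bot: The new comment on `allowNullPassword` in the first pam.nix hunk says the empty password field is in /etc/passwd or /etc/group, which points the reader at the wrong file. The activation-script hunk in this same patch writes `x` into root's /etc/passwd entry and leaves the field empty in /etc/shadow, and /etc/group holds group passwords rather than login passwords. I would reword that line to `# set (i.e., have an empty password field in /etc/passwd or /etc/shadow).`. The argument list this comment belongs to starts above the hunk.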
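Review bot: The `nullok` gate added to the pam_unix2 `auth` line in the second pam.nix hunk only covers accounts whose password field is empty; as the option comment in the previous hunk states, a hashed empty password is accepted whether or not `nullok` is set. Systems installed before this patch presumably still carry the hashed empty root password produced by the removed `echo | passwd --stdin root`, so leaving `allowNullPassword` at `false` for other services does not protect them until root gets a real password. A comment beside the line would make that limit visible, e.g. `# nullok has no effect on hashed empty passwords; such accounts need a real password or a locked field`. Only the auth stack is visible here, so it is worth confirming that the password stack further down still lets `passwd` set a password on an account with an empty field.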
@@ -139,7 +148,7 @@ in { name = "useradd"; rootOK = true; } # Used by groupadd etc. { name = "shadow"; rootOK = true; } - { name = "login"; ownDevices = true; } + { name = "login"; ownDevices = true; allowNullPassword = true; } ]; }; diff --git a/modules/services/x11/display-managers/slim.nix b/modules/services/x11/display-managers/slim.nix index 2f1e8c8e21a7..af15e0df5e60 100644 --- a/modules/services/x11/display-managers/slim.nix +++ b/modules/services/x11/display-managers/slim.nix @@ -104,7 +104,9 @@ in execCmd = "${pkgs.slim}/bin/slim"; }; - security.pam.services = [ { name = "slim"; } ]; + # Allow null passwords so that the user can login as root on the + # installation CD. + security.pam.services = [ { name = "slim"; allowNullPassword = true; } ]; }; diff --git a/modules/system/activation/activation-script.nix b/modules/system/activation/activation-script.nix index 34b222435c25..a62120363f25 100644 --- a/modules/system/activation/activation-script.nix +++ b/modules/system/activation/activation-script.nix @@ -112,7 +112,6 @@ let # (bootstrap problem!). echo "root:x:0:0:System administrator:$rootHome:${config.users.defaultUserShell}" >> /etc/passwd echo "root::::::::" >> /etc/shadow - echo | passwd --stdin root fi '' [ "defaultPath" # path to touch & passwd
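Review bot: `allowNullPassword = true` on the `login` entry is unconditional, so passwordless console login is permitted on every system built from these modules, not only on the installation CD. The slim.nix hunk below does the same, and its comment mentions only the CD. Any account left with an empty shadow field, which is how the activation script now creates root, can log in locally until a password is set. I would add a comment on the `login` entry and widen the slim one, e.g. `# Allow null passwords so that root can log in on the CD and on a fresh install; this also applies to installed systems until a password is set.`. If installed systems are not meant to be covered, the flag would be better set from the installation-CD configuration, which is not part of this patch.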