nixos/shadow: introduce security.shadow.enable

Allow users to disable the shadow authentication suite.

My primary motivation is to reduce the attack surface via setuid
binaries, which shadow understandably introduces many. I realised,
however, that I don't use any of these.

The test demonstrates login working without needing the shadow suite.

nixos/modules/programs/shadow.nix

@@ -5,6 +5,17 @@ let
 in
 {
   options = with lib.types; {
+
+    security.shadow.enable = lib.mkEnableOption "" // {
+      default = true;
+      description = ''
+        Enable the shadow authentication suite, which provides critical programs such as su, login, passwd.
+
+        Note: This is currently experimental. Only disable this if you're
+        confident that you can recover your system if it breaks.
+      '';
+    };
+
     security.loginDefs = {
       package = lib.mkPackageOption pkgs "shadow" { };
 
@@ -138,101 +149,111 @@ in
 
   ###### implementation
 
-  config = {
+  config = lib.mkMerge [
-    assertions = [
+    {
-      {
+      assertions = [
-        assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX;
+        {
-        message = "SYS_UID_MIN must be less than or equal to SYS_UID_MAX";
+          assertion = config.security.shadow.enable || config.services.greetd.enable;
-      }
+          message = "You must enable at least one VT login method, either security.shadow.enable or services.greetd.enable";
-      {
+        }
-        assertion = cfg.settings.UID_MIN <= cfg.settings.UID_MAX;
+      ];
-        message = "UID_MIN must be less than or equal to UID_MAX";
+    }
-      }
+    (lib.mkIf config.security.shadow.enable {
-      {
+      assertions = [
-        assertion = cfg.settings.SYS_GID_MIN <= cfg.settings.SYS_GID_MAX;
+        {
-        message = "SYS_GID_MIN must be less than or equal to SYS_GID_MAX";
+          assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX;
-      }
+          message = "SYS_UID_MIN must be less than or equal to SYS_UID_MAX";
-      {
+        }
-        assertion = cfg.settings.GID_MIN <= cfg.settings.GID_MAX;
+        {
-        message = "GID_MIN must be less than or equal to GID_MAX";
+          assertion = cfg.settings.UID_MIN <= cfg.settings.UID_MAX;
-      }
+          message = "UID_MIN must be less than or equal to UID_MAX";
-    ];
+        }
+        {
+          assertion = cfg.settings.SYS_GID_MIN <= cfg.settings.SYS_GID_MAX;
+          message = "SYS_GID_MIN must be less than or equal to SYS_GID_MAX";
+        }
+        {
+          assertion = cfg.settings.GID_MIN <= cfg.settings.GID_MAX;
+          message = "GID_MIN must be less than or equal to GID_MAX";
+        }
+      ];
 
-    security.loginDefs.settings.CHFN_RESTRICT =
+      security.loginDefs.settings.CHFN_RESTRICT =
-      lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;
+        lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;
 
-    environment.systemPackages = lib.optional config.users.mutableUsers cfg.package
+      environment.systemPackages = lib.optional config.users.mutableUsers cfg.package
-      ++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell
+                                   ++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell
-      ++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux;
+                                   ++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux;
 
-    environment.etc =
+      environment.etc =
-      # Create custom toKeyValue generator
+        # Create custom toKeyValue generator
-      # see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification
+        # see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification
-      let
+        let
-        toKeyValue = lib.generators.toKeyValue {
+          toKeyValue = lib.generators.toKeyValue {
-          mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
+            mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
-        };
+          };
-      in
+        in
-      {
+          {
-        # /etc/login.defs: global configuration for pwdutils.
+            # /etc/login.defs: global configuration for pwdutils.
-        # You cannot login without it!
+            # You cannot login without it!
-        "login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);
+            "login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);
 
-        # /etc/default/useradd: configuration for useradd.
+            # /etc/default/useradd: configuration for useradd.
-        "default/useradd".source = pkgs.writeText "useradd" ''
+            "default/useradd".source = pkgs.writeText "useradd" ''
           GROUP=100
           HOME=/home
           SHELL=${utils.toShellPath config.users.defaultUserShell}
         '';
-      };
+          };
 
-    security.pam.services = {
+      security.pam.services = {
-      chsh = { rootOK = true; };
+        chsh = { rootOK = true; };
-      chfn = { rootOK = true; };
+        chfn = { rootOK = true; };
-      su = {
+        su = {
-        rootOK = true;
+          rootOK = true;
-        forwardXAuth = true;
+          forwardXAuth = true;
-        logFailures = true;
+          logFailures = true;
-      };
-      passwd = { };
-      # Note: useradd, groupadd etc. aren't setuid root, so it
-      # doesn't really matter what the PAM config says as long as it
-      # lets root in.
-      useradd.rootOK = true;
-      usermod.rootOK = true;
-      userdel.rootOK = true;
-      groupadd.rootOK = true;
-      groupmod.rootOK = true;
-      groupmems.rootOK = true;
-      groupdel.rootOK = true;
-      login = {
-        startSession = true;
-        allowNullPassword = true;
-        showMotd = true;
-        updateWtmp = true;
-      };
-      chpasswd = { rootOK = true; };
-    };
-
-    security.wrappers =
-      let
-        mkSetuidRoot = source: {
-          setuid = true;
-          owner = "root";
-          group = "root";
-          inherit source;
         };
-      in
+        passwd = { };
-      {
+        # Note: useradd, groupadd etc. aren't setuid root, so it
-        su = mkSetuidRoot "${cfg.package.su}/bin/su";
+        # doesn't really matter what the PAM config says as long as it
-        sg = mkSetuidRoot "${cfg.package.out}/bin/sg";
+        # lets root in.
-        newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp";
+        useradd.rootOK = true;
-        newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
+        usermod.rootOK = true;
-        newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap";
+        userdel.rootOK = true;
-      }
+        groupadd.rootOK = true;
-      // lib.optionalAttrs config.users.mutableUsers {
+        groupmod.rootOK = true;
-        chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";
+        groupmems.rootOK = true;
-        passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd";
+        groupdel.rootOK = true;
+        login = {
+          startSession = true;
+          allowNullPassword = true;
+          showMotd = true;
+          updateWtmp = true;
+        };
+        chpasswd = { rootOK = true; };
       };
-  };
+
+      security.wrappers =
+        let
+          mkSetuidRoot = source: {
+            setuid = true;
+            owner = "root";
+            group = "root";
+            inherit source;
+          };
+        in
+          {
+            su = mkSetuidRoot "${cfg.package.su}/bin/su";
+            sg = mkSetuidRoot "${cfg.package.out}/bin/sg";
+            newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp";
+            newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
+            newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap";
+          }
+          // lib.optionalAttrs config.users.mutableUsers {
+            chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";
+            passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd";
+          };
+    })
+  ];
 }

nixos/tests/all-tests.nix

@@ -380,6 +380,7 @@ in {
   grafana-agent = handleTest ./grafana-agent.nix {};
   graphite = handleTest ./graphite.nix {};
   graylog = handleTest ./graylog.nix {};
+  greetd-no-shadow = handleTest ./greetd-no-shadow.nix {};
   grocy = handleTest ./grocy.nix {};
   grow-partition = runTest ./grow-partition.nix;
   grub = handleTest ./grub.nix {};

nixos/tests/greetd-no-shadow.nix

@@ -0,0 +1,49 @@
+import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... }:
+{
+  name = "greetd-no-shadow";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ ];
+  };
+
+  nodes.machine =
+    { pkgs, lib, ... }: {
+
+      users.users.alice = {
+        isNormalUser = true;
+        group = "alice";
+        password = "foobar";
+      };
+      users.groups.alice = {};
+
+      # This means login(1) breaks, so we must use greetd/agreety instead.
+      security.shadow.enable = false;
+
+      services.greetd = {
+        enable = true;
+        settings = {
+          default_session = {
+            command = "${pkgs.greetd.greetd}/bin/agreety --cmd bash";
+          };
+        };
+      };
+    };
+
+  testScript = ''
+      machine.start()
+
+      machine.wait_for_unit("multi-user.target")
+      machine.wait_until_succeeds("pgrep -f 'agretty.*tty1'")
+      machine.screenshot("postboot")
+
+      with subtest("Log in as alice on a virtual console"):
+          machine.wait_until_tty_matches("1", "login: ")
+          machine.send_chars("alice\n")
+          machine.wait_until_tty_matches("1", "login: alice")
+          machine.wait_until_succeeds("pgrep login")
+          machine.wait_until_tty_matches("1", "Password: ")
+          machine.send_chars("foobar\n")
+          machine.wait_until_succeeds("pgrep -u alice bash")
+          machine.send_chars("touch done\n")
+          machine.wait_for_file("/home/alice/done")
+  '';
+})