nixos/shadow: introduce security.shadow.enable

Allow users to disable the shadow authentication suite. My primary motivation is to reduce the attack surface via setuid binaries, which shadow understandably introduces many. I realised, however, that I don't use any of these. The test demonstrates login working without needing the shadow suite.
2024-11-25 16:33:15 +00:00 · 2024-05-16 22:09:13 +10:00 · 2024-05-16 22:09:13 +10:00 · 725777250b
commit 725777250b
parent 8c931d0ab0
3 changed files with 157 additions and 86 deletions
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@ -5,6 +5,17 @@ let
 in
 {
  options = with lib.types; {
+
+    security.shadow.enable = lib.mkEnableOption "" // {
+      default = true;
+      description = ''
+        Enable the shadow authentication suite, which provides critical programs such as su, login, passwd.
+
+        Note: This is currently experimental. Only disable this if you're
+        confident that you can recover your system if it breaks.
+      '';
+    };
+
    security.loginDefs = {
      package = lib.mkPackageOption pkgs "shadow" { };

@ -138,7 +149,16 @@ in

  ###### implementation

-  config = {
+  config = lib.mkMerge [
+    {
+      assertions = [
+        {
+          assertion = config.security.shadow.enable || config.services.greetd.enable;
+          message = "You must enable at least one VT login method, either security.shadow.enable or services.greetd.enable";
+        }
+      ];
+    }
+    (lib.mkIf config.security.shadow.enable {
      assertions = [
        {
          assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX;
@ -234,5 +254,6 @@ in
            chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";
            passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd";
          };
-  };
+    })
+  ];
 }
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -380,6 +380,7 @@ in {
  grafana-agent = handleTest ./grafana-agent.nix {};
  graphite = handleTest ./graphite.nix {};
  graylog = handleTest ./graylog.nix {};
+  greetd-no-shadow = handleTest ./greetd-no-shadow.nix {};
  grocy = handleTest ./grocy.nix {};
  grow-partition = runTest ./grow-partition.nix;
  grub = handleTest ./grub.nix {};
--- a/nixos/tests/greetd-no-shadow.nix
+++ b/nixos/tests/greetd-no-shadow.nix
@ -0,0 +1,49 @@
+import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... }:
+{
+  name = "greetd-no-shadow";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ ];
+  };
+
+  nodes.machine =
+    { pkgs, lib, ... }: {
+
+      users.users.alice = {
+        isNormalUser = true;
+        group = "alice";
+        password = "foobar";
+      };
+      users.groups.alice = {};
+
+      # This means login(1) breaks, so we must use greetd/agreety instead.
+      security.shadow.enable = false;
+
+      services.greetd = {
+        enable = true;
+        settings = {
+          default_session = {
+            command = "${pkgs.greetd.greetd}/bin/agreety --cmd bash";
+          };
+        };
+      };
+    };
+
+  testScript = ''
+      machine.start()
+
+      machine.wait_for_unit("multi-user.target")
+      machine.wait_until_succeeds("pgrep -f 'agretty.*tty1'")
+      machine.screenshot("postboot")
+
+      with subtest("Log in as alice on a virtual console"):
+          machine.wait_until_tty_matches("1", "login: ")
+          machine.send_chars("alice\n")
+          machine.wait_until_tty_matches("1", "login: alice")
+          machine.wait_until_succeeds("pgrep login")
+          machine.wait_until_tty_matches("1", "Password: ")
+          machine.send_chars("foobar\n")
+          machine.wait_until_succeeds("pgrep -u alice bash")
+          machine.send_chars("touch done\n")
+          machine.wait_for_file("/home/alice/done")
+  '';
+})