mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-25 16:33:15 +00:00
nixos/shadow: introduce security.shadow.enable
Allow users to disable the shadow authentication suite. My primary motivation is to reduce the attack surface via setuid binaries, which shadow understandably introduces many. I realised, however, that I don't use any of these. The test demonstrates login working without needing the shadow suite.
This commit is contained in:
parent
8c931d0ab0
commit
725777250b
@ -5,6 +5,17 @@ let
|
||||
in
|
||||
{
|
||||
options = with lib.types; {
|
||||
|
||||
security.shadow.enable = lib.mkEnableOption "" // {
|
||||
default = true;
|
||||
description = ''
|
||||
Enable the shadow authentication suite, which provides critical programs such as su, login, passwd.
|
||||
|
||||
Note: This is currently experimental. Only disable this if you're
|
||||
confident that you can recover your system if it breaks.
|
||||
'';
|
||||
};
|
||||
|
||||
security.loginDefs = {
|
||||
package = lib.mkPackageOption pkgs "shadow" { };
|
||||
|
||||
@ -138,101 +149,111 @@ in
|
||||
|
||||
###### implementation
|
||||
|
||||
config = {
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX;
|
||||
message = "SYS_UID_MIN must be less than or equal to SYS_UID_MAX";
|
||||
}
|
||||
{
|
||||
assertion = cfg.settings.UID_MIN <= cfg.settings.UID_MAX;
|
||||
message = "UID_MIN must be less than or equal to UID_MAX";
|
||||
}
|
||||
{
|
||||
assertion = cfg.settings.SYS_GID_MIN <= cfg.settings.SYS_GID_MAX;
|
||||
message = "SYS_GID_MIN must be less than or equal to SYS_GID_MAX";
|
||||
}
|
||||
{
|
||||
assertion = cfg.settings.GID_MIN <= cfg.settings.GID_MAX;
|
||||
message = "GID_MIN must be less than or equal to GID_MAX";
|
||||
}
|
||||
];
|
||||
config = lib.mkMerge [
|
||||
{
|
||||
assertions = [
|
||||
{
|
||||
assertion = config.security.shadow.enable || config.services.greetd.enable;
|
||||
message = "You must enable at least one VT login method, either security.shadow.enable or services.greetd.enable";
|
||||
}
|
||||
];
|
||||
}
|
||||
(lib.mkIf config.security.shadow.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX;
|
||||
message = "SYS_UID_MIN must be less than or equal to SYS_UID_MAX";
|
||||
}
|
||||
{
|
||||
assertion = cfg.settings.UID_MIN <= cfg.settings.UID_MAX;
|
||||
message = "UID_MIN must be less than or equal to UID_MAX";
|
||||
}
|
||||
{
|
||||
assertion = cfg.settings.SYS_GID_MIN <= cfg.settings.SYS_GID_MAX;
|
||||
message = "SYS_GID_MIN must be less than or equal to SYS_GID_MAX";
|
||||
}
|
||||
{
|
||||
assertion = cfg.settings.GID_MIN <= cfg.settings.GID_MAX;
|
||||
message = "GID_MIN must be less than or equal to GID_MAX";
|
||||
}
|
||||
];
|
||||
|
||||
security.loginDefs.settings.CHFN_RESTRICT =
|
||||
lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;
|
||||
security.loginDefs.settings.CHFN_RESTRICT =
|
||||
lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;
|
||||
|
||||
environment.systemPackages = lib.optional config.users.mutableUsers cfg.package
|
||||
++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell
|
||||
++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux;
|
||||
environment.systemPackages = lib.optional config.users.mutableUsers cfg.package
|
||||
++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell
|
||||
++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux;
|
||||
|
||||
environment.etc =
|
||||
# Create custom toKeyValue generator
|
||||
# see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification
|
||||
let
|
||||
toKeyValue = lib.generators.toKeyValue {
|
||||
mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
|
||||
};
|
||||
in
|
||||
{
|
||||
# /etc/login.defs: global configuration for pwdutils.
|
||||
# You cannot login without it!
|
||||
"login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);
|
||||
environment.etc =
|
||||
# Create custom toKeyValue generator
|
||||
# see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification
|
||||
let
|
||||
toKeyValue = lib.generators.toKeyValue {
|
||||
mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
|
||||
};
|
||||
in
|
||||
{
|
||||
# /etc/login.defs: global configuration for pwdutils.
|
||||
# You cannot login without it!
|
||||
"login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);
|
||||
|
||||
# /etc/default/useradd: configuration for useradd.
|
||||
"default/useradd".source = pkgs.writeText "useradd" ''
|
||||
# /etc/default/useradd: configuration for useradd.
|
||||
"default/useradd".source = pkgs.writeText "useradd" ''
|
||||
GROUP=100
|
||||
HOME=/home
|
||||
SHELL=${utils.toShellPath config.users.defaultUserShell}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
security.pam.services = {
|
||||
chsh = { rootOK = true; };
|
||||
chfn = { rootOK = true; };
|
||||
su = {
|
||||
rootOK = true;
|
||||
forwardXAuth = true;
|
||||
logFailures = true;
|
||||
};
|
||||
passwd = { };
|
||||
# Note: useradd, groupadd etc. aren't setuid root, so it
|
||||
# doesn't really matter what the PAM config says as long as it
|
||||
# lets root in.
|
||||
useradd.rootOK = true;
|
||||
usermod.rootOK = true;
|
||||
userdel.rootOK = true;
|
||||
groupadd.rootOK = true;
|
||||
groupmod.rootOK = true;
|
||||
groupmems.rootOK = true;
|
||||
groupdel.rootOK = true;
|
||||
login = {
|
||||
startSession = true;
|
||||
allowNullPassword = true;
|
||||
showMotd = true;
|
||||
updateWtmp = true;
|
||||
};
|
||||
chpasswd = { rootOK = true; };
|
||||
};
|
||||
|
||||
security.wrappers =
|
||||
let
|
||||
mkSetuidRoot = source: {
|
||||
setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
inherit source;
|
||||
security.pam.services = {
|
||||
chsh = { rootOK = true; };
|
||||
chfn = { rootOK = true; };
|
||||
su = {
|
||||
rootOK = true;
|
||||
forwardXAuth = true;
|
||||
logFailures = true;
|
||||
};
|
||||
in
|
||||
{
|
||||
su = mkSetuidRoot "${cfg.package.su}/bin/su";
|
||||
sg = mkSetuidRoot "${cfg.package.out}/bin/sg";
|
||||
newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp";
|
||||
newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
|
||||
newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap";
|
||||
}
|
||||
// lib.optionalAttrs config.users.mutableUsers {
|
||||
chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";
|
||||
passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd";
|
||||
passwd = { };
|
||||
# Note: useradd, groupadd etc. aren't setuid root, so it
|
||||
# doesn't really matter what the PAM config says as long as it
|
||||
# lets root in.
|
||||
useradd.rootOK = true;
|
||||
usermod.rootOK = true;
|
||||
userdel.rootOK = true;
|
||||
groupadd.rootOK = true;
|
||||
groupmod.rootOK = true;
|
||||
groupmems.rootOK = true;
|
||||
groupdel.rootOK = true;
|
||||
login = {
|
||||
startSession = true;
|
||||
allowNullPassword = true;
|
||||
showMotd = true;
|
||||
updateWtmp = true;
|
||||
};
|
||||
chpasswd = { rootOK = true; };
|
||||
};
|
||||
};
|
||||
|
||||
security.wrappers =
|
||||
let
|
||||
mkSetuidRoot = source: {
|
||||
setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
inherit source;
|
||||
};
|
||||
in
|
||||
{
|
||||
su = mkSetuidRoot "${cfg.package.su}/bin/su";
|
||||
sg = mkSetuidRoot "${cfg.package.out}/bin/sg";
|
||||
newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp";
|
||||
newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
|
||||
newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap";
|
||||
}
|
||||
// lib.optionalAttrs config.users.mutableUsers {
|
||||
chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";
|
||||
passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd";
|
||||
};
|
||||
})
|
||||
];
|
||||
}
|
||||
|
@ -380,6 +380,7 @@ in {
|
||||
grafana-agent = handleTest ./grafana-agent.nix {};
|
||||
graphite = handleTest ./graphite.nix {};
|
||||
graylog = handleTest ./graylog.nix {};
|
||||
greetd-no-shadow = handleTest ./greetd-no-shadow.nix {};
|
||||
grocy = handleTest ./grocy.nix {};
|
||||
grow-partition = runTest ./grow-partition.nix;
|
||||
grub = handleTest ./grub.nix {};
|
||||
|
49
nixos/tests/greetd-no-shadow.nix
Normal file
49
nixos/tests/greetd-no-shadow.nix
Normal file
@ -0,0 +1,49 @@
|
||||
import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... }:
|
||||
{
|
||||
name = "greetd-no-shadow";
|
||||
meta = with pkgs.lib.maintainers; {
|
||||
maintainers = [ ];
|
||||
};
|
||||
|
||||
nodes.machine =
|
||||
{ pkgs, lib, ... }: {
|
||||
|
||||
users.users.alice = {
|
||||
isNormalUser = true;
|
||||
group = "alice";
|
||||
password = "foobar";
|
||||
};
|
||||
users.groups.alice = {};
|
||||
|
||||
# This means login(1) breaks, so we must use greetd/agreety instead.
|
||||
security.shadow.enable = false;
|
||||
|
||||
services.greetd = {
|
||||
enable = true;
|
||||
settings = {
|
||||
default_session = {
|
||||
command = "${pkgs.greetd.greetd}/bin/agreety --cmd bash";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
machine.start()
|
||||
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
machine.wait_until_succeeds("pgrep -f 'agretty.*tty1'")
|
||||
machine.screenshot("postboot")
|
||||
|
||||
with subtest("Log in as alice on a virtual console"):
|
||||
machine.wait_until_tty_matches("1", "login: ")
|
||||
machine.send_chars("alice\n")
|
||||
machine.wait_until_tty_matches("1", "login: alice")
|
||||
machine.wait_until_succeeds("pgrep login")
|
||||
machine.wait_until_tty_matches("1", "Password: ")
|
||||
machine.send_chars("foobar\n")
|
||||
machine.wait_until_succeeds("pgrep -u alice bash")
|
||||
machine.send_chars("touch done\n")
|
||||
machine.wait_for_file("/home/alice/done")
|
||||
'';
|
||||
})
|
Loading…
Reference in New Issue
Block a user