Commit Graph

66 Commits

Author SHA1 Message Date
Peter Simons
a025e848e0 modules/security/sudo.nix: added 'wheelNeedsPassword' option (default: true)
Change this setting to 'false' to allow users in the 'wheel' group to execute
commands as super user without entering a password.
2012-08-13 14:37:32 +02:00
Florian Friesdorf
14a8532ee0 add NIX_CONF_DIR to sudo env_keep variables (suggested by Eelco Dolstra)
this enables nix-collect-garbage under sudo to respect nix.conf, e.g.:

    gc-keep-outputs = true
    gc-keep-derivations = true
2012-07-27 12:25:11 +02:00
Your Name
4549bad2f4 AppArmor: packaged 2012-07-22 16:31:49 +03:00
Mathijs Kwik
26bf696350 Revert "allow out-of-tree nixos modules"
This reverts commit b609ff4fcf.

It turns out this can just be done using "require".
2012-07-21 18:30:58 +02:00
Mathijs Kwik
b609ff4fcf allow out-of-tree nixos modules
The environment variable "NIXOS_EXTRA_MODULES" is now checked to
contain a path to a file similar to modules/module-list.nix.

This gives the ability to include nixos modules that are not in the
nixos source tree.

This can be useful for modules that are still experimental, or which
aren't useful for other nixos users. Of course, this was already
possible to do this using a forked nixos tree, but with this
functionality, you can just rely on the nixos channel, easing things a
lot.
2012-07-21 17:35:50 +02:00
Peter Simons
4553a27a92 modules/security/pam.nix: add xscreensaver to the list of services 2012-07-17 13:01:09 +02:00
Eelco Dolstra
63517eca1b * Actually use the security.pam.enableSSHAgentAuth option.
http://hydra.nixos.org/build/2698800

svn path=/nixos/trunk/; revision=34483
2012-06-12 20:21:15 +00:00
Eelco Dolstra
03653d43eb * Add support for sudo authentication using the SSH agent. This
allows password-less servers.

svn path=/nixos/trunk/; revision=34474
2012-06-11 22:41:07 +00:00
Peter Simons
51b5da4023 modules/security/pam.nix: sort security.pam.services alphabetically
svn path=/nixos/trunk/; revision=34437
2012-06-11 07:12:41 +00:00
Peter Simons
5c3593be46 Add PAM configuration for vlock.
svn path=/nixos/trunk/; revision=34436
2012-06-11 07:12:39 +00:00
Peter Simons
4c54fcaf45 pam security for i3lock
svn path=/nixos/trunk/; revision=34435
2012-06-11 07:10:25 +00:00
Eelco Dolstra
801cd7402c * Don't use ‘chown user.group’ since that syntax is not officially
supported (you're supposed to say ‘chown user:group’).

svn path=/nixos/trunk/; revision=34161
2012-05-17 19:43:32 +00:00
Florian Friesdorf
5115e6a1d0 keep NIX_PATH in sudo env
fixes:
file `nixpkgs' was not found in the Nix search path (add it using $NIX_PATH or -I)

svn path=/nixos/trunk/; revision=32973
2012-03-10 16:11:40 +00:00
Eelco Dolstra
a6f410f144 * Obsolete security.extraSetuidPrograms.
svn path=/nixos/trunk/; revision=32723
2012-03-01 20:10:46 +00:00
Florian Friesdorf
0862ca9fa7 sudoers: LOCALE_ARCHIVE, TERMINFO_DIRS for root and %wheel
svn path=/nixos/trunk/; revision=31491
2012-01-12 07:54:14 +00:00
Peter Simons
20b364f4de Reverting revisions 30103-30106: "always set nixpkgs.config.{state,store}Dir", etc.
After the change from revision 30103, nixos-rebuild suddenly consumed
freaky amounts of memory. I had to abort the process after it had
allocated well in excess of 30GB(!) of RAM. I'm not sure what is causing
this behavior, but undoing that assignment fixes the problem. The other
two commits needed to be revoked, too, because they depend on 30103.

svn path=/nixos/trunk/; revision=30127
2011-10-30 15:19:58 +00:00
Shea Levy
09cf6ce70c find modules | fgrep .nix | fgrep -v .svn | fgrep -v nixpkgs.nix | xargs sed -i -e 's|/nix/var|${config.nixpkgs.config.nix.stateDir}|g' -e 's|/nix/store|${config.nixpkgs.config.nix.storeDir}|g'
Don't assume /nix/store or /nix/var in NixOS modules, this is configurable

svn path=/nixos/trunk/; revision=30104
2011-10-29 21:03:57 +00:00
Peter Simons
eb6e1310b8 strip trailing whitespace; no functional change
svn path=/nixos/trunk/; revision=29285
2011-09-14 18:20:50 +00:00
Eelco Dolstra
64340dc03c * Set OPENSSL_X509_CERT_FILE.
svn path=/nixos/trunk/; revision=29225
2011-09-12 17:01:43 +00:00
Eelco Dolstra
d1ae2c2ac1 * Polkit: remove the wrapper since it's no longer needed (and didn't
really work as far as I can tell).

svn path=/nixos/trunk/; revision=28734
2011-08-22 11:46:32 +00:00
Eelco Dolstra
7980c71d9c * Add some options to allow setting PolKit permissions.
svn path=/nixos/trunk/; revision=28729
2011-08-21 20:38:45 +00:00
Eelco Dolstra
44725e50f0 * Apply the resource limits set by security.pam.loginLimits to all PAM
services (rather than just login(1)).  It's rather unexpected if
  resource limits are not applied to (say) users logged in via SSH or
  X11.

svn path=/nixos/trunk/; revision=28105
2011-08-01 10:17:18 +00:00
Eelco Dolstra
7d69a82b55 * Put the CA certificate bundle in /etc/ssl/certs because Qt expects
them there.

svn path=/nixos/trunk/; revision=28009
2011-07-29 19:06:27 +00:00
Eelco Dolstra
aa5f5ed2e5 * I should test first.
svn path=/nixos/trunk/; revision=27964
2011-07-26 14:19:06 +00:00
Eelco Dolstra
645205b600 * Add a module for rtkit. The PulseAudio module enables rtkit to
acquire real-time priority.

svn path=/nixos/trunk/; revision=27963
2011-07-26 14:14:10 +00:00
Eelco Dolstra
2aaff3aa06 * Restart polkitd in the activation script to force its configuration
to be reloaded.

svn path=/nixos/trunk/; revision=27962
2011-07-26 14:13:07 +00:00
Eelco Dolstra
a1df35a590 * Don't enable HAL by default anymore. It's obsolete. It's still
enabled by modules that need it (KDE < 4.7, Xfce).
* Don't enable the PolicyKit module by default either, it's also
  obsolete (replaced by PolKit).  It's still enabled if HAL is
  enabled.

svn path=/nixos/trunk/; revision=27933
2011-07-25 00:52:59 +00:00
Eelco Dolstra
c548597976 * Allow Git to find the CA bundle.
svn path=/nixos/trunk/; revision=27735
2011-07-12 12:45:48 +00:00
Eelco Dolstra
37562ea864 * Remove a debug statement.
svn path=/nixos/trunk/; revision=26889
2011-04-19 13:23:45 +00:00
Lluís Batlle i Rossell
84bea7a351 I change the ldap settings so pam_unix and 'files' always go in front of ldap,
instead of the opposite. Thus, /etc/passwd has priority over ldap.


svn path=/nixos/trunk/; revision=26834
2011-04-13 20:48:50 +00:00
Michael Raskin
f6bc3d61cf To prevent glibc bug exploitation, make setuid-wrappers unreadable to non-root users
svn path=/nixos/trunk/; revision=24378
2010-10-20 09:29:02 +00:00
Lluís Batlle i Rossell
79ded36abf Making cron/fcron set their setuid wrappers. And made fcron use the nixos systemCrontabJobs by
default.
It does not look very modular, and the manual may not look very good, but I think it
works better than before. And setting cron.enable = false and fcron.enable = true works fine.


svn path=/nixos/trunk/; revision=24199
2010-10-10 11:35:15 +00:00
Eelco Dolstra
f729f12e4e Some cleanups in the activation script:
* Moved some scriptlets to the appropriate modules.
* Put the scriptlet that sets the default path at the start, since it
  never makes sense not to have it there.  It no longer needs to be
  declared as a dependency.
* If a scriptlet has no dependencies, it can be denoted as a plain
  string (i.e., `noDepEntry' is not needed anymore).

svn path=/nixos/trunk/; revision=23762
2010-09-13 15:41:38 +00:00
Yury G. Kudryashov
f0eb823a34 Add unix_chkpwd suid wrapper
svn path=/nixos/trunk/; revision=23165
2010-08-13 14:07:34 +00:00
David Guibert
6c8c1f935a nixos: authenticate through kerberos
config.krb5.enable needs to be set as true.
Also use pam_ccreds to cache Kerberos credentials for offline logins.

svn path=/nixos/trunk/; revision=22986
2010-08-06 08:50:48 +00:00
Eelco Dolstra
82be7d8d65 * `pam_console' maintains the set of locally logged in users in
/var/run/console.  This is obsolete, but D-Bus still uses it for its
  `at_console' feature.  So maintain it using a ConsoleKit session
  script.  Borrowed from
  http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-auth/consolekit/files/pam-foreground-compat.ck

svn path=/nixos/trunk/; revision=22720
2010-07-23 14:23:08 +00:00
Eelco Dolstra
c089738bdc * Use the shadow' package instead of pwdutils', `pam_login' and
`su'.
* The `usermod' from `shadow' allows setting a supplementary group
  equal to the user's primary group, so the special hack for the
  `nixbld' group is no longer needed.
* Removed /etc/default/passwd since it's not used by the new passwd.
  The hash is configured in pam_unix.
* Move some values for `security.setuidPrograms' and
  `security.pam.services' to the appropriate modules.

svn path=/nixos/trunk/; revision=22107
2010-06-02 21:10:48 +00:00
Eelco Dolstra
876954d15d * Use pam_unix (from the PAM package) instead of pam_unix2. All the
functionality we needed from pam_unix2 (more secure hashes, and,
  uh...) has been merged into pam_unix.

svn path=/nixos/trunk/; revision=22106
2010-06-02 19:59:44 +00:00
Eelco Dolstra
540c673364 * Enable the `chfn' program. Note that by default non-root users are
still not permitted to change their account information, as
  specified in login.defs.

svn path=/nixos/trunk/; revision=22049
2010-05-28 14:59:34 +00:00
Yury G. Kudryashov
a0b97de260 Use polkit-agent-helper-1 from libexec/polkit-1
svn path=/nixos/trunk/; revision=21844
2010-05-18 16:46:32 +00:00
Yury G. Kudryashov
7ae39feedb Get rid of extraSetuidPrograms.
Also state in description that it is obsolete.

svn path=/nixos/trunk/; revision=21777
2010-05-14 21:01:06 +00:00
Yury G. Kudryashov
03caab4572 Enable polkit-1
Now both polkit-1 and old policykit are enabled. Packages that can use both will
be migrated to new polkit-1, than old one can be disabled.

svn path=/nixos/trunk/; revision=21776
2010-05-14 20:28:04 +00:00
Eelco Dolstra
8a6346e477 * Provide a bundle of CA certificates in /etc/ca-bundle.crt, and set
the CURL_CA_BUNDLE environment variable.  This allows curl to work
  without the `-k' flag on https sites with a properly signed
  certificate.

svn path=/nixos/trunk/; revision=19572
2010-01-20 14:22:47 +00:00
Ludovic Courtès
c68f5fbae4 Add support for pam_limits.
svn path=/nixos/trunk/; revision=19370
2010-01-12 11:02:23 +00:00
Nicolas Pierron
d2901e979d * Add support for pam_usb.
svn path=/nixos/trunk/; revision=19185
2010-01-03 11:59:08 +00:00
Eelco Dolstra
5dfaf565bf * On the CD or on a newly installed system, create the root account
with an empty password, rather than with a hashed empty password.
  The latter is a security risk, because it allows remote root logins
  if a user enables sshd before setting a proper root password.
* Allow empty passwords for login and slim, but nothing else.

svn path=/nixos/trunk/; revision=17833
2009-10-15 14:41:59 +00:00
Marc Weber
ccd2a0b617 sudo default configFile: replace outdated comment
svn path=/nixos/trunk/; revision=17790
2009-10-13 21:29:30 +00:00
Eelco Dolstra
d933f55e45 * Tell PolicyKit about the policies of HAL and ConsoleKit.
svn path=/nixos/trunk/; revision=17439
2009-09-26 10:32:57 +00:00
Eelco Dolstra
3d5462c980 * Install a PolicyKit policy configuration file. There should be a
configuration option to add to this file.

svn path=/nixos/trunk/; revision=17436
2009-09-26 00:07:52 +00:00
Eelco Dolstra
69f68c319d * A module for the old PolicyKit.
svn path=/nixos/trunk/; revision=17433
2009-09-25 23:06:38 +00:00