Commit Graph

38 Commits

Author SHA1 Message Date
h7x4
79d3d59f58
treewide: replace mkPackageOptionMD with mkPackageOption 2023-11-30 19:03:14 +01:00
Georges
c7695805ca
nixos/shadow: refactor login.defs config options
Add a settings option for the login.defs file
to provide enhanced configuration abilities.

Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
2023-05-20 13:34:41 +02:00
Martin Weinelt
a3c7dcd88d
nixos/shadow: Set default encrypt method
Fixes the default for tools like chpasswd, chgpasswd and gpasswd.

Closes: #230880
2023-05-09 17:05:34 +02:00
pennae
2e751c0772 treewide: automatically md-convert option descriptions
the conversion procedure is simple:

 - find all things that look like options, ie calls to either `mkOption`
   or `lib.mkOption` that take an attrset. remember the attrset as the
   option
 - for all options, find a `description` attribute who's value is not a
   call to `mdDoc` or `lib.mdDoc`
 - textually convert the entire value of the attribute to MD with a few
   simple regexes (the set from mdize-module.sh)
 - if the change produced a change in the manual output, discard
 - if the change kept the manual unchanged, add some text to the
   description to make sure we've actually found an option. if the
   manual changes this time, keep the converted description

this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
2022-07-30 15:16:34 +02:00
Naïm Favier
2ddc335e6f
nixos/doc: clean up defaults and examples 2021-10-04 12:47:20 +02:00
rnhmjoj
fedd7cd690
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you
to think about what the wrapper ownership and permissions will be.
2021-09-13 13:48:13 +02:00
Jörg Thalheim
53d0dc6638
Merge pull request #51270 from aneeshusa/enable-setuid-wrapper-for-chsh
nixos/shadow: create setuid wrapper for chsh
2020-06-02 10:50:31 +01:00
rnhmjoj
1d61efb7f1 treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
Silvan Mosberger
23d920c8f0
nixos/users: Increase maximum system uid/gid from 499 to 999
This enlarges the system uid/gid range 6-fold, from 100 to 600 ids. This
is a preventative measure against running out of dynamically allocated
ids for NixOS services with isSystemUser, which should become the
preferred way of allocating uids for non-real users.
2019-10-14 01:59:19 +02:00
Aneesh Agrawal
925b028f17 nixos/shadow: create setuid wrapper for chsh
This allows non-declarative users to change their login shells.
https://github.com/NixOS/nixpkgs/pull/41966 will make this possible
for declarative users as well if the system config explicitly allows it.
2019-04-07 15:12:39 -07:00
Jesper Geertsen Jonsson
8c0558dbb2 sg/newgrp should always be available, not chfn
sg and newgrp only changes the current user session and should be
available to users even if the "users.mutableUsers" option is set.
These are common, useful commands.

chfn does modify the /etc/passwd GECOS field which is also controlled
by the option "users.users.<name?>.description", so it's less
appropriate to make it available when "users.mutableUsers" is set.

However, because CHFN_RESTRICT in login.defs is never set in current
NixOS the chfn functionality is never available to users anyway and
may as well have its SUID disabled, as only root is able to use it.
This is recommended in the chfn man page in this case.
2018-01-14 20:54:40 +01:00
Parnell Springmeyer
264db4e309
Set merge + mkIf always surprises me 2017-01-29 17:10:32 -06:00
Parnell Springmeyer
9f82c9903d
More fixes 2017-01-29 05:44:29 -06:00
Parnell Springmeyer
e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Parnell Springmeyer
bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Eelco Dolstra
98102ebd92 Enable the runuser command from util-linux
Fixes #14701.
2016-09-06 17:23:27 +02:00
Parnell Springmeyer
1f9494b752 Need to create a new build to see why it's failing 2016-09-01 19:47:41 -05:00
Parnell Springmeyer
d60581d4d6 Resolving that silly bad argument error. 2016-09-01 19:26:54 -05:00
Parnell Springmeyer
98c058a1ee Adapting everything for the merged permissions wrappers work. 2016-09-01 19:21:06 -05:00
Parnell Springmeyer
390ab0b3ef everything?: Updating every package that depended on the old setuidPrograms configuration. 2016-09-01 19:17:43 -05:00
Benno Fünfstück
51b165c7d2 nixos/shadow: setuid wrappers for new{uid,gid}map
These utils are not related to user management, so they should be
available even if immutable users are enabled.
2016-08-19 14:59:33 +02:00
zimbatm
2974b6f4c8 Use shell packages to select the user's shell
The string type is still available for backward-compatiblity.
2016-06-12 20:35:34 +01:00
Joachim Fasting
75ab7bf960 nixos: condition shadow setuid-wrappers on mutableUsers
Having junk setuid wrappers in PATH is annoying.
2015-04-14 00:27:11 +02:00
obadz
be7f104502 sg: add setuid wrapper. (newgrp is a symlink to sg and was already setuid).
sudo: add ability for wheel users to change group (as well as user)
2015-03-30 23:50:45 +01:00
Michael Raskin
419031bcfc Merge pull request #2644 from lethalman/pam_tally
pam: Add logFailures option for adding pam_tally to su
2014-09-02 00:58:30 +04:00
Paul Colomiets
fb948c4f28 Upgrade shadow package 2014-08-01 21:19:21 +03:00
Shea Levy
b3cfb9084b Get all lib functions from lib, not pkgs.lib, in modules 2014-07-02 12:28:18 -04:00
aszlig
3e64126344
nixos/shadow: Add an example for defaultUserShell.
Thanks to @devhell for the suggestion.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-06-19 01:51:33 +02:00
Luca Bruno
1d5d7fdee2 pam: Add logFailures option for adding pam_tally to su 2014-05-14 17:54:21 +02:00
Eelco Dolstra
0e23a175de Allocate system uids/gids between 400 and 500
Previously it was between 100 and 500, but this can already collide
with the static uids/guid in misc/ids.nix.
2014-04-29 10:45:06 +02:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Peter Simons
ad65a1e064 Revert "nixos: fix shell on conatiners"
This reverts commit c69577b7d6.
See https://github.com/NixOS/nixpkgs/pull/2198 for further details.
2014-04-11 12:07:00 +02:00
Jaka Hudoklin
c69577b7d6 nixos: fix shell on conatiners 2014-04-10 12:28:09 +02:00
Rickard Nilsson
03ee174032 Only add shadow to system packages if users.mutableUsers is true 2014-02-05 15:56:51 +01:00
Rickard Nilsson
eb2f44c18c Generate /etc/passwd and /etc/group at build time
This is a rather large commit that switches user/group creation from using
useradd/groupadd on activation to just generating the contents of /etc/passwd
and /etc/group, and then on activation merging the generated files with the
files that exist in the system. This makes the user activation process much
cleaner, in my opinion.

The users.extraUsers.<user>.uid and users.extraGroups.<group>.gid must all be
properly defined (if <user>.createUser is true, which it is by default). My
pull request adds a lot of uids/gids to config.ids to solve this problem for
existing nixos services, but there might be configurations that break because
this change. However, this will be discovered during the build.

Option changes introduced by this commit:

* Remove the options <user>.isSystemUser and <user>.isAlias since
they don't make sense when generating /etc/passwd statically.

* Add <group>.members as a complement to <user>.extraGroups.

* Add <user>.passwordFile for setting a user's password from an encrypted
(shadow-style) file.

* Add users.mutableUsers which is true by default. This means you can keep
managing your users as previously, by using useradd/groupadd manually. This is
accomplished by merging the generated passwd/group file with the existing files
in /etc on system activation. The merging of the files is simplistic. It just
looks at the user/group names. If a user/group exists both on the system and
in the generated files, the system entry will be kept un-changed and the
generated entries will be ignored. The merging itself is performed with the
help of vipw/vigr to properly lock the account files during edit.
If mutableUsers is set to false, the generated passwd and group files will not
be merged with the system files on activation. Instead they will simply replace
the system files, and overwrite any changes done on the running system. The
same logic holds for user password, if the <user>.password or
<user>.passwordFile options are used. If mutableUsers is false, password will
simply be replaced on activation. If true, the initial user passwords will be
set according to the configuration, but existing passwords will not be touched.

I have tested this on a couple of different systems and it seems to work fine
so far. If you think this is a good idea, please test it. This way of adding
local users has been discussed in issue #103 (and this commit solves that
issue).
2014-02-05 15:56:51 +01:00
Eelco Dolstra
408b8b5725 Add lots of missing option types 2013-10-30 18:47:43 +01:00
Eelco Dolstra
a2c820c678 Turn security.pam.services into an attribute set
That is, you can say

  security.pam.services.sshd = { options... };

instead of

  security.pam.services = [ { name = "sshd"; options... } ];

making it easier to override PAM settings from other modules.
2013-10-15 14:47:51 +02:00
Eelco Dolstra
5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00