Commit Graph

59 Commits

Author SHA1 Message Date
Mathijs Kwik
f356cee747 sudo: allow adding extra configuration options to the bottom of sudoers
from sudoers (5):
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
2014-11-02 13:27:05 +01:00
Ricardo M. Correia
10348a0f2c grsecurity: Update documentation to mention correct kernels 2014-10-22 16:50:36 +02:00
Eelco Dolstra
bb9ee6a13f Remove some setuid wrappers for non-standard programs 2014-09-05 14:46:36 +02:00
Eelco Dolstra
cd7129a037 Revert "nixos: add setuid wrappers for some networked filesystems' helpers"
This reverts commit 26a4001a98. It
breaks the NFS test:

  http://hydra.nixos.org/build/13943148

Also, having more setuid programs is a bad thing security-wise.
2014-09-05 14:43:11 +02:00
Michael Raskin
419031bcfc Merge pull request #2644 from lethalman/pam_tally
pam: Add logFailures option for adding pam_tally to su
2014-09-02 00:58:30 +04:00
Jan Malakhovski
26a4001a98 nixos: add setuid wrappers for some networked filesystems' helpers
So that `user` mount option would work allowing normal users to mount
and umount stuff marked with it in `fileSystems.<name>.options`.
2014-09-01 10:33:48 +04:00
Jan Malakhovski
8f50d803ef nixos: add support for mkhomedir in PAM 2014-09-01 10:33:48 +04:00
Eelco Dolstra
785ed2b528 Don't silently ignore errors from the activation script 2014-08-15 02:14:34 +02:00
Vladimír Čunát
87c3c0e885 Merge master into #2129
Conflicts (easy, just UID shifted):
	nixos/modules/misc/ids.nix
	nixos/modules/module-list.nix
2014-08-12 19:24:08 +02:00
Eelco Dolstra
36f99a9a82 Set $SSL_CERT_FILE
It's more standard than $OPENSSL_X509_CERT_FILE (which I guess was a
totally unnecessary patch to OpenSSL). Since curl respects
$SSL_CERT_FILE, it's no longer needed to set $CURL_CA_BUNDLE. Git
unfortunately doesn't.
2014-07-28 19:09:32 +02:00
Rastus Vernon
d5daa8ae6f Fix repeated typo
"Can either by" should be "Can either be". There are three occurrences of this mistake, all in descriptions of configuration options.
2014-07-11 23:14:53 -04:00
Jaka Hudoklin
16f801cba9 nixos/pam: make pam_loginuid optional if in container 2014-06-30 11:08:39 +02:00
Austin Seipp
0399c5ee24 grsecurity: update stable/testing kernels, refactoring
This updates the new stable kernel to 3.14, and the new testing kernel
to 3.15.

This also removes the vserver kernel, since it's probably not nearly as
used.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-06-22 22:29:10 -05:00
William A. Kennington III
ef4ea24420 sudo: Always keepVisudo in order to simplify sudo build 2014-06-17 22:41:32 -05:00
Ricardo M. Correia
f8e108c865 nixos.tests.installer: Fix test failures due to network being disabled 2014-06-17 18:41:26 +02:00
Eelco Dolstra
f5055e2ef6 Rename environment.systemVariables -> environment.sessionVariables
This makes it clearer that they're part of PAM sessions.
2014-06-13 17:57:04 +02:00
Eelco Dolstra
8ae659f16c Revert "Revert "Merge #2692: Use pam_env to properly setup system-wide env""
This reverts commit 491c088731.
2014-06-10 13:07:10 +02:00
Eelco Dolstra
491c088731 Revert "Merge #2692: Use pam_env to properly setup system-wide env"
This reverts commit 18a0cdd864.
2014-06-10 13:03:44 +02:00
Vladimír Čunát
18a0cdd864 Merge #2692: Use pam_env to properly setup system-wide env 2014-06-10 11:42:59 +02:00
Michael Raskin
e68a5b265a Enable checking sudoers syntax. Fixes #2850, probably. 2014-06-09 00:54:21 +04:00
Ricardo M. Correia
f0cf8f4140 grsecurity: Fix module evaluation 2014-05-22 20:17:34 +02:00
Austin Seipp
e31f212f6b nixos/duosec: Add an option to allow TCP forwarding
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-20 02:42:38 -05:00
Austin Seipp
67c309fe75 Fix fallout from 4f27ad14
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-18 07:38:13 -05:00
Austin Seipp
4f27ad14a1 grsec: refactor grsecurity packages
This now provides a handful of different grsecurity kernels for slightly
different 'flavors' of packages. This doesn't change the grsecurity
module to use them just yet, however.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:43 -05:00
Austin Seipp
92abc4c610 kernel: enable AppArmor by default
AppArmor only requires a few patches to the 3.2 and 3.4 kernels in order
to work properly (with the minor catch grsecurity -stable includes the
3.2 patches.) This adds them to the kernel builds by default, removes
features.apparmor (since it's always true) and makes it the default MAC
system.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:09 -05:00
Luca Bruno
1d5d7fdee2 pam: Add logFailures option for adding pam_tally to su 2014-05-14 17:54:21 +02:00
Aristid Breitkreuz
204fc0a397 sudo: env_keep TERMINFO for urxvt 2014-05-04 14:42:16 +02:00
Eelco Dolstra
4353220202 polkit: Remove unnecessary restart
There already is a restart trigger that takes care of this.
2014-04-28 23:57:37 +02:00
Eelco Dolstra
379c8ba237 polkit: Restart using systemctl
The use of pkill is now particularly bad due to containers (it might
kill processes in containers).
2014-04-28 12:38:50 +02:00
Alexander Kjeldaas
baf4faeddc Only disable TPM access by rngd when tcsd is enabled. 2014-04-22 14:05:09 +02:00
Alexander Kjeldaas
64311899db Don't let rngd read /dev/tpm0.
Only one process can interact with the TPM module and
that process should be tcsd.  The tpm_rng kernel module
should instead be loaded and /dev/hwrnd be used to
read the TPM random generator.
Also, log which random generator devices are used by
rngd on startup.
2014-04-22 14:05:09 +02:00
Rickard Nilsson
5db9287b7c rtkit: Update from 0.10 to 0.11 2014-04-21 23:22:10 +02:00
Ricardo M. Correia
5d5ca7b260 grsecurity: Update all patches
stable:  3.0-3.2.57-201404131252            -> 3.0-3.2.57-201404182109
test:    3.0-3.13.10-201404141717           -> 3.0-3.14.1-201404201132
vserver: 3.0-3.2.57-vs2.3.2.16-201404131253 -> 3.0-3.2.57-vs2.3.2.16-201404182110
2014-04-21 18:46:41 +02:00
Eelco Dolstra
fa9ed04997 Restart polkit if its configuration may have changed 2014-04-19 14:29:02 +02:00
Eelco Dolstra
9f1c9404da Put /var/setuid-wrappers on a tmpfs
This allows all other filesystems to be mounted without the suid
option.
2014-04-19 12:40:09 +02:00
Eelco Dolstra
fa1a46a01c setuid-wrapper: Fix broken string comparison 2014-04-19 10:58:30 +02:00
Eelco Dolstra
b80e6b27c7 setuid-wrapper: Drop runtime dependency on setuid-wrapper.c 2014-04-19 10:53:17 +02:00
Eelco Dolstra
a8aa9f3fd4 setuid-wrapper.c: Remove tabs 2014-04-19 10:53:05 +02:00
Eelco Dolstra
5378da25a0 Apply pam_loginuid before pam_systemd
As recommended by the pam_systemd manpage.
2014-04-17 11:35:18 +02:00
Austin Seipp
da6bc44dd7 nixos: transmission improvements
This mostly upgrades transmission, and does some very minor touchups on
AppArmor support.

In particular, there is now no need to ever specify the umask as part of
the settings, as it will be mixed in by default (which is essentially
always what you want). Also, the default configuration is now more
sensible: Downloads are put in /var/lib/transmission/Downloads, and
incomplete files are put in /var/lib/transmission/.incomplete - this
also allows easy use of file syncing probrams, like BitTorrent Sync.

Finally, this unconditionally enables the AppArmor profiles for the
daemon, if AppArmor is enabled - rather than letting the user specify
profile support, it's best to default to supporting profiles for daemons
transparently in all places.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 06:54:51 -05:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Bjørn Forsman
6fa1ad04da nixos: extend documentation example for security.setuidOwners
Show that it is possible to set custom permission bits.
2014-04-13 12:31:08 +02:00
Austin Seipp
64efd184ed grsecurity: Fix GRKERNSEC_PROC restrictions
Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit
too strict. It doesn't allow a special group (e.g. the grsecurity group
users) to access /proc information - this requires
GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive.

This was also not in line with the default automatic grsecurity
configuration - it actually defaults to USERGROUP (although it has a
default GID of 1001 instead of ours), not USER.

This introduces a new option restrictProcWithGroup - enabled by default
- which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off
restrictProc by default and makes sure both cannot be enabled.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-12 11:16:05 -05:00
Austin Seipp
172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
Austin Seipp
29d46452dd nixos: add Duo Security module
This module adds the security.duosec attributes, which you can use to
enable simple two-factor authentication for NixOS logins.

The module currently provides PAM and SSH support, although the PAM unix
system configuration isn't automatically dealt with (although the
configuration is automatically built).

Enabling it is as easy as saying:

  security.duosec.ssh.enable = true;
  security.duosec.ikey       = "XXXXXXXX...";
  security.duosec.skey       = "XXXXXXXX...";
  security.duosec.host       = "api-XXXXXXX.duosecurity.com";
  security.duosec.group      = "duosec";

which will enforce two-factor authentication for SSH logins for users in
the 'duosec' group.

This requires uid/gid support in the environment.etc module.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-16 07:11:50 -05:00
Eelco Dolstra
9c616e3bf4 Remove /etc/ca-bundle.crt
Applications should use /etc/ssl/certs/ca-bundle.crt instead.
2014-02-11 17:13:36 +01:00
Eelco Dolstra
bc56bb7546 polkit: Add some examples 2013-11-18 18:04:17 +01:00
Eelco Dolstra
7ea47df0a4 polkit: Fix authenticating as a wheel user
In Javascript-based PolKit, "unix-user:0;unix-group:wheel" is not
valid; it should be a list "unix-user:0", "unix-group:wheel".
2013-11-18 18:04:17 +01:00
Eelco Dolstra
1ce709ee00 polkit: The rule file needs to end in .rules
Otherwise it's ignored.
2013-11-18 18:04:17 +01:00
Vladimír Čunát
8d14c7baa6 polkit: major update 0.105 -> 0.112
- It now uses JavaScript for configuration (only),
  so I had to "convert" config for NetworkManager.
- I tested suspend/restart/(un)mount on KDE/Xfce,
  Phreedom tested NetworkManager config conversion.
2013-11-09 16:29:18 +01:00