725777250b
Allow users to disable the shadow authentication suite. My primary motivation is to reduce the attack surface exposed by setuid binaries, of which shadow understandably introduces many. I realised, however, that I don't use any of these. The test demonstrates login working without needing the shadow suite.
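# NixOS VM test: a user can still log in on a virtual console through
# greetd/agreety when the shadow suite (and the setuid binaries it ships) is
# disabled.
#
# NOTE(review): the test only proves that login works. It does not assert that
# the shadow setuid wrappers are actually absent from the machine, which is the
# stated motivation for the option; consider adding such an assertion.
#
# `latestKernel` is accepted for interface compatibility but is not used here.
import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... }:
{
  name = "greetd-no-shadow";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ ];
  };

  nodes.machine =
    { pkgs, lib, ... }: {

      # Test-only account. `password` stores the clear-text value in the
      # world-readable Nix store, which is acceptable only for a throwaway VM;
      # real configurations should use `hashedPasswordFile` instead.
      users.users.alice = {
        isNormalUser = true;
        group = "alice";
        password = "foobar";
      };
      users.groups.alice = {};

      # Disabling shadow means login(1) breaks, so greetd/agreety has to
      # provide the console login instead.
      security.shadow.enable = false;

      services.greetd = {
        enable = true;
        settings = {
          default_session = {
            # agreety is the text greeter; on success it starts bash for the user.
            command = "${pkgs.greetd.greetd}/bin/agreety --cmd bash";
          };
        };
      };
    };

  testScript = ''
    machine.start()

    machine.wait_for_unit("multi-user.target")
    # The greeter binary is "agreety" (see default_session.command); the
    # pattern previously read "agretty", which names no process in this test.
    # NOTE(review): pgrep -f matches full command lines, and the greeter
    # command configured above carries no tty1 argument. Confirm this wait is
    # satisfied by the agreety process itself and not by some other command
    # line that merely contains the pattern text; an exact process-name match
    # would be a stricter check.
    machine.wait_until_succeeds("pgrep -f 'agreety.*tty1'")
    machine.screenshot("postboot")

    with subtest("Log in as alice on a virtual console"):
        machine.wait_until_tty_matches("1", "login: ")
        machine.send_chars("alice\n")
        machine.wait_until_tty_matches("1", "login: alice")
        # NOTE(review): with shadow disabled there is presumably no login(1)
        # process. Plain pgrep matches the pattern anywhere in a process name,
        # so this may be satisfied by an unrelated process (systemd-logind, for
        # example) - confirm what this step is meant to wait for.
        machine.wait_until_succeeds("pgrep login")
        machine.wait_until_tty_matches("1", "Password: ")
        machine.send_chars("foobar\n")
        # A bash process owned by alice shows that authentication succeeded and
        # the session command was started as that user.
        machine.wait_until_succeeds("pgrep -u alice bash")
        # Creating a file in the home directory proves the session is usable.
        machine.send_chars("touch done\n")
        machine.wait_for_file("/home/alice/done")
  '';
})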