nixpkgs/nixos/modules/programs/shadow.nix
Jesper Geertsen Jonsson 8c0558dbb2 sg/newgrp should always be available, not chfn
sg and newgrp only changes the current user session and should be
available to users even if the "users.mutableUsers" option is set.
These are common, useful commands.

chfn does modify the /etc/passwd GECOS field which is also controlled
by the option "users.users.<name?>.description", so it's less
appropriate to make it available when "users.mutableUsers" is set.

However, because CHFN_RESTRICT in login.defs is never set in current
NixOS the chfn functionality is never available to users anyway and
may as well have its SUID disabled, as only root is able to use it.
This is recommended in the chfn man page in this case.
2018-01-14 20:54:40 +01:00

116 lines
3.1 KiB
Nix

# Configuration for the pwdutils suite of tools: passwd, useradd, etc.
{ config, lib, utils, pkgs, ... }:
with lib;
let
loginDefs =
''
DEFAULT_HOME yes
SYS_UID_MIN 400
SYS_UID_MAX 499
UID_MIN 1000
UID_MAX 29999
SYS_GID_MIN 400
SYS_GID_MAX 499
GID_MIN 1000
GID_MAX 29999
TTYGROUP tty
TTYPERM 0620
# Ensure privacy for newly created home directories.
UMASK 077
# Uncomment this and install chfn SUID to allow non-root
# users to change their account GECOS information.
# This should be made configurable.
#CHFN_RESTRICT frwh
'';
in
{
###### interface
options = {
users.defaultUserShell = lib.mkOption {
description = ''
This option defines the default shell assigned to user
accounts. This can be either a full system path or a shell package.
This must not be a store path, since the path is
used outside the store (in particular in /etc/passwd).
'';
example = literalExample "pkgs.zsh";
type = types.either types.path types.shellPackage;
};
};
###### implementation
config = {
environment.systemPackages =
lib.optional config.users.mutableUsers pkgs.shadow ++
lib.optional (types.shellPackage.check config.users.defaultUserShell)
config.users.defaultUserShell;
environment.etc =
[ { # /etc/login.defs: global configuration for pwdutils. You
# cannot login without it!
source = pkgs.writeText "login.defs" loginDefs;
target = "login.defs";
}
{ # /etc/default/useradd: configuration for useradd.
source = pkgs.writeText "useradd"
''
GROUP=100
HOME=/home
SHELL=${utils.toShellPath config.users.defaultUserShell}
'';
target = "default/useradd";
}
];
security.pam.services =
{ chsh = { rootOK = true; };
chfn = { rootOK = true; };
su = { rootOK = true; forwardXAuth = true; logFailures = true; };
passwd = {};
# Note: useradd, groupadd etc. aren't setuid root, so it
# doesn't really matter what the PAM config says as long as it
# lets root in.
useradd = { rootOK = true; };
usermod = { rootOK = true; };
userdel = { rootOK = true; };
groupadd = { rootOK = true; };
groupmod = { rootOK = true; };
groupmems = { rootOK = true; };
groupdel = { rootOK = true; };
login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; };
chpasswd = { rootOK = true; };
};
security.wrappers = {
su.source = "${pkgs.shadow.su}/bin/su";
sg.source = "${pkgs.shadow.out}/bin/sg";
newgrp.source = "${pkgs.shadow.out}/bin/newgrp";
newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";
newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";
} // (if config.users.mutableUsers then {
passwd.source = "${pkgs.shadow.out}/bin/passwd";
} else {});
};
}