alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity

Merge pull request #3100 from tailhook/new-shadow

Browse source 
Upgrade "shadow" to 4.2.1
This commit is contained in:
Michael Raskin 2014-08-29 00:42:57 +04:00
parent 0036f4d792 08b214a8f2
commit 1fd14fa415
3 changed files with 89 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

83
nixos/modules/config/users-groups.nix
View file

@ -100,6 +100,36 @@ let
description = "The path to the user's shell.";
};
subUidRanges = mkOption {
type = types.listOf types.optionSet;
default = [];
example = [
{ startUid = 1000; count = 1; }
{ startUid = 100001; count = 65534; }
];
options = [ subordinateUidRange ];
description = ''
Subordinate user ids that user is allowed to use.
They are set into <filename>/etc/subuid</filename> and are used
by <literal>newuidmap</literal> for user namespaces.
'';
};
subGidRanges = mkOption {
type = types.listOf types.optionSet;
default = [];
example = [
{ startGid = 100; count = 1; }
{ startGid = 1001; count = 999; }
];
options = [ subordinateGidRange ];
description = ''
Subordinate group ids that user is allowed to use.
They are set into <filename>/etc/subgid</filename> and are used
by <literal>newgidmap</literal> for user namespaces.
'';
};
createHome = mkOption {
type = types.bool;
default = false;
@ -211,6 +241,36 @@ let
};
subordinateUidRange = {
startUid = mkOption {
type = types.int;
description = ''
Start of the range of subordinate user ids that user is
allowed to use.
'';
};
count = mkOption {
type = types.int;
default = 1;
description = ''Count of subordinate user ids'';
};
};
subordinateGidRange = {
startGid = mkOption {
type = types.int;
description = ''
Start of the range of subordinate group ids that user is
allowed to use.
'';
};
count = mkOption {
type = types.int;
default = 1;
description = ''Count of subordinate group ids'';
};
};
getGroup = gname:
let
groups = mapAttrsToList (n: g: g) (
@ -265,6 +325,20 @@ let
))
);
mkSubuidEntry = user: concatStrings (
map (range: "${user.name}:${toString range.startUid}:${toString range.count}\n")
user.subUidRanges);
subuidFile = concatStrings (map mkSubuidEntry (
sortOn "uid" (attrValues cfg.extraUsers)));
mkSubgidEntry = user: concatStrings (
map (range: "${user.name}:${toString range.startGid}:${toString range.count}\n")
user.subGidRanges);
subgidFile = concatStrings (map mkSubgidEntry (
sortOn "uid" (attrValues cfg.extraUsers)));
# If mutableUsers is true, this script adds all users/groups defined in
# users.extra{Users,Groups} to /etc/{passwd,group} iff there isn't any
# existing user/group with the same name in those files.
@ -504,6 +578,15 @@ in {
# for backwards compatibility
system.activationScripts.groups = stringAfter [ "users" ] "";
environment.etc."subuid" = {
text = subuidFile;
mode = "0644";
};
environment.etc."subgid" = {
text = subgidFile;
mode = "0644";
};
assertions = [
{ assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);
message = "uids and gids must be unique!";

4
nixos/modules/programs/shadow.nix
View file

@ -100,7 +100,9 @@ in
chgpasswd = { rootOK = true; };
};
security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp" ];
security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp"
"newuidmap" "newgidmap" # new in shadow 4.2.x
];
};

6
pkgs/os-specific/linux/shadow/default.nix
View file

@ -15,11 +15,11 @@ let
in
stdenv.mkDerivation rec {
name = "shadow-4.1.5.1";
name = "shadow-4.2.1";
src = fetchurl {
url = "http://pkg-shadow.alioth.debian.org/releases/${name}.tar.bz2";
sha256 = "1yvqx57vzih0jdy3grir8vfbkxp0cl0myql37bnmi2yn90vk6cma";
url = "http://pkg-shadow.alioth.debian.org/releases/${name}.tar.xz";
sha256 = "0h9x1zdbq0pqmygmc1x459jraiqw4gqz8849v268crk78z8r621v";
};
buildInputs = stdenv.lib.optional (pam != null && stdenv.isLinux) pam;