From 4fc151b5a3c749833554379a96bd87676f6c5740 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 9 May 2014 00:04:48 +0200 Subject: [PATCH] nixos-install: Ask the user to set a root password This removes the need to have an initially empty root password. --- nixos/doc/manual/installation.xml | 15 +++++++++++++- nixos/doc/manual/man-nixos-install.xml | 3 +++ nixos/modules/config/users-groups.nix | 8 ++++---- .../modules/installer/tools/nixos-install.sh | 20 +++++++++++++++++-- nixos/modules/virtualisation/amazon-image.nix | 5 ----- nixos/modules/virtualisation/containers.nix | 1 - .../virtualisation/google-compute-image.nix | 5 ----- .../modules/virtualisation/nixos-container.pl | 1 - .../virtualisation/virtualbox-image.nix | 5 ----- 9 files changed, 39 insertions(+), 24 deletions(-) diff --git a/nixos/doc/manual/installation.xml b/nixos/doc/manual/installation.xml index dcbb20b19eed..fa4b89e6ba84 100644 --- a/nixos/doc/manual/installation.xml +++ b/nixos/doc/manual/installation.xml @@ -209,7 +209,20 @@ $ nixos-install a network issue while downloading binaries from the NixOS binary cache), you can just re-run nixos-install. Otherwise, fix your configuration.nix and - then re-run nixos-install. + then re-run nixos-install. + + As the last step, nixos-install will ask + you to set the password for the root user, e.g. + + +setting root password... +Enter new UNIX password: *** +Retype new UNIX password: *** + + + + + If everything went well: diff --git a/nixos/doc/manual/man-nixos-install.xml b/nixos/doc/manual/man-nixos-install.xml index d5157859857b..0ebee7d23f9b 100644 --- a/nixos/doc/manual/man-nixos-install.xml +++ b/nixos/doc/manual/man-nixos-install.xml @@ -42,6 +42,9 @@ the following steps: and generates a GRUB configuration file that boots into the NixOS configuration just installed. + It prompts you for a password for the root + account. + diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 2c37dccd6ce1..e7afb5181576 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -374,8 +374,8 @@ in { security.initialRootPassword = mkOption { type = types.str; - default = ""; - example = "!"; + default = "!"; + example = ""; description = '' The (hashed) password for the root account set on initial installation. The empty string denotes that root can login @@ -383,9 +383,9 @@ in { as SSH, or indirectly via su or sudo). The string ! prevents root from logging in using a password. - Note, setting this option sets + Note that setting this option sets users.extraUsers.root.hashedPassword. - Note, if users.mutableUsers is false + Also, if users.mutableUsers is false you cannot change the root password manually, so in that case the name of this option is a bit misleading, since it will define the root password beyond the user initialisation phase. diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 1b481d4c65f9..e708521c93f6 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -73,16 +73,18 @@ fi # Mount some stuff in the target root directory. We bind-mount /etc # into the chroot because we need networking and the nixbld user # accounts in /etc/passwd. But we do need the target's /etc/nixos. -mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc +mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run mkdir -m 01777 -p $mountPoint/tmp mkdir -m 0755 -p $mountPoint/tmp/root -mkdir -m 0755 -p $mountPoint/var +mkdir -m 0755 -p $mountPoint/var/setuid-wrappers mount --rbind /dev $mountPoint/dev mount --rbind /proc $mountPoint/proc mount --rbind /sys $mountPoint/sys mount --rbind / $mountPoint/tmp/root mount --bind /etc $mountPoint/etc mount --bind $mountPoint/tmp/root/$mountPoint/etc/nixos $mountPoint/etc/nixos +mount -t tmpfs -o "mode=0755" none $mountPoint/run +mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers # Create the necessary Nix directories on the target device, if they @@ -215,3 +217,17 @@ touch $mountPoint/etc/NIXOS echo "finalising the installation..." NIXOS_INSTALL_GRUB=1 chroot $mountPoint \ /nix/var/nix/profiles/system/bin/switch-to-configuration boot + + +# Run the activation script. +chroot $mountPoint /nix/var/nix/profiles/system/activate + + +# Ask the user to set a root password. +if [ -t 0 ] ; then + echo "setting root password..." + chroot $mountPoint passwd +fi + + +echo "installation finished!" diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix index 18b18dd4b230..8ce89c09b244 100644 --- a/nixos/modules/virtualisation/amazon-image.nix +++ b/nixos/modules/virtualisation/amazon-image.nix @@ -160,9 +160,4 @@ with lib; environment.systemPackages = [ pkgs.cryptsetup ]; boot.initrd.supportedFilesystems = [ "unionfs-fuse" ]; - - # Prevent logging in as root without a password. This doesn't really matter, - # since the only PAM services that allow logging in with a null - # password are local ones that are inaccessible on EC2 machines. - security.initialRootPassword = mkDefault "!"; } diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index a0238277f5d0..d0d04d9a1e5d 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -117,7 +117,6 @@ in modules = let extraConfig = { boot.isContainer = true; - security.initialRootPassword = mkDefault "!"; networking.hostName = mkDefault name; networking.useDHCP = false; }; diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 34b8b0e9c1ca..d55b74202436 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -114,11 +114,6 @@ in # Always include cryptsetup so that NixOps can use it. environment.systemPackages = [ pkgs.cryptsetup ]; - # Prevent logging in as root without a password. This doesn't really matter, - # since the only PAM services that allow logging in with a null - # password are local ones that are inaccessible on Google Compute machines. - security.initialRootPassword = mkDefault "!"; - # Configure default metadata hostnames networking.extraHosts = '' 169.254.169.254 metadata.google.internal metadata diff --git a/nixos/modules/virtualisation/nixos-container.pl b/nixos/modules/virtualisation/nixos-container.pl index 8a1e6f927b30..c60662d8d399 100644 --- a/nixos/modules/virtualisation/nixos-container.pl +++ b/nixos/modules/virtualisation/nixos-container.pl @@ -64,7 +64,6 @@ sub writeNixOSConfig { with lib; { boot.isContainer = true; - security.initialRootPassword = mkDefault "!"; networking.hostName = mkDefault "$containerName"; networking.useDHCP = false; $extraConfig diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix index 3247881784e4..594b3e93ffeb 100644 --- a/nixos/modules/virtualisation/virtualbox-image.nix +++ b/nixos/modules/virtualisation/virtualbox-image.nix @@ -107,9 +107,4 @@ with lib; boot.loader.grub.device = "/dev/sda"; services.virtualbox.enable = true; - - # Prevent logging in as root without a password. For NixOps, we - # don't need this because the user can login via SSH, and for the - # demo images, there is a demo user account that can sudo to root. - security.initialRootPassword = mkDefault "!"; }