From 8833983f261c6afa0361465f31c4dbc39c45b386 Mon Sep 17 00:00:00 2001 From: Klemens Nanni Date: Sun, 22 Nov 2020 23:42:02 +0100 Subject: [PATCH] nixos/users-groups: createHome: Ensure HOME permissions, fix description configuration.nix(1) states users.extraUsers..createHome [...] If [...] the home directory already exists but is not owned by the user, directory owner and group will be changed to match the user. i.e. ownership would change only if the user mismatched; the code however ignores the owner, it is sufficient to enable `createHome`: if ($u->{createHome}) { make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home}; chown $u->{uid}, $u->{gid}, $u->{home}; } Furthermore, permissions are ignored on already existing directories and therefore may allow others to read private data eventually. Given that createHome already acts as switch to not only create but effectively own the home directory, manage permissions in the same manner to ensure the intended default and cover all primary attributes. Avoid yet another configuration option to have administrators make a clear and simple choice between securely managing home directories and optionally defering management to own code (taking care of custom location, ownership, mode, extended attributes, etc.). While here, simplify and thereby fix misleading documentation.
---
 nixos/doc/manual/release-notes/rl-2103.xml | 7 +++++++
 nixos/modules/config/update-users-groups.pl | 3 ++-
 nixos/modules/config/users-groups.nix | 6 ++----
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml
index 35c10d3e5939..a8f961a06dc7 100644
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@@ -409,6 +409,13 @@ been dropped from upstream releases. + + + now always ensures home directory permissions to be 0700. Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others. The option's description was incorrect regarding ownership management and has been simplified greatly. + + +
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl
index fd3affae899c..758237152932 100644
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -209,10 +209,11 @@ foreach my $u (@{$spec->{users}}) {
 }
 }
- # Create a home directory.
+ # Ensure home directory incl. ownership and permissions.
 if ($u->{createHome}) {
 make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
 chown $u->{uid}, $u->{gid}, $u->{home};
+ chmod 0700, $u->{home};
 }
 if (defined $u->{passwordFile}) {
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 72285fe631da..a95763380986 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -198,10 +198,8 @@ let
 type = types.bool;
 default = false;
 description = ''
- If true, the home directory will be created automatically. If this
- option is true and the home directory already exists but is not
- owned by the user, directory owner and group will be changed to
- match the user.
+ Whether to create the home directory and ensure ownership as well as
+ permissions to match the user.
 '';
 };
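Review bot: The added `chmod 0700, $u->{home};` and the `chown` before it discard their return values, so a failure leaves the directory with its old mode while the release note promises 0700. A check such as `chmod(0700, $u->{home}) or warn "chmod $u->{home}: $!\n";` would surface that. Both calls also follow symbolic links, and the block now rewrites owner and mode of whatever `$u->{home}` resolves to each time the script runs, so it is worth skipping the path when `-l $u->{home}` is true or when it is not a directory. The enclosing `foreach` loop starts and ends outside the hunk, so the script's existing error-handling conventions are not visible here.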
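Review bot: The new description says permissions will "match the user", which does not tell an administrator that the mode is forced to 0700 on a home directory that already exists, the behaviour the Perl change in this patch introduces. Spelling it out, for example `Whether to create the home directory and ensure it is owned by the user with mode 0700, including when it already exists.`, would warn anyone who relies on a group- or world-readable home before they enable the option. The attribute set that holds this option begins outside the hunk.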