3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

634 commits

Author SHA1 Message Date
Joachim Fasting b33da46a8e
nixos/hardened: split description of allowUserNamespaces into paras 2019-04-21 13:11:25 +02:00
Alexander Kahl 56bd0110e7 nixos/pam: Add GNOME keyring use_authtok directive to password group 2019-04-14 09:50:22 -04:00
Will Dietz c8a9c1c2b8 yubico-pam: add nixos integration 2019-03-31 12:04:35 -05:00
aszlig dcf40f7c24
Merge pull request #57519 (systemd-confinement)
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.

However, this process is a bit tedious, so the changes here implement
this in a more generic way.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.myservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      confinement.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.

In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.

Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.

A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.

The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):

  @samueldr:

    Via pull request comment[1]:

      +1 for backporting as this only enhances the feature set of nixos,
      and does not (at a glance) change existing behaviours.

    Via IRC:

      new feature: -1, tests +1, we're at zero, self-contained, with no
      global effects without actively using it, +1, I think it's good

  @lheckemann:

    Via pull request comment[2]:

      I'm neutral on backporting. On the one hand, as @samueldr says,
      this doesn't change any existing functionality. On the other hand,
      it's a new feature and we're well past the feature freeze, which
      AFAIU is intended so that new, potentially buggy features aren't
      introduced in the "stabilisation period". It is a cool feature
      though? :)

A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:

  @edolstra:  "I'm not against it"
  @Infinisil: "+1 from me as well"
  @grahamc:   "IMO its up to the RMs"

So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.

I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
2019-03-29 04:37:53 +01:00
aszlig 52299bccf5
nixos/confinement: Use PrivateMounts option
So far we had MountFlags = "private", but as @Infinisil has correctly
noticed, there is a dedicated PrivateMounts option, which does exactly
that and is better integrated than providing raw mount flags.

When checking for the reason why I used MountFlags instead of
PrivateMounts, I found that at the time I wrote the initial version of
this module (Mar 12 06:15:58 2018 +0100) the PrivateMounts option didn't
exist yet and has been added to systemd in Jun 13 08:20:18 2018 +0200.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 20:34:32 +01:00
aszlig 861a1cec60
nixos/confinement: Remove handling for StartOnly
Noted by @Infinisil on IRC:

   infinisil: Question regarding the confinement PR
   infinisil: On line 136 you do different things depending on
              RootDirectoryStartOnly
   infinisil: But on line 157 you have an assertion that disallows that
              option being true
   infinisil: Is there a reason behind this or am I missing something

I originally left this in so that once systemd supports that, we can
just flip a switch and remove the assertion and thus support
RootDirectoryStartOnly for our confinement module.

However, this doesn't seem to be on the roadmap for systemd in the
foreseeable future, so I'll just remove this, especially because it's
very easy to add it again, once it is supported.

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-27 20:22:37 +01:00
Alex Guzman 0c34b9fcf8
nixos/security: make duo support secure failure correctly
seems that this got broken when the config option was made to use enums. "secure" got replaced with "enum", which isn't a valid option for the failure mode.
2019-03-17 18:25:20 -07:00
aszlig d13ad389b4
nixos/confinement: Explicitly set serviceConfig
My implementation was relying on PrivateDevices, PrivateTmp,
PrivateUsers and others to be false by default if chroot-only mode is
used.

However there is an ongoing effort[1] to change these defaults, which
then will actually increase the attack surface in chroot-only mode,
because it is expected that there is no /dev, /sys or /proc.

If for example PrivateDevices is enabled by default, there suddenly will
be a mounted /dev in the chroot and we wouldn't detect it.

Fortunately, our tests cover that, but I'm preparing for this anyway so
that we have a smoother transition without the need to fix our
implementation again.

Thanks to @Infinisil for the heads-up.

[1]: https://github.com/NixOS/nixpkgs/issues/14645

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-15 04:13:01 +01:00
aszlig 9e9af4f9c0
nixos/confinement: Allow to include the full unit
From @edolstra at [1]:

  BTW we probably should take the closure of the whole unit rather than
  just the exec commands, to handle things like Environment variables.

With this commit, there is now a "fullUnit" option, which can be enabled
to include the full closure of the service unit into the chroot.

However, I did not enable this by default, because I do disagree here
and *especially* things like environment variables or environment files
shouldn't be in the closure of the chroot.

For example if you have something like:

  { pkgs, ... }:

  {
    systemd.services.foobar = {
      serviceConfig.EnvironmentFile = ${pkgs.writeText "secrets" ''
        user=admin
        password=abcdefg
      '';
    };
  }

We really do not want the *file* to end up in the chroot, but rather
just the environment variables to be exported.

Another thing is that this makes it less predictable what actually will
end up in the chroot, because we have a "globalEnvironment" option that
will get merged in as well, so users adding stuff to that option will
also make it available in confined units.

I also added a big fat warning about that in the description of the
fullUnit option.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 20:04:33 +01:00
aszlig 46f7dd436f
nixos/confinement: Allow to configure /bin/sh
Another thing requested by @edolstra in [1]:

  We should not provide a different /bin/sh in the chroot, that's just
  asking for confusion and random shell script breakage. It should be
  the same shell (i.e. bash) as in a regular environment.

While I personally would even go as far to even have a very restricted
shell that is not even a shell and basically *only* allows "/bin/sh -c"
with only *very* minimal parsing of shell syntax, I do agree that people
expect /bin/sh to be bash (or the one configured by environment.binsh)
on NixOS.

So this should make both others and me happy in that I could just use
confinement.binSh = "${pkgs.dash}/bin/dash" for the services I confine.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:05 +01:00
aszlig 0ba48f46da
nixos/systemd-chroot: Rename chroot to confinement
Quoting @edolstra from [1]:

  I don't really like the name "chroot", something like "confine[ment]"
  or "restrict" seems better. Conceptually we're not providing a
  completely different filesystem tree but a restricted view of the same
  tree.

I already used "confinement" as a sub-option and I do agree that
"chroot" sounds a bit too specific (especially because not *only* chroot
is involved).

So this changes the module name and its option to use "confinement"
instead of "chroot" and also renames the "chroot.confinement" to
"confinement.mode".

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:03 +01:00
aszlig ac64ce9945
nixos: Add 'chroot' options to systemd.services
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.

This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.

However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.

Now if you want to chroot a systemd service, all you need to do is:

  {
    systemd.services.yourservice = {
      description = "My Shiny Service";
      wantedBy = [ "multi-user.target" ];

      chroot.enable = true;
      serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
    };
  }

If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.

In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".

Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.

However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).

Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.

The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.

Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.

[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
     to make room for a *real* "full" confinement mode, which is more
     restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:01 +01:00
Silvan Mosberger 02db11d369
Merge pull request #55792 from sdier/fix/pam-update
Allow duosec to be used in nixos as a pam module.
2019-02-25 01:38:51 +01:00
Scott Dier a3273e85e3 nixos/security: Fix pam configuration file generation. 2019-02-24 22:49:01 +00:00
Scott Dier 4e9ac79ef5 nixos/security: Allow configuration of pam for duosec. 2019-02-24 22:49:01 +00:00
Scott Dier 096e66a8ad nixos/security: Add duo-unix support to pam.
Also whitespace cleanup of surrounding code.
2019-02-24 22:48:56 +00:00
Symphorien Gibol a915b33315 nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
Florian Klink d3c2ed21d0
Merge pull request #53762 from ju1m/nslcd
Improving integration of `nslcd`, PAM and `openldap`.
2019-01-30 19:34:40 +01:00
Wael Nasreddine f072cfe1eb
nixos/pam: refactor U2F, docs about u2f_keys path (#54756)
* change enableU2F option to u2f.* set
* add few u2f options (not all) to customize pam-u2f module
* document default u2f_keys locations

Co-authored-by: Tomasz Czyż <tomasz.czyz@gmail.com>
Co-authored-by: Arda Xi <arda@ardaxi.com>
2019-01-29 08:45:26 -08:00
Julien Moutinho 65cfba23af nixos/tests: test LDAP password changing through nslcd
NOTE: slapd.conf is deprecated, hence use cn=config.
2019-01-18 05:13:42 +01:00
Joachim Fasting ea4f371627
nixos/security/misc: expose SMT control option
For the hardened profile disable symmetric multi threading.  There seems to be
no *proven* method of exploiting cache sharing between threads on the same CPU
core, so this may be considered quite paranoid, considering the perf cost.
SMT can be controlled at runtime, however.  This is in keeping with OpenBSD
defaults.

TODO: since SMT is left to be controlled at runtime, changing the option
definition should take effect on system activation.  Write to
/sys/devices/system/cpu/smt/control
2018-12-27 15:00:49 +01:00
Joachim Fasting e9761fa327
nixos/security/misc: expose l1tf mitigation option
For the hardened profile enable flushing whenever the hypervisor enters the
guest, but otherwise leave at kernel default (conditional flushing as of
writing).
2018-12-27 15:00:48 +01:00
Joachim Fasting 84fb8820db
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
2018-12-27 15:00:47 +01:00
Joachim Fasting 9db84f6fcd
nixos/security/misc: use mkMerge for easier extension 2018-12-27 15:00:46 +01:00
Florian Klink c6de45c0d7 config.security.googleOsLogin: add module
The OS Login package enables the following components:
AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
profile during ssh authentication phase.
NSS Module to provide user and group information
PAM Module for the sshd service, providing authorization and
authentication support, allowing the system to use data stored in
Google Cloud IAM permissions to control both, the ability to log into
an instance, and to perform operations as root (sudo).
2018-12-21 17:52:37 +01:00
Florian Klink be5ad774bf security.pam.services.<name?>.: add googleOsLogin(AccountVerification|Authentication) 2018-12-21 17:52:37 +01:00
Florian Klink d180bf3862 security.pam: make pam_unix.so required, not sufficient
Having pam_unix set to "sufficient" means early-succeeding account
management group, as soon as pam_unix.so is succeeding.

This is not sufficient. For example, nixos modules might install nss
modules for user lookup, so pam_unix.so succeeds, and we end the stack
successfully, even though other pam account modules might want to do
more extensive checks.

Other distros seem to set pam_unix.so to 'required', so if there are
other pam modules in that management group, they get a chance to do some
validation too.

For SSSD, @PsyanticY already added a workaround knob in
https://github.com/NixOS/nixpkgs/pull/31969, while stating this should
be the default anyway.

I did some thinking in what could break - after this commit, we require
pam_unix to succeed, means we require `getent passwd $username` to
return something.
This is the case for all local users due to the passwd nss module, and
also the case for all modules installing their nss module to
nsswitch.conf - true for ldap (if not explicitly disabled) and sssd.

I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss
module loaded? Should the pam account module be placed before pam_unix?

We don't drop the `security.pam.services.<name?>.sssdStrictAccess`
option, as it's also used some lines below to tweak error behaviour
inside the pam sssd module itself (by changing it's 'control' field).

This is also required to get admin login for Google OS Login working
(#51566), as their pam_oslogin_admin accounts module takes care of sudo
configuration.
2018-12-21 15:31:07 +01:00
Gabriel Ebner 20078fd5b2 nixos/rngd: do not pass --version flag 2018-11-05 10:41:38 +01:00
Will Dietz afdf16b714 apparmor-suid: don't force glibc
(cherry picked from commit 131131e58fc66365854f37f4fe2bf6ca01c8aed6)
2018-10-30 19:50:47 -05:00
Léo Gaspard 888034f6ca
dhparams module: add self as maintainer 2018-10-31 01:05:35 +09:00
Renaud deacd0bd73
nixos/rngd: fix exec flags and udev rules
TPM1.2 support has been dropped in rng-tools v6.5
see caef8cce97

rngd won't access /dev/tpm0 anymore and the "--no-tpm=1" option is now unrecognised
2018-10-28 17:31:35 +01:00
Renaud b2f6aa0069
nixos/rngd: use new name pkgs.rng-tools
Instead of pkgs.rng_tools which is now an alias
2018-10-24 13:46:08 +02:00
Linus Heckemann 45981145ad nixos/wrappers: remove outdated upgrade code
As mentioned in the code comments themselves, this was only necessary
for 16.09 -> 17.03 and as such is obsolete.
2018-10-21 15:12:36 +02:00
Joachim F 205aff5a65
Merge pull request #48439 from joachifm/hardened-misc
nixos/security/misc: init
2018-10-15 21:25:42 +00:00
Joachim Fasting f4ea22e5de
nixos/security/misc: init
A module for security options that are too small to warrant their own module.

The impetus for adding this module is to make it more convenient to override
the behavior of the hardened profile wrt user namespaces.
Without a dedicated option for user namespaces, the user needs to
1) know which sysctl knob controls userns
2) know how large a value the sysctl knob needs to allow e.g.,
   Nix sandbox builds to work

In the future, other mitigations currently enabled by the hardened profile may
be promoted to options in this module.
2018-10-15 23:11:37 +02:00
Joachim Fasting e619998eb3
nixos/lock-kernel-modules: add myself to maintainers 2018-10-15 01:33:30 +02:00
Jörg Thalheim b12c759f76
Merge pull request #47563 from jameysharp/unscripted
Replace several activation script snippets with declarative configuration
2018-10-02 19:21:34 +01:00
Jamey Sharp b63f65aea0 nixos/pam: create wtmp/lastlog iff using pam_lastlog
I think pam_lastlog is the only thing that writes to these files in
practice on a modern Linux system, so in a configuration that doesn't
use that module, we don't need to create these files.

I used tmpfiles.d instead of activation snippets to create the logs.
It's good enough for upstream and other distros; it's probably good
enough for us.
2018-09-30 11:08:12 -07:00
Jamey Sharp ae3d3b0fff nixos/polkit: use tmpfiles to clean old dirs
These don't need to get cleaned up during activation; that can wait
until systemd-tmpfiles-setup runs.
2018-09-30 11:08:11 -07:00
Graham Christensen 8413f22bb3
docs: format 2018-09-29 20:51:11 -04:00
Robin Gloster 515a7aa452
acme module: fix self-signed cert with openssl 1.1 2018-09-12 13:40:46 +02:00
Graham Christensen 34d2ec7c09
nixos docs: give IDs to things 2018-09-01 16:20:49 -04:00
Matthew Bauer 1b40dda8a7
Merge pull request #42834 from Synthetica9/patch-1
security.sudo.extraRules: documentation fix
2018-07-23 11:29:18 -04:00
Jörg Thalheim e9ff0f9448
Merge pull request #43863 from volth/unused4
[bot] nixos/*: remove unused arguments in lambdas
2018-07-21 16:39:08 +01:00
volth 2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
volth 6d2857a311 [bot] treewide: remove unused 'inherit' in let blocks 2018-07-20 19:38:19 +00:00
volth 87f5930c3f [bot]: remove unreferenced code 2018-07-20 18:48:37 +00:00
Joachim F 3ea5b15c20
Merge pull request #42845 from ivanbrennan/nixos-sudo-describe-rules-precedence
nixos/security.sudo: Document ordering of extraRules
2018-07-02 23:55:56 +00:00
ivanbrennan d08967a3a8
nixos/security.sudo: describe extraRules order
The order of sudoers entries is significant. The man page for sudoers(5)
notes:

  Where there are multiple matches, the last match is used (which is not
  necessarily the most specific match).

This module adds a rule for group "wheel" matching all commands. If you
wanted to add a more specific rule allowing members of the "wheel" group
to run command `foo` without a password, you'd need to use mkAfter to
ensure your rule comes after the more general rule.

  extraRules = lib.mkAfter [
    {
      groups = [ "wheel" ];
      commands = [
        {
          command = "${pkgs.foo}/bin/foo";
          options = [ "NOPASSWD" "SETENV" ];
        }
      ]
    }
  ];

Otherwise, when configuration options are merged, if the general rule
ends up after the specific rule, it will dictate the behavior even when
running the `foo` command.
2018-07-01 15:50:51 -04:00
Patrick Hilhorst 38b7233f83
Update sudo.nix
Updated example for security.sudo.extraRules to match comment
2018-07-01 13:23:55 +02:00
Florian Klink fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Niklas Hambüchen 7f79a4fe11 manual: Clarify that limits.conf doesn't apply to systemd services. (#40267)
Say how systemd services can be set instead.

Sources:

* https://bugzilla.redhat.com/show_bug.cgi?id=754285
* https://ro-che.info/articles/2017-03-26-increase-open-files-limit

Signed-off-by: Niklas Hambüchen <mail@nh2.me>
2018-05-12 17:44:57 +02:00
aszlig 78b4b90d6c
Merge pull request #39526 (improve dhparams)
This introduces an option that allows us to turn off stateful generation
of Diffie-Hellman parameters, which in some way is still "stateful" as
the generated DH params file is non-deterministic.

However what we can avoid with this is to have an increased surface for
failures during system startup, because generation of the parameters is
done during build-time.

Aside from adding a NixOS VM test it also restructures the type of the
security.dhparams.params option, so that it's a submodule.

A new defaultBitSize option is also there to allow users to set a
system-wide default.

I added a release notes entry that described what has changed and also
included a few notes for module developers using this module, as the
first usage already popped up in NixOS/nixpkgs#39507.

Thanks to @Ekleog and @abbradar for reviewing.
2018-05-08 02:09:46 +02:00
Matthew Justin Bauer 11df600bf8
Merge pull request #39680 from bgamari/fix-acme-post-stop
nixos/acme: Fix broken post-stop script
2018-05-07 04:19:49 +00:00
aszlig 81fc2c3509
nixos/dhparams: Add a defaultBitSize option
This allows to set the default bit size for all the Diffie-Hellman
parameters defined in security.dhparams.params and it's particularly
useful so that we can set it to a very low value in tests (so it doesn't
take ages to generate).

Regardless for the use in testing, this also has an impact in production
systems if the owner wants to set all of them to a different size than
2048, they don't need to set it individually for every params that are
set.

I've added a subtest to the "dhparams" NixOS test to ensure this is
working properly.

Signed-off-by: aszlig <aszlig@nix.build>
2018-05-07 04:58:52 +02:00
Graham Christensen d1165dba99
Merge pull request #38831 from rdnetto/improve-cross-refs
Improve cross referencing in NixOS Manual
2018-04-30 21:30:20 -04:00
aszlig b3d5ca8359
nixos/dhparams: Set default bit size to 2048
@Ekleog writes in https://github.com/NixOS/nixpkgs/pull/39526:

> I think a default of 4096 is maybe too much? See certbot/certbot#4973;
> Let's Encrypt supposedly know what they are doing and use a
> pre-generated 2048-bit DH params (and using the same DH params as
> others is quite bad, even compared to lower bit size, if I correctly
> remember the attacks available -- because it increases by as much the
> value of breaking the group).

> Basically I don't have anything personal against 4096, but fear it may
> re-start the arms race: people like having "more security" than their
> distributions, and having NixOS already having more security than is
> actually useful (I personally don't know whether a real-size quantum
> computer will come before or after our being able to break 2048-bit
> keys, let alone 3072-bit ones -- see wikipedia for some numbers).

> So basically, I'd have set it to 3072 in order to both decrease build
> time and avoid having people setting it to 8192 and complaining about
> how slow things are, but that's just my opinion. :)

While he suggests is 3072 I'm using 2048 now, because it's the default
of "openssl dhparam". If users want to have a higher value, they can
still change it.

Signed-off-by: aszlig <aszlig@nix.build>
2018-04-30 05:53:38 +02:00
Ben Gamari 7d68eadf37 nixos/acme: Fix broken post-stop script
Previously the script would contain an empty `if` block (which is invalid
syntax) if both `data.activationDelay == null` and `data.postRun == ""`. Fix
this by adding a no-op `true`.
2018-04-29 13:32:02 -04:00
aszlig ce87773867
nixos/dhparams: Clean up module expression
First of all let's start with a clean up the multiline string
indentation for descriptions, because having two indentation levels
after description is a waste of screen estate.

A quick survey in the form of the following also reveals that the
majority of multiline strings in nixpkgs is starting the two beginning
quotes in the same line:

$ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l
817
$ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l
14818

The next point is to get the type, default and example attributes on top
of the description because that's the way it's rendered in the manual.

Most services have their enable option close to the beginning of the
file, so let's move it to the top.

Also, I found the script attribute for dhparams-init.service a bit hard
to read as it was using string concatenation to split a "for" loop.

Now for the more substantial clean ups rather than just code style:

  * Remove the "with lib;" at the beginning of the module, because it
    makes it easier to do a quick check with "nix-instantiate --parse".
  * Use ConditionPathExists instead of test -e for checking whether we
    need to generate the dhparams file. This avoids spawning a shell if
    the file exists already and it's probably more common that it will
    exist, except for the initial creation of course.
  * When cleaning up old dhparams file, use RemainAfterExit so that the
    unit won't be triggered again whenever we stop and start a service
    depending on it.
  * Capitalize systemd unit descriptions to be more in par with most
    other unit descriptions (also see 0c5e837b66).
  * Use "=" instead of "==" for conditionals using []. It's just a very
    small nitpick though and it will only fail for POSIX shells. Bash on
    the other side accepts it anyway.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog
2018-04-26 08:04:52 +02:00
aszlig 3e11ff6e0d
nixos/dhparams: Introduce a 'stateful' option
This option allows us to turn off stateful generation of Diffie-Hellman
parameters, which in some way is still stateful as the generated DH
params file is non-deterministic.

However what we can avoid with this is to have an increased surface for
failures during system startup, because generation of the parameters is
done during build-time.

Another advantage of this is that we no longer need to take care of
cleaning up the files that are no longer used and in my humble opinion I
would have preferred that #11505 (which puts the dhparams in the Nix
store) would have been merged instead of #22634 (which we have now).

Luckily we can still change that and this change gives the user the
option to put the dhparams into the Nix store.

Beside of the more obvious advantages pointed out here, this also
effects test runtime if more services are starting to use this (for
example see #39507 and #39288), because generating DH params could take
a long time depending on the bit size which adds up to test runtime.

If we generate the DH params in a separate derivation, subsequent test
runs won't need to wait for DH params generation during bootup.

Of course, tests could still mock this by force-disabling the service
and adding a service or activation script that places pre-generated DH
params in /var/lib/dhparams but this would make tests less readable and
the workaround would have to be made for each test affected.

Note that the 'stateful' option is still true by default so that we are
backwards-compatible with existing systems.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog, @abbradar, @fpletz
2018-04-26 08:04:50 +02:00
aszlig 761266bd18
nixos/dhparams: Turn params into a submodule
We're going to implement an option which allows us to turn off stateful
handling of Diffie-Hellman parameter files by putting them into the Nix
store.

However, modules now might need a way to reference these files, so we
add a now path option to every param specified, which carries a
read-only value of the path where to find the corresponding DH params
file.

I've also improved the description of security.dhparams.params a bit so
that it uses <warning/> and <note/>.

The NixOS VM test also reflects this change and checks whether the old
way to specify the bit size still works.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog
2018-04-26 08:04:48 +02:00
Gregor Kleen 79eebad055 Fix incorrect merge 2018-04-21 22:34:39 +02:00
Matthew Justin Bauer 1eea73eaa8
Merge branch 'master' into feat/acme/delay 2018-04-21 14:53:23 -05:00
Matthew Justin Bauer aeff4242db
Merge pull request #31969 from Assassinkin/master
Update sssd integration with pam as documented by RedHat
2018-04-21 14:36:47 -05:00
Nikolay Amiantov 4fc0b4edca acme service: generate a CA for self-signed certificate
This is needed because simp_le expects two certificates in fullchain.pem, leading to error:

> Not enough PEM encoded messages were found in fullchain.pem; at least 2 were expected, found 1.

We now create a CA and sign the key with it instead, providing correct fullchain.pem.

Also cleanup service a bit -- use PATH and a private temporary directory (which
is more suitable).
2018-04-17 12:53:29 +03:00
Reuben D'Netto 42a84598fb Added cross-references to NixOS manual 2018-04-12 09:39:14 +10:00
Frederik Rietdijk 0aa59a08d6 Merge master into staging 2018-04-09 15:12:32 +02:00
Jörg Thalheim e8cfda7f13 lxc: enable pam_cgfs and fix module
pam_cgfs was part in lxcfs before and moved here

fixes #37985
2018-04-09 08:15:00 +01:00
Matthew Justin Bauer 75616ceb49
Merge pull request #37840 from matthewbauer/unixtools
Cross-platform "unixtools"
2018-03-27 18:43:03 -05:00
Will Dietz cb30a1b425 wrapper.c: fixup includes to work w/musl 2018-03-25 18:06:02 -05:00
Wout Mertens 527e97f333
acme module: update for simp_le v0.8
Hopefully fixes #37689
2018-03-24 17:43:32 +01:00
Geoffrey Huntley a88ec5e8a5 duosec: use root uid as sshd uid has been retired (#33597)
* fix: use root uid as sshd uid has been retired

fixes https://github.com/NixOS/nixpkgs/issues/10088
related PR (abandoned) at https://github.com/NixOS/nixpkgs/pull/15391

* must use "sshd" user otherwise duosec does not work in multi user mode

see https://github.com/duosecurity/duo_unix/issues/89#issuecomment-272062632
2018-03-21 18:46:35 -05:00
giraffito b9639d7e1f
nixos/security: fix description of sudo.wheelNeedsPassword
the previous description mistakenly described the opposite semantics
2018-03-16 21:50:46 +00:00
Shea Levy a183563cf0
Revert "Merge branch 'setuid-wrapper-readlink'"
Kernel symlinks don't have st_size. Really thought I tested this, guess I ran the
wrong NixOS test :(

This reverts commit 6dab907ebe, reversing
changes made to eab479a5f0.
2018-03-07 17:09:05 -05:00
Shea Levy dffa3d2b1f
nixos: setuid-wrapper: simplify readlink logic 2018-03-07 11:57:43 -05:00
Shea Levy fec543436d
nixos: Move uses of stdenv.shell to runtimeShell. 2018-03-01 14:38:53 -05:00
Shea Levy fe406d66b2
nixos: sudo: Use build-time visudo for syntax check. 2018-02-28 15:01:33 -05:00
Jan Tojnar a31d98f312
tree-wide: autorename gnome packages to use dashes 2018-02-25 17:41:16 +01:00
Dawid Ciężarkiewicz 5c746a0a84 nixos/pam: support for Google Authenticator 2018-02-09 21:09:03 -08:00
Robert Schütz b5ecdfa977 nixos/acme: Fix xml (#34683) 2018-02-06 23:27:28 +00:00
Joachim Schiele edeacd00ad security.acme: default name value via module system (#34388) 2018-02-06 21:08:57 +00:00
Leon Schuermann f297ddb5c9 sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00
zimbatm 1276a3b12a
nixos/acme: configurable TOS hash (#33522)
This hash tends to change and upstream simp_le doesn't seem to keep up
with the changes.
2018-01-11 14:19:15 +00:00
Ben Gamari b2cbffae64 nixos/security-wrapper: Fix cross-compilation 2018-01-09 11:25:19 -05:00
gnidorah f15fad898b pam: add optional pam_gnome_keyring integration 2018-01-01 21:58:37 +03:00
Jörg Thalheim 0bbf671b5a
Merge pull request #31157 from sorki/lxcfs_pam_related
[wip] lxcfs,pam: disable cgmanager, enable pam_cgfs, lxcfs 2.0.7 -> 2.0.8
2018-01-01 15:42:03 +01:00
gnidorah b9851a975e Make less known wayland compositors usable (#32285)
* bemenu: init at 2017-02-14

* velox: 2015-11-03 -> 2017-07-04

* orbment, velox: don't expose subprojects

the development of orbment and velox got stuck
their subprojects (bemenu, dmenu-wayland, st-wayland) don't work correctly outside of parent projects
so hide them to not confuse people
swc and wld libraries are unpopular and unlike wlc are not used by anything except velox

* pythonPackages.pydbus: init at 0.6.0

* way-cooler: 0.5.2 -> 0.6.2

* nixos/way-cooler: add module

* dconf module: use for wayland

non-invasive approach for #31293
see discussion at #32210

* sway: embed LD_LIBRARY_PATH for #32755

* way-cooler: switch from buildRustPackage to buildRustCrate #31150
2017-12-21 16:16:19 +00:00
Assassinkin de67f50351 Update sssd integration with pam as documented by RedHat 2017-11-22 18:07:04 +01:00
Gregor Kleen e70d293b6b nixos/acme: Allow for time window between cert issue and activation 2017-11-19 17:25:00 +01:00
Bjørn Forsman 3f36f167e6 nixos/pam: fix docs about path to u2f_keys file
Looking at upstream git repo (git://github.com/Yubico/pam-u2f.git) the
docs initially said the path was ~/.yubico/u2f_keys, but it was later
changed to ~/.config/Yubico/u2f_keys (in 2015).

I have run pam_u2f.so with "debug" option and observed that the correct
path indeed is ~/.config/Yubico/u2f_keys.
2017-11-17 17:50:40 +01:00
Pierre-Etienne Meunier 538acd9060 ACME module: add server option (#31122) 2017-11-02 11:10:47 +01:00
Richard Marko 4e26054ff5 pam, lxcfs: enable pam_cgfs
Related to #30023
2017-11-02 02:52:08 +01:00
Chris Martin 0581038e8e nixos/acme: remove doc note about restarting nginx
Discussion from #30945 indicates that it is no longer true that you have
to restart nginx.
2017-10-30 13:51:35 -04:00
edef ea35bc94bf nixos/ecryptfs: init
Currently, ecryptfs support is coupled to `security.pam.enableEcryptfs`, but one
might want to use ecryptfs without enabling the PAM functionality. This commit
splits it out into a `boot.supportedFilesystems` switch.
2017-10-20 17:42:04 +01:00
gnidorah 7867b50881 nixos/pam: add swaylock (#29919) 2017-10-20 16:30:28 +00:00
Tristan Helmich c6761f8578 security.pam.usb: link to wiki on github.com
pamusb.org no longer serves the intended content.
2017-09-28 16:00:28 +02:00
Joachim Fasting 1df6cf5d1d
nixos/lock-kernel-modules: fix deferred fileSystem mounts
Ensure that modules required by all declared fileSystems are explicitly
loaded.  A little ugly but fixes the deferred mount test.

See also https://github.com/NixOS/nixpkgs/issues/29019
2017-09-22 23:55:04 +02:00
Joachim Fasting 15a4f9d8ef
nixos/hardened: simplify script 2017-09-22 23:53:06 +02:00
Michael Weiss 351f5fc585 fuse3: init at 3.1.1
This includes fuse-common (fusePackages.fuse_3.common) as recommended by
upstream. But while fuse(2) and fuse3 would normally depend on
fuse-common we can't do that in nixpkgs while fuse-common is just
another output from the fuse3 multiple-output derivation (i.e. this
would result in a circular dependency). To avoid building fuse3 twice I
decided it would be best to copy the shared files (i.e. the ones
provided by fuse(2) and fuse3) from fuse-common to fuse (version 2) and
avoid collision warnings by defining priorities. Now it should be
possible to install an arbitrary combination of "fuse", "fuse3", and
"fuse-common" without getting any collision warnings. The end result
should be the same and all changes should be backwards compatible
(assuming that mount.fuse from fuse3 is backwards compatible as stated
by upstream [0] - if not this might break some /etc/fstab definitions
but that should be very unlikely).

My tests with sshfs (version 2 and 3) didn't show any problems.

See #28409 for some additional information.

[0]: https://github.com/libfuse/libfuse/releases/tag/fuse-3.0.0
2017-09-21 23:59:46 +02:00
Joachim Fasting bb036a327c
nixos/chromium-suid-sandbox: remove reference to grsecurity 2017-09-02 20:35:28 +02:00
Joachim Fasting 268eb4adb7
nixos: purge remaining grsecurity bits
:(

Fixes https://github.com/NixOS/nixpkgs/issues/28859
2017-09-02 20:35:24 +02:00
Benjamin Staffin 2e65e2df94 nixos: Fix pam_kwallet5 integration
Fixes #28469
2017-08-22 11:52:14 -04:00
Christian Albrecht 93965870a8 nixos/auditd: break ordering cycle (#27577)
auditd creates an ordering cycle by adding wantedBy = [ "basic.target" ],
because of this the job job systemd-update-utmp.service/start is deleted.

Adding unitConfig.DefaultDependencies = false; to the auditd service unbreaks the cycle.

See also #11864
2017-08-01 20:45:01 +01:00
Christian Albrecht ebaff599ba nixos/auditd: init at 2.7.6 (#27261)
#11864 Support Linux audit subsystem
Add the auditd.service as NixOS module to be able to
generate profiles from /var/log/audit/audit.log
with apparmor-utils.

auditd needs the folder /var/log/audit to be present on start
so this is generated in ExecPreStart.

auditd starts with -s nochange so that effective audit processing
is managed by the audit.service.
2017-07-09 17:59:09 +01:00
Jörg Thalheim 343ad1697d Merge pull request #26897 from layus/nixos-terminfo
terminfo: symlink terminfo to /etc for ncurses
2017-07-01 09:27:24 +01:00
Guillaume Maudoux bd562949cf terminfo: symlink terminfo to /etc for ncurses 2017-06-30 11:17:11 +02:00
tv ea44ca47f3 security-wrapper: run activation script after specialfs
Ensures that parentWrapperDir exists before it is used.

Closes #26851
2017-06-26 09:26:16 +02:00
Parnell Springmeyer 5ca644c228
Fixing attribute name mistake: setguid => setgid 2017-06-15 19:25:43 -07:00
Bjørn Forsman 6a55fda61e nixos/acme: improve documentation
* Use literalExample for better readability
* Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
2017-06-09 19:35:17 +02:00
Bjørn Forsman 7a0e958b97 nixos/acme: support "full.pem" (for lighttpd)
* Create "full.pem" from selfsigned certificate
* Tell simp_le to create "full.pem"
* Inject service dependency between lighttpd and the generation of certificates

Side note: According to the internet these servers also use the
"full.pem" format: pound, ejabberd, pure-ftpd.
2017-06-09 19:35:17 +02:00
lassulus fd7a8f1b91 nixos/security/acme: fix acme folder permissions 2017-05-11 18:49:26 +02:00
Joachim Fasting 56e1133d75
nixos/lock-kernel-modules: fix typo in unitConfig
I managed to miss this one somehow ... meh
2017-04-30 15:17:29 +02:00
Joachim Fasting 878ad1ce6e
nixos: add option to lock kernel modules
Adds an option `security.lockKernelModules` that, when enabled, disables
kernel module loading once the system reaches its normal operating state.

The rationale for this over simply setting the sysctl knob is to allow
some legitmate kernel module loading to occur; the naive solution breaks
too much to be useful.

The benefit to the user is to help ensure the integrity of the kernel
runtime: only code loaded as part of normal system initialization will be
available in the kernel for the duration of the boot session.  This helps
prevent injection of malicious code or unexpected loading of legitimate
but normally unused modules that have exploitable bugs (e.g., DCCP use
after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework
CVE-2017-7184, L2TPv3 CVE-2016-10200).

From an aestethic point of view, enabling this option helps make the
configuration more "declarative".

Closes https://github.com/NixOS/nixpkgs/pull/24681
2017-04-30 12:05:37 +02:00
Joachim Fasting 32b8512e54
grsecurity: discontinue support
Upstream has decided to make -testing patches private, effectively ceasing
free support for grsecurity/PaX [1].  Consequently, we can no longer
responsibly support grsecurity on NixOS.

This patch turns the kernel and patch expressions into build errors and
adds a warning to the manual, but retains most of the infrastructure, in
an effort to make the transition smoother.  For 17.09 all of it should
probably be pruned.

[1]: https://grsecurity.net/passing_the_baton.php
2017-04-28 12:35:15 +02:00
edanaher e3559c23c2 acme: Add "domain" option to separate domain from name
Fixes #24731.
2017-04-11 18:28:05 +02:00
Eelco Dolstra 01dbf03628
network-link-*.service: Set stopIfChanged = false
This reduces the time window during which IP addresses are gone during
switch-to-configuration. A complication is that with stopIfChanged =
true, preStop would try to delete the *new* IP addresses rather than
the old one (since the preStop script now runs after the switch to the
new configuration). So we now record the actually configured addresses
in /run/nixos/network/addresses/<interface>. This is more robust in
any case.

Issue https://github.com/NixOS/nixops/issues/640.
2017-04-04 15:13:49 +02:00
Niklas Hambüchen ee0f3e7ad9 acme: Use chown -R for challenges directory. Fixes #24529.
Commit 75f131da02 added
`chown 'nginx:nginx' '/var/lib/acme'` to the pre-start script,
but since it doesn't use `chown -R`, it is possible that there
are older existing subdirs (like `acme-challenge`)
that are owned to `root` from before that commit went it.
2017-04-01 15:22:01 +02:00
Robin Gloster e82baf043e
security-wrapper: link old wrapper dir to new one
This makes setuid wrappers not fail after upgrading.

references #23641, #22914, #19862, #16654
2017-03-23 15:57:30 +01:00
Robin Gloster 45f486f096
Revert "security-wrapper: Don't remove the old paths yet as that can create migration pain"
This reverts commit 4c751ced37.

This does not fix the issue as /run is now mounted with nosuid.
2017-03-23 15:57:23 +01:00
Robin Gloster f2ff646e59 Merge pull request #23641 from awakenetworks/parnell/fix-wrapper-migration
security-wrapper: Don't remove the old paths yet as that can create migration pain
2017-03-21 13:40:15 +01:00
Franz Pletz fb50cde71e
nixos/treewide: systemd.time is in manvolume 7
cc #23396
2017-03-21 08:28:53 +01:00
Franz Pletz 9536169074
nixos/treewide: remove boolean examples for options
They contain no useful information and increase the length of the
autogenerated options documentation.

See discussion in #18816.
2017-03-17 23:36:19 +01:00
Léo Gaspard 66e54f25a1 dhparams module: condition on enable option (#23661)
Hence, the init/cleanup service only runs when the dhparams module is enabled.
2017-03-17 01:56:13 +01:00
zetok 4ca17dd6c0 gresecurity docs: fix incorrect option (#23789) 2017-03-12 15:05:14 +01:00
Parnell Springmeyer 4c751ced37
security-wrapper: Don't remove the old paths yet as that can create migration pain 2017-03-08 08:57:52 -06:00
Jesper Geertsen Jonsson 056e57678d
grsecurity docs: fix syntax and indentation errors
Closes https://github.com/NixOS/nixpkgs/pull/23515
2017-03-05 16:05:43 +01:00
Thomas Tuegel 8eb4d2afbc
Remove top-level kde5 attribute
- There is no such thing as KDE 5
2017-02-27 11:49:10 -06:00
Robin Gloster 940492cef5 Merge pull request #22634 from Ekleog/dhparams
dhparams module: initialize
2017-02-23 17:16:04 +01:00
Vladimír Čunát 4509487e82
nixos polkit: fixup setuid wrapper of pkexec
Broken in 628e6a8.  Fixes #23083.
2017-02-22 23:04:21 +01:00
Nikolay Amiantov 2cc4703a2d wrappers service: make /run/wrappers a mountpoint
Also remove some compatibility code because the directory in question would be
shadowed by a mountpoint anyway.
2017-02-21 12:13:35 +03:00
Robin Gloster 12b4556642 Merge pull request #22882 from bjornfor/wireshark
nixos: add programs.wireshark option
2017-02-20 14:03:30 +01:00
Joachim F 6dbe55ca68 Merge pull request #20456 from ericsagnes/feat/loaf-dep-1
Use attrsOf in place of loaOf when relevant
2017-02-19 15:49:25 +01:00
Léo Gaspard e2c78910d1
dhparams module: initialize 2017-02-18 00:07:03 +01:00
Robin Gloster 070825d443
setcapWrapper: add support for setting permissions 2017-02-17 15:42:54 +01:00
Benjamin Staffin 463e90273f pam: add optional pam_kwallet5 integration 2017-02-16 02:26:42 -05:00
Bjørn Forsman ce0a52f9bf nixos/security.wrappers: improve documentation
* The source attribute is mandatory, not optional
* The program attribute is optional
* Move the info about the mandatory attribute first (most important,
  IMHO)
2017-02-15 20:05:27 +01:00
Bjørn Forsman f9cb2b5640 nixos/security.wrappers: use literalExample in documentation
It's much more readable when the example attrset is pretty printed
instead of written as one line.
2017-02-15 09:08:41 +01:00
Bjørn Forsman 448acd8e5e nixos: remove remaining reference to setuidPrograms
The option doesn't exist anymore.
2017-02-15 07:25:33 +01:00
Parnell Springmeyer 1f83f1c878
security-wrapper: Wrap <para> tags in a <note> tag 2017-02-14 21:30:04 -06:00
Parnell Springmeyer 69794e333a
Using para tags for manual formatting 2017-02-14 08:53:30 -06:00
Parnell Springmeyer 794b3721bc
Syntax wibble 2017-02-14 08:42:08 -06:00
Parnell Springmeyer e856d6efe8
Default should be to set owner and group to root on setcap wrappers too 2017-02-14 08:40:12 -06:00
Parnell Springmeyer c01689f8da
Fixing ref to old-wrappersDir 2017-02-14 08:33:07 -06:00
Parnell Springmeyer f8b8c353ff
Simplifying the wrapper program derivation 2017-02-14 08:27:40 -06:00
Parnell Springmeyer fb6d13c01a
Addressing feedback and fixing a bug 2017-02-14 07:38:45 -06:00
Parnell Springmeyer ba499e3aa0
Removing unused module option old-wrapperDir 2017-02-14 07:30:21 -06:00
Parnell Springmeyer a27f35993d
Derp, correctly write the source program's path 2017-02-13 18:28:13 -06:00
Parnell Springmeyer cca2e11556
Resurrecting the single-wrapper read from sibling .real file behavior 2017-02-13 18:03:06 -06:00
Parnell Springmeyer 9e36a58649
Merging against upstream master 2017-02-13 17:16:28 -06:00
Graham Christensen 96d767de62
pam_oath: require OATH and pam_unix credentials to be valid 2017-02-12 18:27:11 -05:00
Joachim Fasting 0c31286f75
grsecurity docs: some polish
Fix minor formatting issues, excessive punctuation, and also some
improved wording.
2017-02-03 18:47:07 +01:00
Parnell Springmeyer 128bdac94f
Conditionally logging debug messages based on the WRAPPER_DEBUG env var being set (or not) 2017-01-30 12:59:29 -06:00
Parnell Springmeyer d8ecd5eb0d
Switching to individually generated derivations 2017-01-30 12:26:56 -06:00
Parnell Springmeyer 264db4e309
Set merge + mkIf always surprises me 2017-01-29 17:10:32 -06:00
Parnell Springmeyer f2f3f1479e
Derp, wrong path name 2017-01-29 16:54:27 -06:00
Parnell Springmeyer 0f728de67e
More migration cleanup + todos for cleanup 2017-01-29 16:52:23 -06:00
Parnell Springmeyer 4856b42ab6
Gotta provide sane defaults! This is what I get for 5AM coding 2017-01-29 16:47:14 -06:00
Parnell Springmeyer cfe4351c33
I'm clearly very tired 2017-01-29 05:39:54 -06:00
Parnell Springmeyer 1cc500ea8e
Syntax wibble 2017-01-29 05:34:50 -06:00
Parnell Springmeyer 628e6a83d0
More derp 2017-01-29 05:33:56 -06:00
Parnell Springmeyer 70b8167d4a
A few more tweaks 2017-01-29 05:05:30 -06:00
Parnell Springmeyer 4aa0923009
Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00
Parnell Springmeyer af3b9a3d46
More wibbles? 2017-01-29 01:41:39 -06:00
Parnell Springmeyer 48564d1ae5
Another wibble 2017-01-29 01:31:33 -06:00
Parnell Springmeyer 5077699605
Derp derp 2017-01-29 01:27:11 -06:00
Parnell Springmeyer 0707a3eaa2
Qualify with lib 2017-01-29 01:23:10 -06:00
Parnell Springmeyer 8e159b9d1e
Qualify mkOption with lib 2017-01-29 01:22:47 -06:00
Parnell Springmeyer 70ec24093c
Removing dead code 2017-01-29 01:22:19 -06:00
Parnell Springmeyer 82de4c0fad
setcap-wrapper: Syntax wibble 2017-01-29 01:20:02 -06:00
Parnell Springmeyer 7680a40a37
setcap-wrapper: Syntax wibble 2017-01-29 01:16:04 -06:00
Parnell Springmeyer 2f113ee90a
setcap-wrapper: Minor refactor 2017-01-29 01:08:36 -06:00
Parnell Springmeyer 3fe7b1a4c9
setcap-wrapper: Addressing more PR feedback, unifying drvs, and cleaning up a bit 2017-01-29 01:07:12 -06:00
Parnell Springmeyer e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Parnell Springmeyer 9de070e620
Setuid wrapper should not be constrained to a specific linux kernel version 2017-01-26 09:39:37 -08:00
Parnell Springmeyer 01e6b82f3f
Removing dead code 2017-01-26 09:20:15 -08:00
Parnell Springmeyer 189a0c2579
Wrap with quotes as-per GCC's recommendation 2017-01-26 02:07:36 -08:00
Parnell Springmeyer c30cf645f8
Make setting of the wrapper macros a compile-time error 2017-01-26 02:06:24 -08:00
Parnell Springmeyer a26a796d5c
Merging against master - updating smokingpig, rebase was going to be messy 2017-01-26 02:00:04 -08:00
Parnell Springmeyer ad8fde5e5d
Andddd more derp 2017-01-26 01:33:25 -08:00
Parnell Springmeyer ce36b58e21
Derp 2017-01-26 01:31:49 -08:00
Parnell Springmeyer f64b06a3e0
Hmmm 2017-01-26 01:13:19 -08:00
Parnell Springmeyer fd974085bf
It's clearly quite late 2017-01-26 01:04:12 -08:00
Parnell Springmeyer 61fe8de40c
Silly, should just have one activation script 2017-01-26 01:03:18 -08:00
Parnell Springmeyer 48a0c5a3a7
More fixing 2017-01-26 01:00:46 -08:00
Parnell Springmeyer 21368c4c67
Hmm, unnecessary 2017-01-26 00:58:44 -08:00
Parnell Springmeyer a4f905afc2
Enhhh I think compile time macros are gross 2017-01-26 00:41:00 -08:00
Parnell Springmeyer 785684f6c2
Ahhh, my compile-time macros confused me...of course they did... 2017-01-26 00:39:17 -08:00
Parnell Springmeyer 1ad541171e
Hmm 2017-01-26 00:36:35 -08:00
Parnell Springmeyer e8bec4c75f
Implicit declared function... 2017-01-26 00:35:01 -08:00
Parnell Springmeyer a20e65724b
Fixing 2017-01-26 00:32:59 -08:00
Parnell Springmeyer 025555d7f1
More fixes and improvements 2017-01-26 00:05:40 -08:00
Parnell Springmeyer bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Franz Pletz 516760a6fb
nixos/acme: add random delay to timer
This way we behave like good citizens and won't overload Let's Encrypt
with lots of cert renewal requests at the same time.
2017-01-25 19:15:04 +01:00
Jörg Thalheim 30a554acfb
apparmor: support for lxc profiles 2017-01-10 23:01:03 +01:00
teh a878365b77 nixos docs: update for Nginx + ACME (#21320)
Closes #20698.
2017-01-09 06:39:10 +01:00
Alexander Kahl 61d125b842 sssd: init at 1.14.2
perlPackages.TextWrapI18N: init at 0.06
perlPackages.Po4a: init at 0.47
jade: init at 1.2.1
ding-libs: init at 0.6.0

Switch nscd to no-caching mode if SSSD is enabled.

abbradar: disable jade parallel building.

Closes #21150
2017-01-04 03:07:20 +03:00
Joachim Fasting f39d13cd3e
grsecurity doc: describe work-around for gitlab
Fixes https://github.com/NixOS/nixpkgs/issues/20959
2016-12-08 11:59:57 +01:00
Joachim Fasting 984d9ebb56
hidepid: polkit and systemd-logind compatibility
`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.

systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.

Fixes https://github.com/NixOS/nixpkgs/issues/20948
2016-12-07 01:12:05 +01:00
Joachim Fasting 0e765c72e5
grsecurity: enable module hardening 2016-12-06 01:23:58 +01:00
Joachim Fasting 31d79afbe5
grsecurity docs: note that pax_sanitize_slab defaults to fast 2016-12-06 01:23:51 +01:00
Joachim Fasting 071fbcda24
grsecurity: enable optional sysfs restrictions
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
2016-12-06 01:23:36 +01:00
Joachim Fasting 8c1f5afdf3
grsecurity: delay toggling of sysctls until system is up
We generally trust init, so there's little point in having these enabled
during early bootup; it accomplishes little except fill our logs with
spam.
2016-12-06 01:22:53 +01:00
Domen Kožar 75f131da02 acme: ensure nginx challenges directory is writeable 2016-11-29 15:56:01 +01:00
Joachim Fasting e99228db30
grsecurity module: force a known good kernel package set
Previously, we would only set a default value, on the theory that
`boot.kernelPackages` could be used to sanely configure a custom grsec
kernel.  Regrettably, this is not the case and users who expect e.g.,
`boot.kernelPackages = pkgs.linuxPackages_latest` to work will end up
with a non-grsec kernel (this problem has come up twice on the bug
tracker recently).

With this patch, `security.grsecurity.enable = true` implies
`boot.kernelPackages = linuxPackages_grsec_nixos` and any customization
must be done via package override or by eschewing the module.
2016-11-28 12:11:04 +01:00
Joachim Fasting 2eb6ec1bc4
grsecurity module: remove code pertaining to zfs
I don't know if it still the case that zfs fails to boot; either way,
that's the user's responsibility to contend with.
2016-11-20 23:01:22 +01:00
Joachim Fasting 98935c7103
grsecurity module: remove requiredKernelConfig
Using a custom package set with the NixOS module is no longer
something I wish to support.  It's still *possible* but not
advertised.  Secondly, the requiredKernelConfig didn't really
do anything (setting kernelPackages to a non-grsec kernel would
just silently let the user boot into a non-grsec setup ...).
2016-11-20 23:00:41 +01:00
Joachim Fasting 5ad8a56d16
grsecurity module: remove use of mkEnableOption 2016-11-20 23:00:24 +01:00
Eric Sagnes 9513ab45aa duosec module: use enum 2016-11-16 22:36:05 +09:00
Eric Sagnes e5b7975fe3 acme module: certs option loaOf -> attrsOf 2016-11-16 16:28:27 +09:00
Timofei Kushnir faa6f9b6b3 grsecurity: fix 'isYes' and 'isNo' 2016-10-29 14:26:06 +03:00
Domen Kožar 41c490b75e acme: we do want to support ipv4 afterall 2016-10-21 13:25:11 +02:00
Domen Kožar d8f21b3ca3 acme: provide full nginx example
(cherry picked from commit 2af7382f76)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-10-21 13:19:04 +02:00
Alexander Ried d91365d714 audit module: only enable service if kernel has audit (#19569) 2016-10-15 16:03:41 +02:00
Franz Pletz 0d59fc1169
cacerts: refactor, add blacklist option
Previously, the list of CA certificates was generated with a perl script
which is included in curl. As this script is not very flexible, this commit
refactors the expression to use the python script that Debian uses to
generate their CA certificates from Mozilla's trust store in NSS.

Additionally, an option was added to the cacerts derivation and the
`security.pki` module to blacklist specific CAs.
2016-10-09 02:00:18 +02:00
Ricardo M. Correia 1623476904 nixos.acme: make timer persistent
This makes sure that if the system was powered off when the timer was
supposed to trigger, it will run the next time the system boots up.
2016-10-03 19:31:42 +02:00
Joachim Fasting 98e2b90cf3
grsecurity doc: note that module autoload hardening is disabled 2016-10-02 19:25:58 +02:00
Joachim Fasting 1bb7b44cd7
grsecurity: make GRKERNSEC y and PAX y implicit
These options should always be specified. Note, an implication of this
change is that not specifying any grsec/PaX options results in a build
failure.
2016-10-02 19:25:58 +02:00
Joachim F 7e80c42b0e Merge pull request #18511 from ericsagnes/feat/remove-optionSet
modules: optionSet -> submodule
2016-10-01 17:57:45 +02:00
Shea Levy 3f02cbbcaf Merge branch 'rngd-wantedBy' of git://github.com/srp/nixpkgs-1 2016-09-19 19:06:51 -04:00
Scott R. Parish a560223119 rngd: update modalias to match cpu type
It looks like the cpu type part of modalias might have changed, my
systems (4.4.20 and 4.7.2) show something like the following:

```
cpu:type:x86,ven0000fam0006mod003F:feature:,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000B,000C,000D,000E,000F,0010,0011,0013,0017,0018,0019,001A,001C,002B,0034,003B,003D,0068,006F,0070,0072,0074,0075,0076,007D,0080,0081,0089,008C,008D,0091,0093,0094,0095,0096,0097,0098,0099,009A,009B,009C,009D,009E,009F,00C0,00C5,0120,0123,0125,0127,0128,0129,012A,0140
```

Update the rngd modalias rule to match this so udev properly has
systemd start rngd.
2016-09-17 18:36:57 -07:00
Thomas Tuegel 9300b4903f
Revert "nixos/pam: clean up generated files (no functional change) (#18580)"
This reverts commit 1010271c63.
This reverts commit e85e51d41f.

The first commit causes multiple regressions. The second commit tries to
fix the regressions, but does not catch all of them. There are multiple
failing tests, one of which is blocking a package update. That is not
acceptable for a cosmetic patch.
2016-09-17 16:39:49 -05:00
aszlig e85e51d41f
nixos/pam: Fix wrong string concatenation
Regression introduced by 1010271c63.

This caused the line after using the loginuid module to be concatenated
with the next line without a newline.

In turn this has caused a lot of the NixOS VM tests to either run very
slowly (because of constantly hitting PAM errors) or simply fail.

I have tested this only with one of the failing NixOS tests.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-09-16 15:36:31 +02:00
Joachim Fasting 527b3dc1df
hidepid module: detailed description to external doc 2016-09-15 15:36:03 +02:00
Bjørn Forsman 1010271c63 nixos/pam: clean up generated files (no functional change) (#18580)
The generated files in /etc/pam.d/ typically have a lot of empty lines
in them, due to how the generated Nix strings are joined together;
optional elements that are excluded still produce a newline. This patch
changes how the files are generated to create more compact,
human-friendly output files.

The change is basically this, repeated:

-  ''
-    ${optionalString use_ldap
-        "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
-  ''
+  optionalString use_ldap ''
+    account sufficient ${pam_ldap}/lib/security/pam_ldap.so
+  ''
2016-09-14 11:56:07 +01:00
Roger Qiu de0737aed5 sudo: Allow root to use sudo to switch groups 2016-09-13 23:15:56 +10:00
Eric Sagnes fff4a9ee01 pam module: optionSet -> submodule 2016-09-13 12:53:09 +09:00
Eric Sagnes 3acf336f15 acme module: optionSet -> submodule 2016-09-13 12:53:09 +09:00
Franz Pletz 9190dbcc0e Merge pull request #18366 from groxxda/acme-loop
security.acme: require networking for client, remove loop without fallbackHost
2016-09-06 23:02:07 +02:00
Alexander Ried 7f98dca782 security.acme: the client really needs networking
Actually this can be improved since the client only needs network
connectivity if it needs to renew the certificate.
2016-09-06 17:47:00 +02:00
Eelco Dolstra 98102ebd92 Enable the runuser command from util-linux
Fixes #14701.
2016-09-06 17:23:27 +02:00
Joachim Fasting 269f739ded
grsecurity module: set nixpkgs.config.grsecurity = true 2016-09-05 00:56:17 +02:00
Domen Kožar 393e646e4f setuid-wrappers: correctly umount the tmpfs 2016-09-04 17:56:00 +02:00
Karn Kallio 8d977ead38
setuid-wrappers : Prepare permissions for running wrappers
The new setuid-wrappers in /run cannot be executed by users due to:

1) the temporary directory does not allow access
2) the /run is mounted nosuid
2016-09-04 03:19:32 +02:00
Parnell Springmeyer d60581d4d6 Resolving that silly bad argument error. 2016-09-01 19:26:54 -05:00
Parnell Springmeyer c686da8655 Updatig the chromium-suid-sandbox module 2016-09-01 19:26:30 -05:00
Parnell Springmeyer 98c058a1ee Adapting everything for the merged permissions wrappers work. 2016-09-01 19:21:06 -05:00
Parnell Springmeyer 390ab0b3ef everything?: Updating every package that depended on the old setuidPrograms configuration. 2016-09-01 19:17:43 -05:00
Parnell Springmeyer 79e81aa31b security: Removing the old wrappers and replacing with 'permissions-wrappers' 2016-09-01 19:15:56 -05:00
Parnell Springmeyer c16647ec29 security: switching to linuxHeaders so we always stay current with the selected kernel. 2016-09-01 19:15:56 -05:00
Parnell Springmeyer 2efb60c8e9 security: tweaking the setcap-wrapper example to be more relevant 2016-09-01 19:15:56 -05:00
Parnell Springmeyer 1c0f672f7a security: update setcap-wrappers dir to match the system-level dir we're creating on init 2016-09-01 19:15:56 -05:00
Parnell Springmeyer b3d63f8191 security: whitespace wibble 2016-09-01 19:13:54 -05:00
Parnell Springmeyer bfc3956376 security: adding setcap-wrapper functionality 2016-09-01 19:13:54 -05:00
Domen Kožar a6670c1a0b Fixes #18124: atomically replace /var/setuid-wrappers/ (#18186)
Before this commit updating /var/setuid-wrappers/ folder introduced
a small window where NixOS activation scripts could be terminated
and resulted into empty /var/setuid-wrappers/ folder.

That's very unfortunate because one might lose sudo binary.

Instead we use two atomic operations mv and ln (as described in
https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/)
to achieve atomicity.

Since /var/setuid-wrappers is not a directory anymore, tmpfs mountpoints
were removed in installation scripts and in boot process.

Tested:

- upgrade /var/setuid-wrappers/ from folder to a symlink
- make sure /run/setuid-wrappers-dirs/ legacy symlink is really deleted
2016-09-01 20:57:51 +02:00
Tuomas Tynkkynen 8c4aeb1780 Merge staging into master
Brings in:
    - changed output order for multiple outputs:
      https://github.com/NixOS/nixpkgs/pull/14766
    - audit disabled by default
      https://github.com/NixOS/nixpkgs/pull/17916

 Conflicts:
	pkgs/development/libraries/openldap/default.nix
2016-09-01 13:27:27 +03:00
Tuomas Tynkkynen 16b3e26da4 audit: Disable by default
Because in its default enabled state it it causes a global performance
hit on all system calls (https://fedorahosted.org/fesco/ticket/1311) and
unwanted spam in dmesg, in particular when using Chromium
(https://github.com/NixOS/nixpkgs/issues/13710).
2016-08-31 23:15:41 +03:00
Tuomas Tynkkynen 5eff0b990c audit service: Explicitly call auditctl to disable everything
Otherwise, journald might be starting auditing.
Some reading:
    - https://fedorahosted.org/fesco/ticket/1311
    - https://github.com/systemd/systemd/issues/959
    - 64f83d3087
2016-08-31 23:15:32 +03:00
Domen Kožar d8d75ddec6 Revert "setuid-wrappers: Update wrapper dir atomically."
This reverts commit ee535056ce.

It doesn't work yet.
2016-08-31 16:25:18 +02:00
Nikolay Amiantov 4499a505ed hidepid service: use new boot.specialFileSystems 2016-08-31 17:16:41 +03:00
Shea Levy ee535056ce setuid-wrappers: Update wrapper dir atomically.
Fixes #18124.
2016-08-31 08:00:57 -04:00