3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

231 commits

Author SHA1 Message Date
Joachim Fasting 7a9a24a95e Update AppArmor service module
- Use AppArmor 2.9
- Enable PAM support
2015-03-12 11:49:05 +01:00
obadz e5d4624420 PAM/eCryptfs now able to mount ecryptfs'd home directories on login 2015-03-08 16:03:51 -07:00
lethalman c97d7819ab Merge pull request #6624 from joachifm/grsec-lock
nixos: grsec-lock service fixes
2015-03-02 18:49:39 +01:00
Joachim Fasting 18320d3b21 nixos: fix grsec-lock requires 2015-03-02 18:39:04 +01:00
Joachim Fasting ccd6f5a313 nixos: make the grsec-lock unit depend on the path it writes to
The grsec-lock unit fails unless /proc/sys/kernel/grsecurity/grsec_lock
exists and so prevents switching into a new configuration after enabling
grsecurity.sysctl.
2015-03-02 18:39:01 +01:00
Lluís Batlle i Rossell b26e939111 fix pam (OATH related)
the pam config was wrong.

Issue #6551
2015-02-24 17:52:41 +01:00
Lluís Batlle i Rossell 4e99901961 nixos: Adding OATH in pam.
(cherry picked from commit cb3cba54a1)

Conflicts:
	nixos/modules/security/pam.nix
2015-02-22 15:25:38 +01:00
Eelco Dolstra 5092d625d6 /etc/ssl/certs/ca-bundle.crt -> ca-certificates.crt
Even though there is no "official" standard location, it's better to
stick to what most distros are using.
2015-02-15 19:06:31 +01:00
Eelco Dolstra 75e1b5e317 Provide symlinks to ca-bundle.crt for compat with other distros
There is no "standard" location for the certificate bundle, so many
programs/libraries have various hard-coded default locations that
don't exist on NixOS. To make these more likely to work, provide
some symlinks.
2015-02-15 19:06:31 +01:00
Eelco Dolstra d2bfb5ceb0 Add options for installing additional root certificates 2015-02-05 18:08:35 +01:00
Ricardo M. Correia a11dc2f0a3 grsecurity: Add denyUSB option to grsec NixOS module
The option had been added to the grsec build-support code,
but it hadn't been added to the grsec module.

After this commit, grsec module users will be able to change
the default value. It also serves to document that this option
exists and that NixOS will disable it by default.
2015-01-20 19:18:06 +01:00
Luca Bruno 804a958663 pam: add pam_wheel 2015-01-14 18:32:08 +01:00
Shea Levy cca8bae86e Merge branch 'rngd-fix' of git://github.com/abbradar/nixpkgs 2015-01-08 09:36:29 -05:00
Nikolay Amiantov dbc0395b2b nixos/rngd: some fixes 2015-01-06 17:27:07 +03:00
Nikolay Amiantov a164a0b4c5 nixos/fprintd: add service and pam support 2015-01-03 19:50:40 +03:00
Tobias Geerinckx-Rice c64257b8e5 Fix user-facing typos (mainly in descriptions) 2014-12-30 03:31:03 +01:00
Ricardo M. Correia 1d44322d53 grsecurity: Update stable and test patches
stable: 3.0-3.14.27-201412211908 -> 3.0-3.14.27-201412280859
test:   3.0-3.17.7-201412211910  -> 3.0-3.18.1-201412281149
2014-12-29 03:00:47 +01:00
Eelco Dolstra 89697b0fc1 Improve /etc/sudoers message 2014-12-18 11:51:42 +01:00
wmertens 3cecef15d7 Revert $GIT_SSL_CAINFO removal
Users have an older git in their user environment and it doesn't work without it. We should keep it around for a while.
2014-12-01 23:07:50 +01:00
wmertens 45c1b9147f Merge pull request #5130 from wmertens/git-ssl-env
Let git use $SSL_CERT_FILE
2014-11-27 13:24:08 +01:00
Wout Mertens 72b81cf8bb Remove unnecessary $GIT_SSL_CAINFO from sys env 2014-11-26 00:30:07 +01:00
Ricardo M. Correia 389143d808 grsecurity: Update assertion msg to correct major kernel versions 2014-11-16 18:52:39 +01:00
Mathijs Kwik f356cee747 sudo: allow adding extra configuration options to the bottom of sudoers
from sudoers (5):
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
2014-11-02 13:27:05 +01:00
Ricardo M. Correia 10348a0f2c grsecurity: Update documentation to mention correct kernels 2014-10-22 16:50:36 +02:00
Eelco Dolstra bb9ee6a13f Remove some setuid wrappers for non-standard programs 2014-09-05 14:46:36 +02:00
Eelco Dolstra cd7129a037 Revert "nixos: add setuid wrappers for some networked filesystems' helpers"
This reverts commit 26a4001a98. It
breaks the NFS test:

  http://hydra.nixos.org/build/13943148

Also, having more setuid programs is a bad thing security-wise.
2014-09-05 14:43:11 +02:00
Michael Raskin 419031bcfc Merge pull request #2644 from lethalman/pam_tally
pam: Add logFailures option for adding pam_tally to su
2014-09-02 00:58:30 +04:00
Jan Malakhovski 26a4001a98 nixos: add setuid wrappers for some networked filesystems' helpers
So that `user` mount option would work allowing normal users to mount
and umount stuff marked with it in `fileSystems.<name>.options`.
2014-09-01 10:33:48 +04:00
Jan Malakhovski 8f50d803ef nixos: add support for mkhomedir in PAM 2014-09-01 10:33:48 +04:00
Eelco Dolstra 785ed2b528 Don't silently ignore errors from the activation script 2014-08-15 02:14:34 +02:00
Vladimír Čunát 87c3c0e885 Merge master into #2129
Conflicts (easy, just UID shifted):
	nixos/modules/misc/ids.nix
	nixos/modules/module-list.nix
2014-08-12 19:24:08 +02:00
Eelco Dolstra 36f99a9a82 Set $SSL_CERT_FILE
It's more standard than $OPENSSL_X509_CERT_FILE (which I guess was a
totally unnecessary patch to OpenSSL). Since curl respects
$SSL_CERT_FILE, it's no longer needed to set $CURL_CA_BUNDLE. Git
unfortunately doesn't.
2014-07-28 19:09:32 +02:00
Rastus Vernon d5daa8ae6f Fix repeated typo
"Can either by" should be "Can either be". There are three occurrences of this mistake, all in descriptions of configuration options.
2014-07-11 23:14:53 -04:00
Jaka Hudoklin 16f801cba9 nixos/pam: make pam_loginuid optional if in container 2014-06-30 11:08:39 +02:00
Austin Seipp 0399c5ee24 grsecurity: update stable/testing kernels, refactoring
This updates the new stable kernel to 3.14, and the new testing kernel
to 3.15.

This also removes the vserver kernel, since it's probably not nearly as
used.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-06-22 22:29:10 -05:00
William A. Kennington III ef4ea24420 sudo: Always keepVisudo in order to simplify sudo build 2014-06-17 22:41:32 -05:00
Ricardo M. Correia f8e108c865 nixos.tests.installer: Fix test failures due to network being disabled 2014-06-17 18:41:26 +02:00
Eelco Dolstra f5055e2ef6 Rename environment.systemVariables -> environment.sessionVariables
This makes it clearer that they're part of PAM sessions.
2014-06-13 17:57:04 +02:00
Eelco Dolstra 8ae659f16c Revert "Revert "Merge #2692: Use pam_env to properly setup system-wide env""
This reverts commit 491c088731.
2014-06-10 13:07:10 +02:00
Eelco Dolstra 491c088731 Revert "Merge #2692: Use pam_env to properly setup system-wide env"
This reverts commit 18a0cdd864.
2014-06-10 13:03:44 +02:00
Vladimír Čunát 18a0cdd864 Merge #2692: Use pam_env to properly setup system-wide env 2014-06-10 11:42:59 +02:00
Michael Raskin e68a5b265a Enable checking sudoers syntax. Fixes #2850, probably. 2014-06-09 00:54:21 +04:00
Ricardo M. Correia f0cf8f4140 grsecurity: Fix module evaluation 2014-05-22 20:17:34 +02:00
Austin Seipp e31f212f6b nixos/duosec: Add an option to allow TCP forwarding
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-20 02:42:38 -05:00
Austin Seipp 67c309fe75 Fix fallout from 4f27ad14
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-18 07:38:13 -05:00
Austin Seipp 4f27ad14a1 grsec: refactor grsecurity packages
This now provides a handful of different grsecurity kernels for slightly
different 'flavors' of packages. This doesn't change the grsecurity
module to use them just yet, however.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:43 -05:00
Austin Seipp 92abc4c610 kernel: enable AppArmor by default
AppArmor only requires a few patches to the 3.2 and 3.4 kernels in order
to work properly (with the minor catch grsecurity -stable includes the
3.2 patches.) This adds them to the kernel builds by default, removes
features.apparmor (since it's always true) and makes it the default MAC
system.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:09 -05:00
Luca Bruno 1d5d7fdee2 pam: Add logFailures option for adding pam_tally to su 2014-05-14 17:54:21 +02:00
Aristid Breitkreuz 204fc0a397 sudo: env_keep TERMINFO for urxvt 2014-05-04 14:42:16 +02:00
Eelco Dolstra 4353220202 polkit: Remove unnecessary restart
There already is a restart trigger that takes care of this.
2014-04-28 23:57:37 +02:00
Eelco Dolstra 379c8ba237 polkit: Restart using systemctl
The use of pkill is now particularly bad due to containers (it might
kill processes in containers).
2014-04-28 12:38:50 +02:00
Alexander Kjeldaas baf4faeddc Only disable TPM access by rngd when tcsd is enabled. 2014-04-22 14:05:09 +02:00
Alexander Kjeldaas 64311899db Don't let rngd read /dev/tpm0.
Only one process can interact with the TPM module and
that process should be tcsd.  The tpm_rng kernel module
should instead be loaded and /dev/hwrnd be used to
read the TPM random generator.
Also, log which random generator devices are used by
rngd on startup.
2014-04-22 14:05:09 +02:00
Rickard Nilsson 5db9287b7c rtkit: Update from 0.10 to 0.11 2014-04-21 23:22:10 +02:00
Ricardo M. Correia 5d5ca7b260 grsecurity: Update all patches
stable:  3.0-3.2.57-201404131252            -> 3.0-3.2.57-201404182109
test:    3.0-3.13.10-201404141717           -> 3.0-3.14.1-201404201132
vserver: 3.0-3.2.57-vs2.3.2.16-201404131253 -> 3.0-3.2.57-vs2.3.2.16-201404182110
2014-04-21 18:46:41 +02:00
Eelco Dolstra fa9ed04997 Restart polkit if its configuration may have changed 2014-04-19 14:29:02 +02:00
Eelco Dolstra 9f1c9404da Put /var/setuid-wrappers on a tmpfs
This allows all other filesystems to be mounted without the suid
option.
2014-04-19 12:40:09 +02:00
Eelco Dolstra fa1a46a01c setuid-wrapper: Fix broken string comparison 2014-04-19 10:58:30 +02:00
Eelco Dolstra b80e6b27c7 setuid-wrapper: Drop runtime dependency on setuid-wrapper.c 2014-04-19 10:53:17 +02:00
Eelco Dolstra a8aa9f3fd4 setuid-wrapper.c: Remove tabs 2014-04-19 10:53:05 +02:00
Eelco Dolstra 5378da25a0 Apply pam_loginuid before pam_systemd
As recommended by the pam_systemd manpage.
2014-04-17 11:35:18 +02:00
Austin Seipp da6bc44dd7 nixos: transmission improvements
This mostly upgrades transmission, and does some very minor touchups on
AppArmor support.

In particular, there is now no need to ever specify the umask as part of
the settings, as it will be mixed in by default (which is essentially
always what you want). Also, the default configuration is now more
sensible: Downloads are put in /var/lib/transmission/Downloads, and
incomplete files are put in /var/lib/transmission/.incomplete - this
also allows easy use of file syncing probrams, like BitTorrent Sync.

Finally, this unconditionally enables the AppArmor profiles for the
daemon, if AppArmor is enabled - rather than letting the user specify
profile support, it's best to default to supporting profiles for daemons
transparently in all places.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 06:54:51 -05:00
Eelco Dolstra 29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Bjørn Forsman 6fa1ad04da nixos: extend documentation example for security.setuidOwners
Show that it is possible to set custom permission bits.
2014-04-13 12:31:08 +02:00
Austin Seipp 64efd184ed grsecurity: Fix GRKERNSEC_PROC restrictions
Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit
too strict. It doesn't allow a special group (e.g. the grsecurity group
users) to access /proc information - this requires
GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive.

This was also not in line with the default automatic grsecurity
configuration - it actually defaults to USERGROUP (although it has a
default GID of 1001 instead of ours), not USER.

This introduces a new option restrictProcWithGroup - enabled by default
- which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off
restrictProc by default and makes sure both cannot be enabled.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-12 11:16:05 -05:00
Austin Seipp 172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
Austin Seipp 29d46452dd nixos: add Duo Security module
This module adds the security.duosec attributes, which you can use to
enable simple two-factor authentication for NixOS logins.

The module currently provides PAM and SSH support, although the PAM unix
system configuration isn't automatically dealt with (although the
configuration is automatically built).

Enabling it is as easy as saying:

  security.duosec.ssh.enable = true;
  security.duosec.ikey       = "XXXXXXXX...";
  security.duosec.skey       = "XXXXXXXX...";
  security.duosec.host       = "api-XXXXXXX.duosecurity.com";
  security.duosec.group      = "duosec";

which will enforce two-factor authentication for SSH logins for users in
the 'duosec' group.

This requires uid/gid support in the environment.etc module.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-16 07:11:50 -05:00
Eelco Dolstra 9c616e3bf4 Remove /etc/ca-bundle.crt
Applications should use /etc/ssl/certs/ca-bundle.crt instead.
2014-02-11 17:13:36 +01:00
Eelco Dolstra bc56bb7546 polkit: Add some examples 2013-11-18 18:04:17 +01:00
Eelco Dolstra 7ea47df0a4 polkit: Fix authenticating as a wheel user
In Javascript-based PolKit, "unix-user:0;unix-group:wheel" is not
valid; it should be a list "unix-user:0", "unix-group:wheel".
2013-11-18 18:04:17 +01:00
Eelco Dolstra 1ce709ee00 polkit: The rule file needs to end in .rules
Otherwise it's ignored.
2013-11-18 18:04:17 +01:00
Vladimír Čunát 8d14c7baa6 polkit: major update 0.105 -> 0.112
- It now uses JavaScript for configuration (only),
  so I had to "convert" config for NetworkManager.
- I tested suspend/restart/(un)mount on KDE/Xfce,
  Phreedom tested NetworkManager config conversion.
2013-11-09 16:29:18 +01:00
Eelco Dolstra 408b8b5725 Add lots of missing option types 2013-10-30 18:47:43 +01:00
Eelco Dolstra 862e3dd977 Substitute "types.uniq types.string" -> "types.str" 2013-10-30 14:57:42 +01:00
Eelco Dolstra d5047faede Remove uses of the "merge" option attribute
It's redundant because you can (and should) specify an option type, or
an apply function.
2013-10-28 22:45:56 +01:00
Eelco Dolstra ff74d78c9d Allow PAM resource limits to be integers 2013-10-17 15:36:59 +02:00
Eelco Dolstra af8fc748dd Fix PAM resource limits 2013-10-17 15:26:48 +02:00
Eelco Dolstra ae74b0ae58 sshd: Remove the usePAM option
Sshd *must* use PAM because we depend on it for proper session
management.  The original goal of this option (disabling password
logins) can also be implemented by removing pam_auth authentication
from sshd's PAM service.
2013-10-15 15:05:49 +02:00
Eelco Dolstra a2c820c678 Turn security.pam.services into an attribute set
That is, you can say

  security.pam.services.sshd = { options... };

instead of

  security.pam.services = [ { name = "sshd"; options... } ];

making it easier to override PAM settings from other modules.
2013-10-15 14:47:51 +02:00
Domen Kožar 30933abb97 add prey: Proven tracking software that helps you find, lock and recover your devices when stolen or missing 2013-10-14 11:57:48 +02:00
Eelco Dolstra 5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00