3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

83 commits

Author SHA1 Message Date
edef 2e4fb5cf4c nixos/users-groups: don't consider a system with Google OS Login inaccessible
This allows disabling users.mutableUsers without configuring any
authentication mechanisms (passwords, authorized SSH keys) other than
Google OS Login.
2020-07-19 00:28:02 +00:00
adisbladis 5733967290
nixos.users-groups: Set up subuid/subgid mappings for all normal users
This is required by (among others) Podman to run containers in rootless mode.

Other distributions such as Fedora and Ubuntu already set up these mappings.

The scheme with a start UID/GID offset starting at 100000 and increasing in 65536 increments is copied from Fedora.
2020-07-13 13:15:02 +02:00
Raghav Sood 23e259cf7d
nixos/users-groups: fix mkChangedOptionModule for root password hash 2020-07-12 02:06:22 +00:00
rnhmjoj c37347af7e
nixos/users-groups: handle password hashes with special meaning 2020-07-04 12:21:49 +02:00
rnhmjoj 99899e2e46
nixos/users-groups: add assertion for ":" in hashes 2020-07-04 12:21:49 +02:00
rnhmjoj 751c2ed6e4
nixos/users-groups: do not check validity of empty hashes 2020-07-04 12:21:49 +02:00
rnhmjoj 900ae97569
nixos/users-groups: clearly document special hash values
This explanation was contained in the description of
security.initialRootPassword but got lost when it was deprecated
a long ago (f496c3c) and removed.
2020-07-04 12:21:48 +02:00
rnhmjoj a6ed7d4845
nixos/users-groups: remove ancient security.initialRootPassword option
This option has been deprecated for a long time because is redundant
(users.users.root.initialHashedPassword exists).
Moreover, being of type string, it required to handle the special value
"!" separately, instead of using just `null`.
2020-07-04 12:14:37 +02:00
Jörg Thalheim b2aa673d5a
nixos: fix manual build
https://github.com/NixOS/nixpkgs/pull/92240#issuecomment-653740926
2020-07-04 10:23:25 +01:00
Niklas Hambüchen 06b8b96500 docs: Explain how to set password-less logins.
This explains the

    # Allow the user to log in as root without a password.
    users.users.root.initialHashedPassword = "";

that the NixOS installer live systems use in
`profiles/installation-device.nix`.
2020-07-04 02:05:03 +02:00
Profpatsch 517be84135 small treewide: his -> theirs/its
SJW brigade represent. ;)

Co-authored-by: Jan Tojnar <jtojnar@gmail.com>
2020-06-23 16:49:50 +02:00
rnhmjoj 470ce4784e
nixos/users: validate password hashes 2020-06-15 20:08:36 +02:00
Silvan Mosberger 4ee3e8b21d
nixos/treewide: Move rename.nix imports to their respective modules
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
2019-12-10 02:51:19 +01:00
Drew 6445a7cf7d users-groups: fix typo
Fix typo in the ``users.users.<name>.packages`` option description.
2019-10-23 20:49:15 +02:00
Vladimír Čunát f21211ebfe
Merge branch 'master' into staging 2019-09-02 23:25:24 +02:00
Silvan Mosberger 478e7184f8
nixos/modules: Remove all usages of types.string
And replace them with a more appropriate type

Also fix up some minor module problems along the way
2019-08-31 18:19:00 +02:00
volth 35d68ef143 treewide: remove redundant quotes 2019-08-26 21:40:19 +00:00
Tobias Happ 33c834f2fb environment.profiles: fix order of profiles
This change is needed because the order of profiles correlate to the
order in PATH, therefore "/etc/profiles/per-user/$USER" always appeared
after the system packages directories.
2019-08-10 10:28:12 +02:00
volth bb9557eb7c lib.makePerlPath -> perlPackages.makePerlPath 2018-12-15 03:50:31 +00:00
Jeff Slight d7fcd1dcbf nixos/users: fix users home directory with isNormalUser 2018-10-24 10:38:56 -07:00
Eric Wolf 7f8b1dd32f systemd: added groups kvm, render
they need to exist according to the README of systemd
2018-08-25 05:18:53 +03:00
volth 92b3e8f147 fix build with allowAliases=false 2018-07-23 00:12:23 +00:00
volth 2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
aszlig 99ba1cb424
Increase max group name length to 32 characters
With #36556, a check was introduced to make sure the user and group
names do not exceed their respective maximum length. This is in part
because systemd also enforces that length, but only at runtime.

So in general it's a good idea to catch as much as we can during
evaluation time, however the maximum length of the group name was set to
16 characters according groupadd(8).

The maximum length of the group names however is a compile-time option
and even systemd allows more than 16 characters. In the mentioned pull
request (#36556) there was already a report that this has broken
evaluation for people out there.

I have also checked what other distributions are doing and they set the
length to either 31 characters or 32 characters, the latter being more
common.

Unfortunately there is a difference between the maximum length enforced
by the shadow package and systemd, both for user name lengths and group
name lengths. However, systemd enforces both length to have a maximum of
31 characters and I'm not sure if this is intended or just a off-by-one
error in systemd.

Nevertheless, I choose 32 characters simply to bring it in par with the
maximum user name length.

For the NixOS assertion however, I use a maximum length of 31 to make
sure that nobody accidentally creates services that contain group names
that systemd considers invalid because of a length of 32 characters.

Signed-off-by: aszlig <aszlig@nix.build>
Closes: #38548
Cc: @vcunat, @fpletz, @qknight
2018-04-08 12:51:33 +02:00
Michael Raskin 195521350a
Merge pull request #38111 from oxij/tree/cleanups
assorted cleanups
2018-04-05 07:08:05 +00:00
Joachim Schiele 1b0cb040d9 user/group assertion to not exceed the 32 character limit 2018-03-30 23:43:23 +02:00
Jan Malakhovski 6d7854a9a8 nixos: users-groups: cleanup 2018-03-30 06:40:13 +00:00
Eelco Dolstra 9fc786c3a4
Create /home with the right permissions
Without this, it will be created with 700 permissions.
2018-02-27 20:28:49 +01:00
Eelco Dolstra cc0caac098
Move creation of /root to the activation script
...so it appears in a new installation before rebooting the system.
2018-02-05 22:12:18 +01:00
Michal Rus 55344df089
users-groups module: use buildEnv in per-user profiles
Resolves #31253
2017-11-05 17:56:31 +01:00
Volth faac018630 environment.etc: add user/group option
fixes #27546
2017-07-29 23:56:46 +01:00
tv f46b3a038f users-groups module: add per-user packages 2017-05-12 20:30:22 +02:00
Eric Sagnes 77f572f072 users-groups module: optionSet -> submodule 2016-09-13 12:53:09 +09:00
Profpatsch 56664c5fc6 modules/users-groups: add shell example 2016-06-25 19:41:24 +02:00
zimbatm 31c158ad45 Merge pull request #16189 from zimbatm/usershell-config
User shell config
2016-06-19 23:36:45 +01:00
Joachim Fasting a53452f3e1
nixos: remove the grsecurity GID
This GID was used to exempt users from Grsecurity's
`/proc` restrictions; we now prefer to rely on
`security.hideProcessInformation`, which uses the `proc` group
for this purpose.  That leaves no use for the grsecurity GID.

More generally, having only a single GID to, presumably, serve as the
default for all of grsecurity's GID based exemption/resriction schemes
would be problematic in any event, so if we decide to enable those
grsecurity features in the future, more specific GIDs should be added.
2016-06-14 03:38:17 +02:00
zimbatm 2974b6f4c8 Use shell packages to select the user's shell
The string type is still available for backward-compatiblity.
2016-06-12 20:35:34 +01:00
Jacob Mitchell 7ce9699a6a Fix package name typo 2016-01-02 12:37:20 -08:00
Eelco Dolstra 5f077e2296 Factor out option renaming
Option aliases/deprecations can now be declared in any NixOS module,
not just in nixos/modules/rename.nix. This is more modular (since it
allows for example grub-related aliases to be declared in the grub
module), and allows aliases outside of NixOS (e.g. in NixOps modules).

The syntax is a bit funky. Ideally we'd have something like:

  options = {
    foo.bar.newOption = mkOption { ... };
    foo.bar.oldOption = mkAliasOption [ "foo" "bar" "newOption" ];
  };

but that's not possible because options cannot define values in
*other* options - you need to have a "config" for that. So instead we
have functions that return a *module*: mkRemovedOptionModule,
mkRenamedOptionModule and mkAliasOptionModule. These can be used via
"imports", e.g.

  imports = [
    (mkAliasOptionModule [ "foo" "bar" "oldOption" ] [ "foo" "bar" "newOption" ]);
  ];

As an added bonus, deprecation warnings now show the file name of the
offending module.

Fixes #10385.
2015-10-14 18:18:47 +02:00
Eelco Dolstra 14321ae243 Rename users.extraUsers -> users.users, users.extraGroup -> users.groups
The "extra" part hasn't made sense for years.
2015-09-02 17:34:23 +02:00
Eelco Dolstra 6e76765795 If !cfg.mutableUsers, require a password or SSH authorized key
Fixes https://github.com/NixOS/nixpkgs/issues/7308
2015-09-02 16:17:33 +02:00
Thomas Strobel 7b6f279142 pam_mount module: integrate pam_mount into PAM of NixOS 2015-07-04 23:42:31 +02:00
William A. Kennington III ff21171921 Fix references to current-system/sw/sbin 2015-04-01 13:57:36 -07:00
Eelco Dolstra 1002fb6433 Add "input" group
This is required by systemd >= 215.
2015-03-03 20:27:09 +01:00
Domen Kožar 3d7ff07258 fix manual 2015-01-03 16:32:07 +01:00
Domen Kožar 1f523bb23d clarify things about hashed passwords and mutableUsers 2015-01-02 17:32:56 +01:00
Eelco Dolstra f496c3cbe4 Obsolete security.initialPassword
You can now set users.extraUsers.root.initialHashedPassword instead.
2014-11-03 12:36:56 +01:00
Eelco Dolstra f8f787b800 Handle initialPassword and initialHashedPassword for !mutableUsers
In this case, they're equivalent to setting ‘password’ and
‘hashedPassword’ (since there is no distinction between an initial and
non-initial user account state).
2014-11-03 12:32:32 +01:00
Eelco Dolstra 1b53a3fcb7 Add initialPassword and initialHashedPassword options
These are like password and hashedPassword, except that they only
apply when the user is initially created.
2014-11-03 12:32:19 +01:00
Longrin Wischnewski a2c65d447f passwordFile: update description 2014-10-23 04:52:50 +02:00