1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-28 08:31:59 +00:00
Commit graph

32 commits

Author SHA1 Message Date
Jörg Thalheim 53d0dc6638
Merge pull request #51270 from aneeshusa/enable-setuid-wrapper-for-chsh
nixos/shadow: create setuid wrapper for chsh
2020-06-02 10:50:31 +01:00
rnhmjoj 1d61efb7f1 treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
Silvan Mosberger 23d920c8f0
nixos/users: Increase maximum system uid/gid from 499 to 999
This enlarges the system uid/gid range 6-fold, from 100 to 600 ids. This
is a preventative measure against running out of dynamically allocated
ids for NixOS services with isSystemUser, which should become the
preferred way of allocating uids for non-real users.
2019-10-14 01:59:19 +02:00
Aneesh Agrawal 925b028f17 nixos/shadow: create setuid wrapper for chsh
This allows non-declarative users to change their login shells.
https://github.com/NixOS/nixpkgs/pull/41966 will make this possible
for declarative users as well if the system config explicitly allows it.
2019-04-07 15:12:39 -07:00
Jesper Geertsen Jonsson 8c0558dbb2 sg/newgrp should always be available, not chfn
sg and newgrp only changes the current user session and should be
available to users even if the "users.mutableUsers" option is set.
These are common, useful commands.

chfn does modify the /etc/passwd GECOS field which is also controlled
by the option "users.users.<name?>.description", so it's less
appropriate to make it available when "users.mutableUsers" is set.

However, because CHFN_RESTRICT in login.defs is never set in current
NixOS the chfn functionality is never available to users anyway and
may as well have its SUID disabled, as only root is able to use it.
This is recommended in the chfn man page in this case.
2018-01-14 20:54:40 +01:00
Parnell Springmeyer 264db4e309
Set merge + mkIf always surprises me 2017-01-29 17:10:32 -06:00
Parnell Springmeyer 9f82c9903d
More fixes 2017-01-29 05:44:29 -06:00
Parnell Springmeyer e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Parnell Springmeyer bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Eelco Dolstra 98102ebd92 Enable the runuser command from util-linux
Fixes #14701.
2016-09-06 17:23:27 +02:00
Parnell Springmeyer 1f9494b752 Need to create a new build to see why it's failing 2016-09-01 19:47:41 -05:00
Parnell Springmeyer d60581d4d6 Resolving that silly bad argument error. 2016-09-01 19:26:54 -05:00
Parnell Springmeyer 98c058a1ee Adapting everything for the merged permissions wrappers work. 2016-09-01 19:21:06 -05:00
Parnell Springmeyer 390ab0b3ef everything?: Updating every package that depended on the old setuidPrograms configuration. 2016-09-01 19:17:43 -05:00
Benno Fünfstück 51b165c7d2 nixos/shadow: setuid wrappers for new{uid,gid}map
These utils are not related to user management, so they should be
available even if immutable users are enabled.
2016-08-19 14:59:33 +02:00
zimbatm 2974b6f4c8 Use shell packages to select the user's shell
The string type is still available for backward-compatiblity.
2016-06-12 20:35:34 +01:00
Joachim Fasting 75ab7bf960 nixos: condition shadow setuid-wrappers on mutableUsers
Having junk setuid wrappers in PATH is annoying.
2015-04-14 00:27:11 +02:00
obadz be7f104502 sg: add setuid wrapper. (newgrp is a symlink to sg and was already setuid).
sudo: add ability for wheel users to change group (as well as user)
2015-03-30 23:50:45 +01:00
Michael Raskin 419031bcfc Merge pull request #2644 from lethalman/pam_tally
pam: Add logFailures option for adding pam_tally to su
2014-09-02 00:58:30 +04:00
Paul Colomiets fb948c4f28 Upgrade shadow package 2014-08-01 21:19:21 +03:00
Shea Levy b3cfb9084b Get all lib functions from lib, not pkgs.lib, in modules 2014-07-02 12:28:18 -04:00
aszlig 3e64126344
nixos/shadow: Add an example for defaultUserShell.
Thanks to @devhell for the suggestion.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-06-19 01:51:33 +02:00
Luca Bruno 1d5d7fdee2 pam: Add logFailures option for adding pam_tally to su 2014-05-14 17:54:21 +02:00
Eelco Dolstra 0e23a175de Allocate system uids/gids between 400 and 500
Previously it was between 100 and 500, but this can already collide
with the static uids/guid in misc/ids.nix.
2014-04-29 10:45:06 +02:00
Eelco Dolstra 29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Peter Simons ad65a1e064 Revert "nixos: fix shell on conatiners"
This reverts commit c69577b7d6.
See https://github.com/NixOS/nixpkgs/pull/2198 for further details.
2014-04-11 12:07:00 +02:00
Jaka Hudoklin c69577b7d6 nixos: fix shell on conatiners 2014-04-10 12:28:09 +02:00
Rickard Nilsson 03ee174032 Only add shadow to system packages if users.mutableUsers is true 2014-02-05 15:56:51 +01:00
Rickard Nilsson eb2f44c18c Generate /etc/passwd and /etc/group at build time
This is a rather large commit that switches user/group creation from using
useradd/groupadd on activation to just generating the contents of /etc/passwd
and /etc/group, and then on activation merging the generated files with the
files that exist in the system. This makes the user activation process much
cleaner, in my opinion.

The users.extraUsers.<user>.uid and users.extraGroups.<group>.gid must all be
properly defined (if <user>.createUser is true, which it is by default). My
pull request adds a lot of uids/gids to config.ids to solve this problem for
existing nixos services, but there might be configurations that break because
this change. However, this will be discovered during the build.

Option changes introduced by this commit:

* Remove the options <user>.isSystemUser and <user>.isAlias since
they don't make sense when generating /etc/passwd statically.

* Add <group>.members as a complement to <user>.extraGroups.

* Add <user>.passwordFile for setting a user's password from an encrypted
(shadow-style) file.

* Add users.mutableUsers which is true by default. This means you can keep
managing your users as previously, by using useradd/groupadd manually. This is
accomplished by merging the generated passwd/group file with the existing files
in /etc on system activation. The merging of the files is simplistic. It just
looks at the user/group names. If a user/group exists both on the system and
in the generated files, the system entry will be kept un-changed and the
generated entries will be ignored. The merging itself is performed with the
help of vipw/vigr to properly lock the account files during edit.
If mutableUsers is set to false, the generated passwd and group files will not
be merged with the system files on activation. Instead they will simply replace
the system files, and overwrite any changes done on the running system. The
same logic holds for user password, if the <user>.password or
<user>.passwordFile options are used. If mutableUsers is false, password will
simply be replaced on activation. If true, the initial user passwords will be
set according to the configuration, but existing passwords will not be touched.

I have tested this on a couple of different systems and it seems to work fine
so far. If you think this is a good idea, please test it. This way of adding
local users has been discussed in issue #103 (and this commit solves that
issue).
2014-02-05 15:56:51 +01:00
Eelco Dolstra 408b8b5725 Add lots of missing option types 2013-10-30 18:47:43 +01:00
Eelco Dolstra a2c820c678 Turn security.pam.services into an attribute set
That is, you can say

  security.pam.services.sshd = { options... };

instead of

  security.pam.services = [ { name = "sshd"; options... } ];

making it easier to override PAM settings from other modules.
2013-10-15 14:47:51 +02:00
Eelco Dolstra 5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00
Renamed from modules/programs/shadow.nix (Browse further)