mirrors/nixpkgs
1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-19 04:02:10 +00:00
Code Issues Wiki Activity
89351 commits 276 branches 124 tags 6.1 GiB
Commit graph

177 commits

Author SHA1 Message Date
Dan Peebles 63bfe20b72 security.audit: add NixOS module 
Part of the way towards #11864. We still don't have the auditd
userland logging daemon, but journald also tracks audit logs so we
can already use this.
 2016-01-07 03:06:10 +00:00
Vladimír Čunát f9f6f41bff Merge branch 'master' into closure-size 
TODO: there was more significant refactoring of qtbase and plasma 5.5
on master, and I'm deferring pointing to correct outputs to later.
 2015-12-31 09:53:02 +01:00
Nikolay Amiantov 5250582396 nixos/acme: fix timer unit 2015-12-13 17:01:59 +03:00
Franz Pletz 1685b9d06e nixos/acme: Add module documentation 2015-12-12 16:06:53 +01:00
Franz Pletz 9374ddb895 nixos/acme: validMin & renewInterval aren't cert-specific 2015-12-12 16:06:53 +01:00
Franz Pletz 0517d59a66 nixos/acme: Improve documentation 2015-12-12 16:06:52 +01:00
Franz Pletz de24b00d41 nixos/simp_le: Rename to security.acme 2015-12-12 16:06:52 +01:00
Luca Bruno 31ed92f65f Fix system-path with multiout 2015-12-01 15:09:41 +01:00
Luca Bruno 920b1d3591 Merge branch 'master' into closure-size 2015-11-29 16:50:26 +01:00
Luca Bruno 07a0204282 nixos/polkit: fix systemd service after spiltting 2015-11-26 18:14:22 +01:00
obadz a05a340e26 PAM: reorganize the way pam_ecryptfs and pam_mount get their password 
Run pam_unix an additional time rather than switching it from sufficient
to required. This fixes a potential security issue for
ecryptfs/pam_mount users as with pam_deny gone, if cfg.unixAuth = False
then it is possible to login without a password.
 2015-11-21 21:10:40 +00:00
Tuomas Tynkkynen d5c9e1aebe nixos/polkit: Reference correct output of polkit 2015-10-28 10:17:10 +01:00
Vladimír Čunát 2490848627 polkit: split dev and bin outputs 2015-10-14 14:32:26 +02:00
Tuomas Tynkkynen 1ac0e05f69 nixos/setuid-wrappers: Build with normal mkDerivation phases 
This way the binary gets stripped & rpath-shrinked etc. as usual.
We'd seem to get a runtime reference to gcc otherwise.
 2015-10-03 14:08:55 +02:00
Vladimír Čunát 5227fb1dd5 Merge commit staging+systemd into closure-size 
Many non-conflict problems weren't (fully) resolved in this commit yet.
 2015-10-03 13:33:37 +02:00
Jan Malakhovski 6eadb16022 nixos: fix some types 2015-09-18 18:48:50 +00:00
Tobias Geerinckx-Rice c90eb862fc nixos: prey module: fix option descriptions 2015-09-06 23:50:03 +02:00
Jaka Hudoklin c7bb64cb97 Merge pull request #7344 from joachifm/apparmor-pam 
nixos: add AppArmor PAM support
 2015-08-29 18:59:53 +02:00
obadz 172522e153 ecryptfs: 
- upgrade 106 -> 108
- fix passphrase rewrapper (password changing should now work fine) as
  discussed on https://bugs.launchpad.net/ecryptfs/+bug/1486470
- add lsof dependency so ecryptfs-migrate-home should work out of the
  box
 2015-08-19 12:16:57 +01:00
Joachim Fasting 2e0933787b nixos: add AppArmor PAM support 
Enables attaching AppArmor profiles at the user/group level.

This is not intended to be used directly, but as part of a
role-based access control scheme. For now, profile attachment
is 'session optional', but should be changed to 'required' once
a more comprehensive solution is in place.
 2015-07-15 12:40:06 +02:00
William A. Kennington III d605663ae2 Merge branch 'master.upstream' into staging.upstream 2015-07-05 13:06:02 -07:00
Thomas Strobel 7b6f279142 pam_mount module: integrate pam_mount into PAM of NixOS 2015-07-04 23:42:31 +02:00
William A. Kennington III 8e19ac8d7c Merge branch 'master.upstream' into staging.upstream 2015-06-17 11:57:40 -07:00
Eelco Dolstra 6e6a96d42c Some more type cleanup 2015-06-15 18:18:46 +02:00
William A. Kennington III 9d6555dc0a Merge branch 'master.upstream' into staging.upstream 2015-06-06 12:04:42 -07:00
William A. Kennington III ffd0539eba cacert: store ca-bundle.crt in $out/etc/ssl/certs instead of $out 2015-06-05 13:00:52 -07:00
William A. Kennington III 867d2c5c46 openssl: Remove References to OPENSSL_X509_CERT_FILE 2015-05-31 15:50:51 -07:00
William A. Kennington III d6cbb061e3 cacert: Build directly from nss instead of our own tarball 2015-05-29 13:52:07 -07:00
Ricardo M. Correia aa75bb25d8 grsecurity: Update stable and test patches 
stable: 3.1-3.14.41-201505072056 -> 3.1-3.14.41-201505101121
test:   3.1-4.0.2-201505072057   -> 3.1-4.0.2-201505101122
 2015-05-11 02:45:38 +02:00
Vladimír Čunát 3b9ef2c71b fix "libc}/lib" and similar references 
Done mostly without any verification.
I didn't bother with libc}/include, as the path is still correct.
 2015-05-05 11:52:08 +02:00
Philip Potter 2216728979 add support for pam_u2f to nixos pam module 
This adds support for authenticating using a U2F device such as a
yubikey neo.
 2015-05-03 19:22:00 +01:00
Austin Seipp 8d3b8d0dc8 Merge pull request #7149 from joachifm/grsec-gradm-optional 
grsecurity module: configure gradm iff RBAC is enabled
 2015-04-13 17:11:29 -05:00
Austin Seipp b86f6a3ed6 Merge pull request #7148 from joachifm/grsec-trivial 
grsecurity module: trivial improvements
 2015-04-13 17:10:47 -05:00
Nicolas B. Pierron 6de931a0f8 Merge rename.nix changes. 2015-04-03 23:12:12 +02:00
Arseniy Seroka 8592c6c004 Merge pull request #7150 from joachifm/grsec-types 
grsecurity module: use types.enum
 2015-04-03 16:03:49 +03:00
Joachim Fasting 3e847d512d grsecurity module: configure gradm iff RBAC is enabled 2015-04-03 13:45:57 +02:00
Joachim Fasting ba93a75724 grsecurity module: use types.enum 
Also
- set desktop as default system
- make virtualisationSoftware nullOr
- make virtualisationConfig nullOr
 2015-04-03 13:45:45 +02:00
Joachim Fasting 66c4f51046 grsecurity module: simplify assertion 2015-04-03 13:38:32 +02:00
Joachim Fasting 2e88605a91 grsecurity module: remove reference to systemd-sysctl 
First, that's not what the service is called, and secondly it's
most likely irrelevant to the user.
 2015-04-03 13:38:32 +02:00
Arseniy Seroka 4fa554e32b Merge pull request #7017 from obadz/sg+sudo-g 
Ability to switch groups with sg and sudo -g
 2015-04-02 02:11:10 +03:00
obadz be7f104502 sg: add setuid wrapper. (newgrp is a symlink to sg and was already setuid). 
sudo: add ability for wheel users to change group (as well as user)
 2015-03-30 23:50:45 +01:00
Austin Seipp 3ff22a924f Merge pull request #6871 from joachifm/apparmor-fixups 
Apparmor fixups
 2015-03-20 15:36:42 -05:00
Joachim Fasting 532337d673 Cleanup AppArmor module 
Remove excessive whitespace & comment sections
 2015-03-18 12:07:43 +01:00
Austin Seipp ef95600372 Merge pull request #6771 from joachifm/apparmor-2.9 
Apparmor 2.9
 2015-03-15 14:16:24 -05:00
Ricardo M. Correia 7c8247a8c5 grsecurity: Update stable and test patches 
stable: 3.1-3.14.35-201503071140 -> 3.1-3.14.35-201503092203
test:   3.1-3.18.9-201503071142  -> 3.1-3.19.1-201503122205
 2015-03-15 03:49:58 +01:00
Shea Levy 1d62ad4746 modules.nix: Generate the extra argument set from the configuration 
This allows for module arguments to be handled modularly, in particular
allowing the nixpkgs module to handle the nixpkgs import internally.
This creates the __internal option namespace, which should only be added
to by the module system itself.
 2015-03-12 23:42:57 +01:00
Joachim Fasting 7a9a24a95e Update AppArmor service module 
- Use AppArmor 2.9
- Enable PAM support
 2015-03-12 11:49:05 +01:00
obadz e5d4624420 PAM/eCryptfs now able to mount ecryptfs'd home directories on login 2015-03-08 16:03:51 -07:00
lethalman c97d7819ab Merge pull request #6624 from joachifm/grsec-lock 
nixos: grsec-lock service fixes
 2015-03-02 18:49:39 +01:00
Joachim Fasting 18320d3b21 nixos: fix grsec-lock requires 2015-03-02 18:39:04 +01:00
Joachim Fasting ccd6f5a313 nixos: make the grsec-lock unit depend on the path it writes to 
The grsec-lock unit fails unless /proc/sys/kernel/grsecurity/grsec_lock
exists and so prevents switching into a new configuration after enabling
grsecurity.sysctl.
 2015-03-02 18:39:01 +01:00
Lluís Batlle i Rossell b26e939111 fix pam (OATH related) 
the pam config was wrong.

Issue #6551
 2015-02-24 17:52:41 +01:00
Lluís Batlle i Rossell 4e99901961 nixos: Adding OATH in pam. 
(cherry picked from commit cb3cba54a1)

Conflicts:
	nixos/modules/security/pam.nix
 2015-02-22 15:25:38 +01:00
Eelco Dolstra 5092d625d6 /etc/ssl/certs/ca-bundle.crt -> ca-certificates.crt 
Even though there is no "official" standard location, it's better to
stick to what most distros are using.
 2015-02-15 19:06:31 +01:00
Eelco Dolstra 75e1b5e317 Provide symlinks to ca-bundle.crt for compat with other distros 
There is no "standard" location for the certificate bundle, so many
programs/libraries have various hard-coded default locations that
don't exist on NixOS. To make these more likely to work, provide
some symlinks.
 2015-02-15 19:06:31 +01:00
Eelco Dolstra d2bfb5ceb0 Add options for installing additional root certificates 2015-02-05 18:08:35 +01:00
Ricardo M. Correia a11dc2f0a3 grsecurity: Add denyUSB option to grsec NixOS module 
The option had been added to the grsec build-support code,
but it hadn't been added to the grsec module.

After this commit, grsec module users will be able to change
the default value. It also serves to document that this option
exists and that NixOS will disable it by default.
 2015-01-20 19:18:06 +01:00
Luca Bruno 804a958663 pam: add pam_wheel 2015-01-14 18:32:08 +01:00
Shea Levy cca8bae86e Merge branch 'rngd-fix' of git://github.com/abbradar/nixpkgs 2015-01-08 09:36:29 -05:00
Nikolay Amiantov dbc0395b2b nixos/rngd: some fixes 2015-01-06 17:27:07 +03:00
Nikolay Amiantov a164a0b4c5 nixos/fprintd: add service and pam support 2015-01-03 19:50:40 +03:00
Tobias Geerinckx-Rice c64257b8e5 Fix user-facing typos (mainly in descriptions) 2014-12-30 03:31:03 +01:00
Ricardo M. Correia 1d44322d53 grsecurity: Update stable and test patches 
stable: 3.0-3.14.27-201412211908 -> 3.0-3.14.27-201412280859
test:   3.0-3.17.7-201412211910  -> 3.0-3.18.1-201412281149
 2014-12-29 03:00:47 +01:00
Eelco Dolstra 89697b0fc1 Improve /etc/sudoers message 2014-12-18 11:51:42 +01:00
wmertens 3cecef15d7 Revert $GIT_SSL_CAINFO removal 
Users have an older git in their user environment and it doesn't work without it. We should keep it around for a while.
 2014-12-01 23:07:50 +01:00
wmertens 45c1b9147f Merge pull request #5130 from wmertens/git-ssl-env 
Let git use $SSL_CERT_FILE
 2014-11-27 13:24:08 +01:00
Wout Mertens 72b81cf8bb Remove unnecessary $GIT_SSL_CAINFO from sys env 2014-11-26 00:30:07 +01:00
Ricardo M. Correia 389143d808 grsecurity: Update assertion msg to correct major kernel versions 2014-11-16 18:52:39 +01:00
Mathijs Kwik f356cee747 sudo: allow adding extra configuration options to the bottom of sudoers 
from sudoers (5):
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
 2014-11-02 13:27:05 +01:00
Ricardo M. Correia 10348a0f2c grsecurity: Update documentation to mention correct kernels 2014-10-22 16:50:36 +02:00
Eelco Dolstra bb9ee6a13f Remove some setuid wrappers for non-standard programs 2014-09-05 14:46:36 +02:00
Eelco Dolstra cd7129a037 Revert "nixos: add setuid wrappers for some networked filesystems' helpers" 
This reverts commit 26a4001a98. It
breaks the NFS test:

  http://hydra.nixos.org/build/13943148

Also, having more setuid programs is a bad thing security-wise.
 2014-09-05 14:43:11 +02:00
Michael Raskin 419031bcfc Merge pull request #2644 from lethalman/pam_tally 
pam: Add logFailures option for adding pam_tally to su
 2014-09-02 00:58:30 +04:00
Jan Malakhovski 26a4001a98 nixos: add setuid wrappers for some networked filesystems' helpers 
So that `user` mount option would work allowing normal users to mount
and umount stuff marked with it in `fileSystems.<name>.options`.
 2014-09-01 10:33:48 +04:00
Jan Malakhovski 8f50d803ef nixos: add support for mkhomedir in PAM 2014-09-01 10:33:48 +04:00
Eelco Dolstra 785ed2b528 Don't silently ignore errors from the activation script 2014-08-15 02:14:34 +02:00
Vladimír Čunát 87c3c0e885 Merge master into #2129 
Conflicts (easy, just UID shifted):
	nixos/modules/misc/ids.nix
	nixos/modules/module-list.nix
 2014-08-12 19:24:08 +02:00
Eelco Dolstra 36f99a9a82 Set $SSL_CERT_FILE 
It's more standard than $OPENSSL_X509_CERT_FILE (which I guess was a
totally unnecessary patch to OpenSSL). Since curl respects
$SSL_CERT_FILE, it's no longer needed to set $CURL_CA_BUNDLE. Git
unfortunately doesn't.
 2014-07-28 19:09:32 +02:00
Rastus Vernon d5daa8ae6f Fix repeated typo 
"Can either by" should be "Can either be". There are three occurrences of this mistake, all in descriptions of configuration options.
 2014-07-11 23:14:53 -04:00
Jaka Hudoklin 16f801cba9 nixos/pam: make pam_loginuid optional if in container 2014-06-30 11:08:39 +02:00
Austin Seipp 0399c5ee24 grsecurity: update stable/testing kernels, refactoring 
This updates the new stable kernel to 3.14, and the new testing kernel
to 3.15.

This also removes the vserver kernel, since it's probably not nearly as
used.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
 2014-06-22 22:29:10 -05:00
William A. Kennington III ef4ea24420 sudo: Always keepVisudo in order to simplify sudo build 2014-06-17 22:41:32 -05:00
Ricardo M. Correia f8e108c865 nixos.tests.installer: Fix test failures due to network being disabled 2014-06-17 18:41:26 +02:00
Eelco Dolstra f5055e2ef6 Rename environment.systemVariables -> environment.sessionVariables 
This makes it clearer that they're part of PAM sessions.
 2014-06-13 17:57:04 +02:00
Eelco Dolstra 8ae659f16c Revert "Revert "Merge #2692: Use pam_env to properly setup system-wide env"" 
This reverts commit 491c088731.
 2014-06-10 13:07:10 +02:00
Eelco Dolstra 491c088731 Revert "Merge #2692: Use pam_env to properly setup system-wide env" 
This reverts commit 18a0cdd864.
 2014-06-10 13:03:44 +02:00
Vladimír Čunát 18a0cdd864 Merge #2692: Use pam_env to properly setup system-wide env 2014-06-10 11:42:59 +02:00
Michael Raskin e68a5b265a Enable checking sudoers syntax. Fixes #2850, probably. 2014-06-09 00:54:21 +04:00
Ricardo M. Correia f0cf8f4140 grsecurity: Fix module evaluation 2014-05-22 20:17:34 +02:00
Austin Seipp e31f212f6b nixos/duosec: Add an option to allow TCP forwarding 
Signed-off-by: Austin Seipp <aseipp@pobox.com>
 2014-05-20 02:42:38 -05:00
Austin Seipp 67c309fe75 Fix fallout from 4f27ad14 
Signed-off-by: Austin Seipp <aseipp@pobox.com>
 2014-05-18 07:38:13 -05:00
Austin Seipp 4f27ad14a1 grsec: refactor grsecurity packages 
This now provides a handful of different grsecurity kernels for slightly
different 'flavors' of packages. This doesn't change the grsecurity
module to use them just yet, however.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
 2014-05-17 14:09:43 -05:00
Austin Seipp 92abc4c610 kernel: enable AppArmor by default 
AppArmor only requires a few patches to the 3.2 and 3.4 kernels in order
to work properly (with the minor catch grsecurity -stable includes the
3.2 patches.) This adds them to the kernel builds by default, removes
features.apparmor (since it's always true) and makes it the default MAC
system.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
 2014-05-17 14:09:09 -05:00
Luca Bruno 1d5d7fdee2 pam: Add logFailures option for adding pam_tally to su 2014-05-14 17:54:21 +02:00
Aristid Breitkreuz 204fc0a397 sudo: env_keep TERMINFO for urxvt 2014-05-04 14:42:16 +02:00
Eelco Dolstra 4353220202 polkit: Remove unnecessary restart 
There already is a restart trigger that takes care of this.
 2014-04-28 23:57:37 +02:00
Eelco Dolstra 379c8ba237 polkit: Restart using systemctl 
The use of pkill is now particularly bad due to containers (it might
kill processes in containers).
 2014-04-28 12:38:50 +02:00
Alexander Kjeldaas baf4faeddc Only disable TPM access by rngd when tcsd is enabled. 2014-04-22 14:05:09 +02:00
Alexander Kjeldaas 64311899db Don't let rngd read /dev/tpm0. 
Only one process can interact with the TPM module and
that process should be tcsd.  The tpm_rng kernel module
should instead be loaded and /dev/hwrnd be used to
read the TPM random generator.
Also, log which random generator devices are used by
rngd on startup.
 2014-04-22 14:05:09 +02:00
Rickard Nilsson 5db9287b7c rtkit: Update from 0.10 to 0.11 2014-04-21 23:22:10 +02:00