Merge pull request #18365 from NixOS/fix-sshd-failure

Make /var/empty immutable (with chattr +i)
2016-09-07 11:18:49 +02:00 · 2016-09-07 11:18:49 +02:00 · 70be99c645
commit 70be99c645
parent 4a265a68bd 8f95e6f6aa
1 changed files with 14 additions and 7 deletions
--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@ -12,11 +12,13 @@ let
    '';
  });

-  path = map getBin
-    [ pkgs.coreutils pkgs.gnugrep pkgs.findutils
-      pkgs.glibc # needed for getent
-      pkgs.shadow
-      pkgs.nettools # needed for hostname
+  path = with pkgs; map getBin
+    [ coreutils
+      gnugrep
+      findutils
+      glibc # needed for getent
+      shadow
+      nettools # needed for hostname
    ];

 in
@ -137,8 +139,13 @@ in

        mkdir -m 1777 -p /var/tmp

-        # Empty, read-only home directory of many system accounts.
-        mkdir -m 0555 -p /var/empty
+        # Empty, immutable home directory of many system accounts.
+        mkdir -p /var/empty
+        # Make sure it's really empty
+        ${pkgs.e2fsprogs}/bin/chattr -i /var/empty
+        find /var/empty -mindepth 1 -delete
+        chmod 0555 /var/empty
+        ${pkgs.e2fsprogs}/bin/chattr +i /var/empty
      '';

    system.activationScripts.usrbinenv = if config.environment.usrbinenv != null