Commit Graph

64 Commits

Author SHA1 Message Date
Jeff Slight
d7fcd1dcbf nixos/users: fix users home directory with isNormalUser 2018-10-24 10:38:56 -07:00
Eric Wolf
7f8b1dd32f systemd: added groups kvm, render
they need to exist according to the README of systemd
2018-08-25 05:18:53 +03:00
volth
92b3e8f147 fix build with allowAliases=false 2018-07-23 00:12:23 +00:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
aszlig
99ba1cb424
Increase max group name length to 32 characters
With #36556, a check was introduced to make sure the user and group
names do not exceed their respective maximum length. This is in part
because systemd also enforces that length, but only at runtime.

So in general it's a good idea to catch as much as we can during
evaluation time, however the maximum length of the group name was set to
16 characters according groupadd(8).

The maximum length of the group names however is a compile-time option
and even systemd allows more than 16 characters. In the mentioned pull
request (#36556) there was already a report that this has broken
evaluation for people out there.

I have also checked what other distributions are doing and they set the
length to either 31 characters or 32 characters, the latter being more
common.

Unfortunately there is a difference between the maximum length enforced
by the shadow package and systemd, both for user name lengths and group
name lengths. However, systemd enforces both length to have a maximum of
31 characters and I'm not sure if this is intended or just a off-by-one
error in systemd.

Nevertheless, I choose 32 characters simply to bring it in par with the
maximum user name length.

For the NixOS assertion however, I use a maximum length of 31 to make
sure that nobody accidentally creates services that contain group names
that systemd considers invalid because of a length of 32 characters.

Signed-off-by: aszlig <aszlig@nix.build>
Closes: #38548
Cc: @vcunat, @fpletz, @qknight
2018-04-08 12:51:33 +02:00
Michael Raskin
195521350a
Merge pull request #38111 from oxij/tree/cleanups
assorted cleanups
2018-04-05 07:08:05 +00:00
Joachim Schiele
1b0cb040d9 user/group assertion to not exceed the 32 character limit 2018-03-30 23:43:23 +02:00
Jan Malakhovski
6d7854a9a8 nixos: users-groups: cleanup 2018-03-30 06:40:13 +00:00
Eelco Dolstra
9fc786c3a4
Create /home with the right permissions
Without this, it will be created with 700 permissions.
2018-02-27 20:28:49 +01:00
Eelco Dolstra
cc0caac098
Move creation of /root to the activation script
...so it appears in a new installation before rebooting the system.
2018-02-05 22:12:18 +01:00
Michal Rus
55344df089
users-groups module: use buildEnv in per-user profiles
Resolves #31253
2017-11-05 17:56:31 +01:00
Volth
faac018630 environment.etc: add user/group option
fixes #27546
2017-07-29 23:56:46 +01:00
tv
f46b3a038f users-groups module: add per-user packages 2017-05-12 20:30:22 +02:00
Eric Sagnes
77f572f072 users-groups module: optionSet -> submodule 2016-09-13 12:53:09 +09:00
Profpatsch
56664c5fc6 modules/users-groups: add shell example 2016-06-25 19:41:24 +02:00
zimbatm
31c158ad45 Merge pull request #16189 from zimbatm/usershell-config
User shell config
2016-06-19 23:36:45 +01:00
Joachim Fasting
a53452f3e1
nixos: remove the grsecurity GID
This GID was used to exempt users from Grsecurity's
`/proc` restrictions; we now prefer to rely on
`security.hideProcessInformation`, which uses the `proc` group
for this purpose.  That leaves no use for the grsecurity GID.

More generally, having only a single GID to, presumably, serve as the
default for all of grsecurity's GID based exemption/resriction schemes
would be problematic in any event, so if we decide to enable those
grsecurity features in the future, more specific GIDs should be added.
2016-06-14 03:38:17 +02:00
zimbatm
2974b6f4c8 Use shell packages to select the user's shell
The string type is still available for backward-compatiblity.
2016-06-12 20:35:34 +01:00
Jacob Mitchell
7ce9699a6a Fix package name typo 2016-01-02 12:37:20 -08:00
Eelco Dolstra
5f077e2296 Factor out option renaming
Option aliases/deprecations can now be declared in any NixOS module,
not just in nixos/modules/rename.nix. This is more modular (since it
allows for example grub-related aliases to be declared in the grub
module), and allows aliases outside of NixOS (e.g. in NixOps modules).

The syntax is a bit funky. Ideally we'd have something like:

  options = {
    foo.bar.newOption = mkOption { ... };
    foo.bar.oldOption = mkAliasOption [ "foo" "bar" "newOption" ];
  };

but that's not possible because options cannot define values in
*other* options - you need to have a "config" for that. So instead we
have functions that return a *module*: mkRemovedOptionModule,
mkRenamedOptionModule and mkAliasOptionModule. These can be used via
"imports", e.g.

  imports = [
    (mkAliasOptionModule [ "foo" "bar" "oldOption" ] [ "foo" "bar" "newOption" ]);
  ];

As an added bonus, deprecation warnings now show the file name of the
offending module.

Fixes #10385.
2015-10-14 18:18:47 +02:00
Eelco Dolstra
14321ae243 Rename users.extraUsers -> users.users, users.extraGroup -> users.groups
The "extra" part hasn't made sense for years.
2015-09-02 17:34:23 +02:00
Eelco Dolstra
6e76765795 If !cfg.mutableUsers, require a password or SSH authorized key
Fixes https://github.com/NixOS/nixpkgs/issues/7308
2015-09-02 16:17:33 +02:00
Thomas Strobel
7b6f279142 pam_mount module: integrate pam_mount into PAM of NixOS 2015-07-04 23:42:31 +02:00
William A. Kennington III
ff21171921 Fix references to current-system/sw/sbin 2015-04-01 13:57:36 -07:00
Eelco Dolstra
1002fb6433 Add "input" group
This is required by systemd >= 215.
2015-03-03 20:27:09 +01:00
Domen Kožar
3d7ff07258 fix manual 2015-01-03 16:32:07 +01:00
Domen Kožar
1f523bb23d clarify things about hashed passwords and mutableUsers 2015-01-02 17:32:56 +01:00
Eelco Dolstra
f496c3cbe4 Obsolete security.initialPassword
You can now set users.extraUsers.root.initialHashedPassword instead.
2014-11-03 12:36:56 +01:00
Eelco Dolstra
f8f787b800 Handle initialPassword and initialHashedPassword for !mutableUsers
In this case, they're equivalent to setting ‘password’ and
‘hashedPassword’ (since there is no distinction between an initial and
non-initial user account state).
2014-11-03 12:32:32 +01:00
Eelco Dolstra
1b53a3fcb7 Add initialPassword and initialHashedPassword options
These are like password and hashedPassword, except that they only
apply when the user is initially created.
2014-11-03 12:32:19 +01:00
Longrin Wischnewski
a2c65d447f passwordFile: update description 2014-10-23 04:52:50 +02:00
Rickard Nilsson
a59df1e567 nixos: Add also group.members to group 2014-09-22 19:18:08 +02:00
Eelco Dolstra
624efa4224 Support users-groups.json referring to store paths
Fixes #4016.
2014-09-10 11:50:45 +02:00
Eelco Dolstra
20be024d1b Fix subuid/subgid generation
I don't think we need to filter users with an unset uid, because
mkSubuidEntry/mkSubgidEntry don't references the uid.
2014-09-05 17:40:09 +02:00
Vladimír Čunát
e51f73652d Merge recent master into staging
Hydra: ?compare=1149952

Conflicts:
	nixos/doc/manual/configuration.xml (changed split file)
	nixos/modules/config/users-groups.nix (choosing filterNull instead of inline definition)
	pkgs/development/libraries/readline/readline6.3.nix (auto-solved)
2014-08-30 10:04:02 +02:00
aszlig
e0e65cbf8e
nixos/users-groups: Fix eval on missing uid/gid.
This hopefully fixes a regression introduced by 08b214a.

In bf129a2, it was already fixed for normal uid/gid values and it got
reintroduced by sub-uid/gid-handling again, so I've refactored it a bit
into a filterNull function which takes care of also the filtering
introduced by bf129a2.

I have not tested this extensively, but master is already broken for
systems with `mutableUsers = true` and no uid values set.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-08-29 07:17:19 +02:00
Michael Raskin
1fd14fa415 Merge pull request #3100 from tailhook/new-shadow
Upgrade "shadow" to 4.2.1
2014-08-29 00:42:57 +04:00
Vladimír Čunát
d4e9fd2a90 Merge recent master into staging
Hydra: ?compare=1148749

Conflicts (easy):
	nixos/modules/virtualisation/containers.nix
2014-08-21 15:09:31 +02:00
Matej Cotman
f4b5cd9f3f use mkDefault on root's shell 2014-08-20 21:17:48 +02:00
Eelco Dolstra
a323d146b7 Add user attribute isNormalUser
This is shorthand for setting group, createHome, home, useDefaultShell
and isSystemUser.
2014-08-15 02:16:04 +02:00
Eelco Dolstra
1a75958be5 Unify mutableUsers = { true, false }
With mutableUsers = true, we now ensure that all users and groups that
were created declaratively, are updated or removed
appropriately. Thus, adding a user to users.extraUsers and then
removing it now causes the acoount to be removed from
/etc/passwd. Thus user/group management is fully congruent except that
users and groups that were created imperatively (via useradd/groupadd)
are not touched. We distinguish between declarative and imperative
users/groups by tracking the former in
/var/lib/nixos/declarative-{groups,users}.

With mutableUsers = false, you are now no longer required to specify
UIDs/GIDs for all users. The handling of mutableUsers = true/false is
the same code path; the only difference is that the "false" mode
ignores the existing contents of /etc/{passwd,group}.

The attribute ‘createUser’ is gone. It doesn't really make sense to
specify users that shouldn't be created.
2014-08-15 02:15:29 +02:00
Paul Colomiets
08b214a8f2 First implementation of subuid/subgid manipulation module 2014-08-01 21:27:20 +03:00
Sönke Hahn
089b293019 better error message in case of missing uids 2014-05-28 20:12:53 +08:00
Charles Strahan
5445132f73 fix -G delimiter in call to useradd 2014-05-17 00:45:16 -04:00
Eelco Dolstra
4fc151b5a3 nixos-install: Ask the user to set a root password
This removes the need to have an initially empty root password.
2014-05-09 00:52:02 +02:00
Rob Vermaas
d056d1d37b Fix users.*.extraGroups for users.mutableUsers = true.
(cherry picked from commit eb222923054fdc895ab73ff5d0260c1e1fc689c7)
2014-05-05 15:35:16 +02:00
Eelco Dolstra
05468f9b78 Bring back the isSystemUser option 2014-04-29 10:43:38 +02:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Austin Seipp
172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
Rickard Nilsson
604306c34a Don't add users if createUser is false 2014-04-08 12:36:03 +02:00