Commit Graph

164417 Commits

Author SHA1 Message Date
Florian Klink
706efadcb6 nixos/modules/virtualisation/google-compute-config.nix: remove google-accounts-daemon
Use googleOsLogin for login instead.
This allows setting users.mutableUsers back to false, and to strip the
security.sudo.extraConfig.

security.sudo.enable is default anyhow, so we can remove that as well.
2018-12-21 17:52:37 +01:00
Florian Klink
0f46188ca1 nixos/tests: add google-oslogin test 2018-12-21 17:52:37 +01:00
Florian Klink
04f3562fc4 config.nsswitch: load cache_oslogin and oslogin nss modules if config.security.googleOsLogin.enable is set 2018-12-21 17:52:37 +01:00
Florian Klink
c6de45c0d7 config.security.googleOsLogin: add module
The OS Login package enables the following components:
- AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
  profile during ssh authentication phase.
- NSS Module to provide user and group information
- PAM Module for the sshd service, providing authorization and
  authentication support, allowing the system to use data stored in
  Google Cloud IAM permissions to control both, the ability to log into
  an instance, and to perform operations as root (sudo).
2018-12-21 17:52:37 +01:00
Florian Klink
be5ad774bf security.pam.services.<name?>.: add googleOsLogin(AccountVerification|Authentication) 2018-12-21 17:52:37 +01:00
Florian Klink
fb41136208 google-compute-engine-oslogin: init at 1.4.3 2018-12-21 17:52:37 +01:00
Florian Klink
9c86e8faf5
Merge pull request #52488 from flokli/pam_account_unix_required
security.pam: make pam_unix.so required, not sufficient
2018-12-21 17:49:19 +01:00
Alyssa Ross
a2eed09a8c
Merge pull request #52416 from alyssais/icu
icu63: init at 63.1
2018-12-21 16:07:40 +00:00
José Luis Lafuente
5d9d164c77
clojure: 1.9.0.391 -> 1.10.0.403 2018-12-21 17:03:48 +01:00
Mario Rodas
485bf85407
pyre: fix watchman references 2018-12-21 16:20:44 +01:00
Jörg Thalheim
594fd0ff6e
Merge pull request #52627 from vdemeester/52469-localtime-to-buildgopackage
localtime: migrate to using buildGoPackage
2018-12-21 15:32:49 +01:00
Florian Klink
d180bf3862 security.pam: make pam_unix.so required, not sufficient
Having pam_unix set to "sufficient" means early-succeeding account
management group, as soon as pam_unix.so is succeeding.

This is not sufficient. For example, nixos modules might install nss
modules for user lookup, so pam_unix.so succeeds, and we end the stack
successfully, even though other pam account modules might want to do
more extensive checks.

Other distros seem to set pam_unix.so to 'required', so if there are
other pam modules in that management group, they get a chance to do some
validation too.

For SSSD, @PsyanticY already added a workaround knob in
https://github.com/NixOS/nixpkgs/pull/31969, while stating this should
be the default anyway.

I did some thinking in what could break - after this commit, we require
pam_unix to succeed, means we require `getent passwd $username` to
return something.
This is the case for all local users due to the passwd nss module, and
also the case for all modules installing their nss module to
nsswitch.conf - true for ldap (if not explicitly disabled) and sssd.

I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss
module loaded? Should the pam account module be placed before pam_unix?

We don't drop the `security.pam.services.<name?>.sssdStrictAccess`
option, as it's also used some lines below to tweak error behaviour
inside the pam sssd module itself (by changing its 'control' field).

This is also required to get admin login for Google OS Login working
(#51566), as their pam_oslogin_admin accounts module takes care of sudo
configuration.
2018-12-21 15:31:07 +01:00
Timo Kaufmann
bfca7082d4
Merge pull request #52613 from nyanloutre/pyqt5-fix
pythonPackages.pyqt5: fix sip dependency
2018-12-21 15:28:50 +01:00
Vincent Demeester
ed473e6615
localtime: migrate to using buildGoPackage
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-12-21 15:24:02 +01:00
Orivej Desh
8eccf9e284 bento4: fix license
The documentation says GPL2, and the source files also say "or any later version".
https://www.bento4.com/about/
https://github.com/axiomatic-systems/Bento4/blob/v1.5.1-624/Source/C++/CApi/Bento4C.h
2018-12-21 14:12:24 +00:00
Tim Steinbach
af6c117fac
linux: 4.19.11 -> 4.19.12 2018-12-21 09:11:02 -05:00
Tim Steinbach
dea57f15e9
linux: 4.14.89 -> 4.14.90 2018-12-21 09:10:54 -05:00
Tim Steinbach
a5f447e16a
linux: 4.9.146 -> 4.9.147 2018-12-21 09:10:45 -05:00
Tim Steinbach
54ce2e016b
linux: 4.4.168 -> 4.4.169 2018-12-21 09:10:24 -05:00
Tim Steinbach
98ac5710bd
kernel-config: CIFS_POSIX no longer exists 2018-12-21 09:10:17 -05:00
Michael Raskin
35efbedce4 matrix-synapse: 0.33.9 -> 0.34.0 2018-12-21 15:01:45 +01:00
Michael Raskin
13d5941d50 matrix-synapse: fix build by local dependency downgrade 2018-12-21 15:01:45 +01:00
Justin Humm
0be7bfe1bf
qutebrowser: fix pdfjs
Pdfjs was downloaded in two derivations, where one is sufficient.

Also there was allegedly a typo in the download URL.
2018-12-21 14:12:02 +01:00
nyanloutre
05cf0e1107 pythonPackages.pyqt5: link sip module 2018-12-21 14:06:44 +01:00
nyanloutre
b569b87d4a pythonPackages.sip: change module name
See https://github.com/NixOS/nixpkgs/pull/49400
2018-12-21 14:06:03 +01:00
Peter Simons
195f8ac5ac haskell-JuicyPixels: update overrides for the new version 2018-12-21 14:02:57 +01:00
Peter Simons
a220b2f370 haskell-appar: drop obsolete override 2018-12-21 14:02:57 +01:00
Peter Simons
e6d726e5aa hackage-packages.nix: automatic Haskell package set update
This update was generated by hackage2nix v2.12-11-gaf7cf68 from Hackage revision
6694c4746f.
2018-12-21 14:02:57 +01:00
Peter Simons
7f85bfd70d hackage2nix: prefer alsa-mixer 0.2.x by default
Fixes https://github.com/NixOS/nixpkgs/issues/52516.
2018-12-21 14:02:56 +01:00
Peter Simons
2018654322 LTS Haskell 12.23 2018-12-21 14:02:56 +01:00
Jörg Thalheim
a647b1218b
Merge pull request #52620 from Mic92/collectd-fix-2
collectd: fix build (take 2)
2018-12-21 14:02:22 +01:00
Alex Branham
a5fc513079 R: 3.5.1 -> 3.5.2
Closes https://github.com/NixOS/nixpkgs/pull/52571.
2018-12-21 13:59:36 +01:00
Jörg Thalheim
ce2cea80bf
collectd: add comment regarding propagated libraries 2018-12-21 13:43:10 +01:00
Jörg Thalheim
92343831c8
Merge pull request #52618 from hedning/ad-hoc-fix-strongswan
strongswan: ad-hoc fix build
2018-12-21 13:41:58 +01:00
Jörg Thalheim
652248e0e5
libcollectdclient: fix evaluation 2018-12-21 13:40:40 +01:00
Jörg Thalheim
e7ad85552e
Revert "Revert "collectd: fix build with lm_sensors" (#52619)"
This reverts commit c5398741e0.
2018-12-21 13:39:23 +01:00
Jörg Thalheim
3d6e86f77e
Merge pull request #52519 from risicle/ris-cf-cli-platforms
cloudfoundry-cli: fix build on multiple platforms, notably darwin. also bump -> 6.41.0
2018-12-21 13:28:45 +01:00
Michael Raskin
02ce974d04 python2Packages.wptserve: fix build 2018-12-21 13:21:50 +01:00
Michael Raskin
14b3e7c004 mozlz4a: 2015-07-24 -> 2018-08-23; fixes compatibility with newer python3Packages.lz4 2018-12-21 13:21:49 +01:00
Timo Kaufmann
c5398741e0
Revert "collectd: fix build with lm_sensors" (#52619) 2018-12-21 13:11:22 +01:00
Vincent Laporte
e0561cbadd coqPackages.Verdi: fix build 2018-12-21 12:37:04 +01:00
Vincent Laporte
1d5059c5e6 coqPackages.InfSeqExt: fix build 2018-12-21 12:37:04 +01:00
Vincent Laporte
954bc20786 coqPackages.Cheerios: fix build 2018-12-21 12:37:04 +01:00
Vincent Laporte
5a12bedbfa coqPackages.StructTact: fix build 2018-12-21 12:37:04 +01:00
Tor Hedin Brønner
ba055b698b strongswan: ad-hoc fix build
Simply add libpcap to buildInputs until iptables with pruned libtool files lands
in master.
2018-12-21 12:22:27 +01:00
Jörg Thalheim
f2d19d6d7a
Merge pull request #52614 from Mic92/collectd
collectd: fix build with lm_sensors
2018-12-21 11:33:34 +01:00
Jörg Thalheim
46b75db767
collectd: fix build with lm_sensors 2018-12-21 11:27:36 +01:00
Michael Weiss
469a36cdb9 gns3-server: Switch to overrideAttrs 2018-12-21 11:07:39 +01:00
Robert Scott
9046038d6c cloudfoundry-cli: 6.37.0 -> 6.41.0 2018-12-21 09:56:15 +00:00
Robert Scott
8e5c4a4c1d cloudfoundry-cli: output to "bin" output, don't "remove-references-to" 2018-12-21 09:56:15 +00:00