diff --git a/hosts/common/polyunfill.nix b/hosts/common/polyunfill.nix
index a616a6f1..c3c2b8d1 100644
--- a/hosts/common/polyunfill.nix
+++ b/hosts/common/polyunfill.nix
@@ -2,12 +2,6 @@ { lib, pkgs, ... }:
 let
- mkPrio = p: p.overrideAttrs (upstream: {
- meta = (upstream.meta or {}) // {
- # shadow the unpatched PAM with my patched PAM
- priority = ((upstream.meta or {}).priority or 0) - 1;
- };
- });
 suidlessPam = pkgs.pam.overrideAttrs (upstream: {
 # nixpkgs' pam hardcodes unix_chkpwd path to the /run/wrappers one,
 # but i don't want the wrapper, so undo that.
@@ -18,7 +12,6 @@ let
 "/run/wrappers/bin/unix_chkpwd" "$out/bin/unix_chkpwd"
 '';
 });
- useSuidlessPam = p: p.override { pam = suidlessPam; };
 in
 {
 # remove a few items from /run/wrappers we don't need.
@@ -36,91 +29,36 @@ in
 ]));
 };
 options.security.pam.services = lib.mkOption {
- apply = lib.filterAttrs (name: _: !(builtins.elem name [
- # from
- "i3lock"
- "i3lock-color"
- "vlock"
- "xlock"
- "xscreensaver"
- "runuser"
- "runuser-l"
- # from ??
- "chfn"
- "chpasswd"
- "chsh"
- "groupadd"
- "groupdel"
- "groupmems"
- "groupmod"
- "useradd"
- "userdel"
- "usermod"
- ]));
+ apply = services: let
+ filtered = lib.filterAttrs (name: _: !(builtins.elem name [
+ # from
+ "i3lock"
+ "i3lock-color"
+ "vlock"
+ "xlock"
+ "xscreensaver"
+ "runuser"
+ "runuser-l"
+ # from ??
+ "chfn"
+ "chpasswd"
+ "chsh"
+ "groupadd"
+ "groupdel"
+ "groupmems"
+ "groupmod"
+ "useradd"
+ "userdel"
+ "usermod"
+ ])) services;
+ in lib.mapAttrs (_serviceName: service: service // {
+ # replace references with the old pam_unix, which calls into /run/wrappers/bin/unix_chkpwd,
+ # with a pam_unix that calls until unix_chkpwd via the nix store.
+ text = lib.replaceStrings [" pam_unix.so" ] [ " ${suidlessPam}/lib/security/pam_unix.so" ] service.text;
+ }) filtered;
 };
 config = {
- # TODO: do this generically (via option `apply`?)
- security.pam.services.cups.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.cups.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.cups.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.cups.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.cups.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- 
- security.pam.services.login.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.login.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.login.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.login.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.login.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- 
- security.pam.services.other.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.other.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.other.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.other.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.other.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- 
- security.pam.services.passwd.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.passwd.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.passwd.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.passwd.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.passwd.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- 
- security.pam.services.polkit-1.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.polkit-1.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.polkit-1.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.polkit-1.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.polkit-1.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- 
- security.pam.services.sshd.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.sshd.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- # security.pam.services.sshd.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.sshd.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.sshd.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- 
- security.pam.services.su.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.su.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.su.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.su.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.su.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- 
- security.pam.services.sudo.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.sudo.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.sudo.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.sudo.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.sudo.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- 
- security.pam.services.swaylock.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.swaylock.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.swaylock.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.swaylock.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.swaylock.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- 
- security.pam.services.systemd-user.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.systemd-user.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- # security.pam.services.systemd-user.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.systemd-user.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- security.pam.services.systemd-user.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
- 
 # disable non-required packages like nano, perl, rsync, strace
 environment.defaultPackages = [];
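Review bot: The `text` rewrite in the new `apply` matches only the literal space-prefixed `" pam_unix.so"`, so if nixpkgs renders a service's unix rules with an absolute store path for the module (or any other spelling) nothing is replaced and that service silently keeps the pam_unix that calls /run/wrappers/bin/unix_chkpwd — the wrapper the `suidlessPam` comment says is deliberately not wanted — which would surface as authentication failing at runtime rather than as an evaluation error. Since the substitution is now the only mechanism (the per-service `mkForce` lines are gone), make a non-match loud: when `service.text` still names `pam_unix.so` but the replacement left the text unchanged, fail evaluation with an `assert`. Note also that the rewrite touches `text` only; each service's `rules.*.*.modulePath` values presumably still point at the wrapper-dependent module, so anything that reads `rules` instead of `text` would see the stale path. Two wording fixes in the comment above the `text` line: `calls until unix_chkpwd` should read `calls into unix_chkpwd`, and `replace references with the old pam_unix` should read `replace references to the old pam_unix`. The `config = {` attrset this hunk edits continues past the end of the hunk.
```nix
    in lib.mapAttrs (_serviceName: service: service // {
      # … unchanged: comment on why pam_unix is swapped …
      text = let
        patched = lib.replaceStrings [ " pam_unix.so" ] [ " ${suidlessPam}/lib/security/pam_unix.so" ] service.text;
      in
        # an unmatched pattern would silently keep the wrapper-dependent pam_unix;
        # fail evaluation instead when the text still names pam_unix.so
        assert lib.hasInfix "pam_unix.so" service.text -> patched != service.text;
        patched;
    }) filtered;
```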