polyunfill: simplify pam hacks
This commit is contained in:
parent
2ee39ca0cc
commit
57d6a9a4c3
|
@ -2,12 +2,6 @@
|
||||||
|
|
||||||
{ lib, pkgs, ... }:
|
{ lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
mkPrio = p: p.overrideAttrs (upstream: {
|
|
||||||
meta = (upstream.meta or {}) // {
|
|
||||||
# shadow the unpatched PAM with my patched PAM
|
|
||||||
priority = ((upstream.meta or {}).priority or 0) - 1;
|
|
||||||
};
|
|
||||||
});
|
|
||||||
suidlessPam = pkgs.pam.overrideAttrs (upstream: {
|
suidlessPam = pkgs.pam.overrideAttrs (upstream: {
|
||||||
# nixpkgs' pam hardcodes unix_chkpwd path to the /run/wrappers one,
|
# nixpkgs' pam hardcodes unix_chkpwd path to the /run/wrappers one,
|
||||||
# but i don't want the wrapper, so undo that.
|
# but i don't want the wrapper, so undo that.
|
||||||
|
@ -18,7 +12,6 @@ let
|
||||||
"/run/wrappers/bin/unix_chkpwd" "$out/bin/unix_chkpwd"
|
"/run/wrappers/bin/unix_chkpwd" "$out/bin/unix_chkpwd"
|
||||||
'';
|
'';
|
||||||
});
|
});
|
||||||
useSuidlessPam = p: p.override { pam = suidlessPam; };
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# remove a few items from /run/wrappers we don't need.
|
# remove a few items from /run/wrappers we don't need.
|
||||||
|
@ -36,91 +29,36 @@ in
|
||||||
]));
|
]));
|
||||||
};
|
};
|
||||||
options.security.pam.services = lib.mkOption {
|
options.security.pam.services = lib.mkOption {
|
||||||
apply = lib.filterAttrs (name: _: !(builtins.elem name [
|
apply = services: let
|
||||||
# from <repo:nixos/nixpkgs:nixos/modules/security/pam.nix>
|
filtered = lib.filterAttrs (name: _: !(builtins.elem name [
|
||||||
"i3lock"
|
# from <repo:nixos/nixpkgs:nixos/modules/security/pam.nix>
|
||||||
"i3lock-color"
|
"i3lock"
|
||||||
"vlock"
|
"i3lock-color"
|
||||||
"xlock"
|
"vlock"
|
||||||
"xscreensaver"
|
"xlock"
|
||||||
"runuser"
|
"xscreensaver"
|
||||||
"runuser-l"
|
"runuser"
|
||||||
# from ??
|
"runuser-l"
|
||||||
"chfn"
|
# from ??
|
||||||
"chpasswd"
|
"chfn"
|
||||||
"chsh"
|
"chpasswd"
|
||||||
"groupadd"
|
"chsh"
|
||||||
"groupdel"
|
"groupadd"
|
||||||
"groupmems"
|
"groupdel"
|
||||||
"groupmod"
|
"groupmems"
|
||||||
"useradd"
|
"groupmod"
|
||||||
"userdel"
|
"useradd"
|
||||||
"usermod"
|
"userdel"
|
||||||
]));
|
"usermod"
|
||||||
|
])) services;
|
||||||
|
in lib.mapAttrs (_serviceName: service: service // {
|
||||||
|
# replace references with the old pam_unix, which calls into /run/wrappers/bin/unix_chkpwd,
|
||||||
|
# with a pam_unix that calls until unix_chkpwd via the nix store.
|
||||||
|
text = lib.replaceStrings [" pam_unix.so" ] [ " ${suidlessPam}/lib/security/pam_unix.so" ] service.text;
|
||||||
|
}) filtered;
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
# TODO: do this generically (via option `apply`?)
|
|
||||||
security.pam.services.cups.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.cups.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.cups.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.cups.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.cups.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
|
|
||||||
security.pam.services.login.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.login.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.login.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.login.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.login.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
|
|
||||||
security.pam.services.other.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.other.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.other.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.other.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.other.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
|
|
||||||
security.pam.services.passwd.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.passwd.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.passwd.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.passwd.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.passwd.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
|
|
||||||
security.pam.services.polkit-1.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.polkit-1.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.polkit-1.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.polkit-1.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.polkit-1.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
|
|
||||||
security.pam.services.sshd.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.sshd.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
# security.pam.services.sshd.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.sshd.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.sshd.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
|
|
||||||
security.pam.services.su.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.su.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.su.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.su.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.su.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
|
|
||||||
security.pam.services.sudo.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.sudo.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.sudo.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.sudo.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.sudo.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
|
|
||||||
security.pam.services.swaylock.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.swaylock.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.swaylock.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.swaylock.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.swaylock.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
|
|
||||||
security.pam.services.systemd-user.rules.account.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.systemd-user.rules.auth.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
# security.pam.services.systemd-user.rules.auth.unix-early.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.systemd-user.rules.password.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
security.pam.services.systemd-user.rules.session.unix.modulePath = lib.mkForce "${suidlessPam}/lib/security/pam_unix.so";
|
|
||||||
|
|
||||||
# disable non-required packages like nano, perl, rsync, strace
|
# disable non-required packages like nano, perl, rsync, strace
|
||||||
environment.defaultPackages = [];
|
environment.defaultPackages = [];
|
||||||
|
|
||||||
|
|
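Review bot: The substitution in the new `text = lib.replaceStrings [" pam_unix.so" ] [ " ${suidlessPam}/lib/security/pam_unix.so" ] service.text;` line is anchored on a literal space followed by the bare module name, so any rule whose modulePath is rendered as a full store path (`${pkgs.pam}/lib/security/pam_unix.so`, which I believe newer nixpkgs emits for the unix rules — worth confirming against the pinned revision) or whose fields are tab-separated is left untouched, and that service silently keeps the unpatched pam_unix that looks for the /run/wrappers/bin/unix_chkpwd this module appears to strip. The removed per-service `modulePath = lib.mkForce` lines did not have this failure mode, so the simplification weakens the guarantee rather than only shortening the code. I would match both spellings, e.g. `lib.replaceStrings [ " pam_unix.so" "${pkgs.pam}/lib/security/pam_unix.so" ] [ " ${suidlessPam}/lib/security/pam_unix.so" "${suidlessPam}/lib/security/pam_unix.so" ] service.text`, and optionally assert afterwards that `"${pkgs.pam}/lib/security/pam_unix.so"` no longer occurs in the result so a rendering change fails the build instead of the login path. Separately, the new comment `# with a pam_unix that calls until unix_chkpwd via the nix store.` should read `calls into unix_chkpwd`, and the line before it should say `# replace references to the old pam_unix`.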