nixos/users-groups: don't default users.users.<name>.group to nogroup
This is unsafe, because many distinct services may then be running with the same shared nogroup group.
parent
8a2ec31e22
commit
0f15a8f489
@ -123,7 +123,7 @@ let
|
|||||||
group = mkOption {
|
group = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x;
|
apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x;
|
||||||
default = "nogroup";
|
default = "";
|
||||||
description = "The user's primary group.";
|
description = "The user's primary group.";
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -638,6 +638,16 @@ in {
|
|||||||
Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.
|
Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
assertion = user.group != "";
|
||||||
|
message = ''
|
||||||
|
users.users.${user.name}.group is unset. This used to default to
|
||||||
|
nogroup, but this is unsafe. For example you can create a group
|
||||||
|
for this user with:
|
||||||
|
users.users.${user.name}.group = "${user.name}";
|
||||||
|
users.groups.${user.name} = {};
|
||||||
|
'';
|
||||||
|
}
|
||||||
]
|
]
|
||||||
));
|
));
|
||||||
|
|
||||||
|
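Review bot: The new `default = "";` on the `group` option is a sentinel that only makes sense together with the added assertion `user.group != ""`, yet the option text still reads just "The user's primary group.", so the generated option documentation will show an empty default with no hint that the value is now mandatory. I would change the description to `description = "The user's primary group. Must be set explicitly; there is no usable default.";` and put a comment above the default such as `# "" is a sentinel rejected by an assertion, so no account silently joins the shared nogroup group`. The assertion rejects only the empty string, so a configuration that explicitly sets `group = "nogroup"` still passes and keeps several services in one group; if that is intended as an opt-in, the assertion message could say so. Whether the named group is checked against `users.groups` is not visible here, since both hunks are excerpts of larger blocks that begin and end outside the shown lines.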