Commit Graph

23 Commits

Author SHA1 Message Date
Jaakko Luttinen
099a9e809c nixos/update-users-groups: read access to /etc/shadow for group shadow 2021-03-18 00:08:35 -07:00
Niklas Hambüchen
9206c0d115
Merge pull request #41966 from aneeshusa/allow-mutable-shells-for-declarative-users
nixos/users: Allow mutable shells for declarative users
2020-12-31 02:03:22 +01:00
Klemens Nanni
8833983f26 nixos/users-groups: createHome: Ensure HOME permissions, fix description
configuration.nix(1) states

    users.extraUsers.<name>.createHome
        [...] If [...] the home directory already exists but is not
        owned by the user, directory owner and group will be changed to
        match the user.

i.e. ownership would change only if the user mismatched;  the code
however ignores the owner, it is sufficient to enable `createHome`:

    if ($u->{createHome}) {
        make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
        chown $u->{uid}, $u->{gid}, $u->{home};
    }

Furthermore, permissions are ignored on already existing directories and
therefore may allow others to read private data eventually.

Given that createHome already acts as switch to not only create but
effectively own the home directory, manage permissions in the same
manner to ensure the intended default and cover all primary attributes.

Avoid yet another configuration option to have administrators make a
clear and simple choice between securely managing home directories
and optionally defering management to own code (taking care of custom
location, ownership, mode, extended attributes, etc.).

While here, simplify and thereby fix misleading documentation.
2020-12-16 03:40:29 +01:00
Graham Christensen
75d7828724
Merge pull request #98544 from Mic92/unfuck-update-user-group
nixos/update-user-groups: Fix encoding issues + atomic writes
2020-11-20 10:28:52 -05:00
Jörg Thalheim
99406adaae
nixos/update-users-groups: write files truly atomic
Having the .tmp suffix is broken w.r.t. to multiple writers,
as they would overwrite existing files. using the atomic flag
will make write_file to create a unique temporary file it gets renamed
to its target.
2020-09-23 10:51:01 +02:00
Jörg Thalheim
f072d4dadc
nixos/update-users-groups: fix encoding of json database
The issue here is that updateFile expects a unicode string while
encode_json returns a binary string unlike to_json.
2020-09-23 10:50:57 +02:00
Jörg Thalheim
52bdb3eb7b
nixos/update-users-group: treat all file as utf-8
Ideally we would treat everything as bytes however our database is
already utf-8 encoded so we need to stay compatible.
2020-09-23 10:50:55 +02:00
adisbladis
5733967290
nixos.users-groups: Set up subuid/subgid mappings for all normal users
This is required by (among others) Podman to run containers in rootless mode.

Other distributions such as Fedora and Ubuntu already set up these mappings.

The scheme with a start UID/GID offset starting at 100000 and increasing in 65536 increments is copied from Fedora.
2020-07-13 13:15:02 +02:00
Cole Helbling
937359fcf1
nixos/update-users-groups: /etc/shadow owned by root:shadow 2020-09-25 09:38:35 -07:00
Silvan Mosberger
23d920c8f0
nixos/users: Increase maximum system uid/gid from 499 to 999
This enlarges the system uid/gid range 6-fold, from 100 to 600 ids. This
is a preventative measure against running out of dynamically allocated
ids for NixOS services with isSystemUser, which should become the
preferred way of allocating uids for non-real users.
2019-10-14 01:59:19 +02:00
Matthew Bauer
fc565c1b9d nixos/update-users-groups.pl: chomp hashedPassword
We don’t want any trailing whitespace, otherwise we mess up the
formating of the shadow file. Some things like readFile may have the
trailing new line.

Fixes #66745
2019-08-25 23:42:31 -04:00
Aneesh Agrawal
a709b1a373 nixos/users: Allow mutable shells for declarative users
I want to manage users centrally via declarativeUsers,
but allow users to change their shell as they please,
similar to how they can change passwords at will
if none of the password-related NixOS settings are set for their user.
2019-04-07 15:16:01 -07:00
Eelco Dolstra
a57bcd38b4
update-users-groups.pl: Keep track of deallocated UIDs/GIDs
When a user or group is revived, this allows it to be allocated the
UID/GID it had before.

A consequence is that UIDs and GIDs are no longer reused.

Fixes #24010.
2017-03-29 18:13:18 +02:00
Franz Pletz
9ea35eae7a
nixos/users-groups: chown home on createHome
Fixes #23619.
2017-03-08 00:29:20 +01:00
Domen Kožar
e561edc322 update-users-groups.pl: correctly guard duplicate uids for declarative users
Verified that following nixos configuration:

    users.users.foo = {
      uid = 1000;
      name = "foo";
    };
    users.users.bar = {
      name = "bar";
    };

Before this commit both users will get uid of 1000, after it's applied
bar will correctly get 1001.
2016-08-30 17:14:14 +02:00
Bjørn Forsman
6e528893a8 nixos/update-users-groups.pl: print UIDs and GIDs
Instead of showing this output from "nixos-rebuild switch":

  warning: not applying GID change of group ‘munin’
  warning: not applying UID change of user ‘ntp’

print this:

  warning: not applying GID change of group ‘munin’ (95 -> 102)
  warning: not applying UID change of user ‘ntp’ (3 -> 179)

This makes it possible for users to take action and fixup the UIDs/GIDs
that NixOS won't touch.
2016-07-01 13:13:46 +02:00
Eelco Dolstra
16cf3ee9da Ensure that the home directory exists even if the user already exists 2015-02-24 11:57:38 +01:00
Rüdiger Sonderfeld
fa1cec1037 update-users-groups.pl: Use UTF-8 instead of latin1.
Perl seems to write the file in latin1 independent of the actual input
encoding.  This can corrupt the "description" field of /etc/passwd.  By
setting "binmode" to ":utf8" Perl can be forced to write UTF-8.  Ideally
the program would simply read/write the fields by value without any
changes in encoding.  However, assuming/enforcing UTF-8 is a lot better
than using an obsolete coding like latin1.
2014-11-08 19:25:17 +01:00
Eelco Dolstra
3696536115 Handle removing a password if mutableUsers = false 2014-11-03 12:32:27 +01:00
Eelco Dolstra
1b53a3fcb7 Add initialPassword and initialHashedPassword options
These are like password and hashedPassword, except that they only
apply when the user is initially created.
2014-11-03 12:32:19 +01:00
Eelco Dolstra
a9f5e77e2f update-users-groups.pl: Generate hashed passwords internally
I.e. don't call "passwd" to update /etc/shadow from the "password"
option. This has the side-effect of not updating the password if
mutableUsers = true (since the code path for "hashedPassword" has a
check for mutableUsers).

Fixes #4747.
2014-10-31 17:42:09 +01:00
Eelco Dolstra
6dc5db3850 Fix setting an empty password 2014-08-18 17:12:56 +02:00
Eelco Dolstra
1a75958be5 Unify mutableUsers = { true, false }
With mutableUsers = true, we now ensure that all users and groups that
were created declaratively, are updated or removed
appropriately. Thus, adding a user to users.extraUsers and then
removing it now causes the acoount to be removed from
/etc/passwd. Thus user/group management is fully congruent except that
users and groups that were created imperatively (via useradd/groupadd)
are not touched. We distinguish between declarative and imperative
users/groups by tracking the former in
/var/lib/nixos/declarative-{groups,users}.

With mutableUsers = false, you are now no longer required to specify
UIDs/GIDs for all users. The handling of mutableUsers = true/false is
the same code path; the only difference is that the "false" mode
ignores the existing contents of /etc/{passwd,group}.

The attribute ‘createUser’ is gone. It doesn't really make sense to
specify users that shouldn't be created.
2014-08-15 02:15:29 +02:00