From 5666a378cb3cafbeb075740244b7a316d0ba9f7a Mon Sep 17 00:00:00 2001 From: rnhmjoj Date: Fri, 8 Sep 2023 21:13:31 +0200 Subject: [PATCH] nixos/users-groups: rename passwordFile in hashedPasswordFile This avoids the possible confusion with `passwordFile` being the file version of `password`, while it should contain the password hash. Fixes issue #165858. --- .../manual/release-notes/rl-2311.section.md | 2 + nixos/modules/config/users-groups.nix | 40 ++++++++++++------- 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 4d559b9ca40a..81d21e132cea 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -87,6 +87,8 @@ - `getent` has been moved from `glibc`'s `bin` output to its own dedicated output, reducing closure size for many dependents. Dependents using the `getent` alias should not be affected; others should move from using `glibc.bin` or `getBin glibc` to `getent` (which also improves compatibility with non-glibc platforms). +- The `users.users..passwordFile` has been renamed to `users.users..hashedPasswordFile` to avoid possible confusions. The option is in fact the file-based version of `hashedPassword`, not `password`, and expects a file containing the {manpage}`crypt(3)` hash of the user password. + - The `services.ananicy.extraRules` option now has the type of `listOf attrs` instead of `string`. - The `matrix-synapse` package & module have undergone some significant internal changes, for most setups no intervention is needed, though: diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 684b4bc8fbcc..4893d28924eb 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -18,11 +18,11 @@ let passwordDescription = '' The options {option}`hashedPassword`, - {option}`password` and {option}`passwordFile` + {option}`password` and {option}`hashedPasswordFile` controls what password is set for the user. {option}`hashedPassword` overrides both - {option}`password` and {option}`passwordFile`. - {option}`password` overrides {option}`passwordFile`. + {option}`password` and {option}`hashedPasswordFile`. + {option}`password` overrides {option}`hashedPasswordFile`. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option {option}`users.mutableUsers` is true, the @@ -250,18 +250,26 @@ let ''; }; - passwordFile = mkOption { + hashedPasswordFile = mkOption { type = with types; nullOr str; - default = null; + default = cfg.users.${name}.passwordFile; + defaultText = literalExpression "null"; description = lib.mdDoc '' - The full path to a file that contains the user's password. The password - file is read on each system activation. The file should contain - exactly one line, which should be the password in an encrypted form - that is suitable for the `chpasswd -e` command. + The full path to a file that contains the hash of the user's + password. The password file is read on each system activation. The + file should contain exactly one line, which should be the password in + an encrypted form that is suitable for the `chpasswd -e` command. ${passwordDescription} ''; }; + passwordFile = mkOption { + type = with types; nullOr (passwdEntry str); + default = null; + visible = false; + description = lib.mdDoc "Deprecated alias of hashedPasswordFile"; + }; + initialHashedPassword = mkOption { type = with types; nullOr (passwdEntry str); default = null; @@ -447,7 +455,7 @@ let users = mapAttrsToList (_: u: { inherit (u) name uid group description home homeMode createHome isSystemUser - password passwordFile hashedPassword + password hashedPasswordFile hashedPassword autoSubUidGidRange subUidRanges subGidRanges initialPassword initialHashedPassword expires; shell = utils.toShellPath u.shell; @@ -756,7 +764,7 @@ in { && (allowsLogin cfg.hashedPassword || cfg.password != null - || cfg.passwordFile != null + || cfg.hashedPasswordFile != null || cfg.openssh.authorizedKeys.keys != [] || cfg.openssh.authorizedKeys.keyFiles != []) ) cfg.users ++ [ @@ -845,9 +853,13 @@ in { The password hash of user "${user.name}" may be invalid. You must set a valid hash or the user will be locked out of their account. Please check the value of option `users.users."${user.name}".hashedPassword`.'' - else null - )); - + else null) + ++ flip mapAttrsToList cfg.users (name: user: + if user.passwordFile != null then + ''The option `users.users."${name}".passwordFile' has been renamed '' + + ''to `users.users."${name}".hashedPasswordFile'.'' + else null) + ); }; }