Merge pull request #287506 from Ma27/warn-user-password-options

nixos/users-groups: warn on ambiguous password settings
Linus Heckemann 2024-02-16 22:20:38 +01:00 committed by GitHub
commit 5863c27340
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -649,7 +649,6 @@ in {
home = "/root";
shell = mkDefault cfg.defaultUserShell;
group = "root";
initialHashedPassword = mkDefault "!";
};
nobody = {
uid = ids.uids.nobody;
@ -897,7 +896,26 @@ in {
));
warnings =
builtins.filter (x: x != null) (
flip concatMap (attrValues cfg.users) (user: let
unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([
user.hashedPassword
user.hashedPasswordFile
user.password
] ++ optionals cfg.mutableUsers [
# For immutable users, initialHashedPassword is set to hashedPassword,
# so using these options would always trigger the assertion.
user.initialHashedPassword
user.initialPassword
]));
in optional (!unambiguousPasswordConfiguration) ''
The user '${user.name}' has multiple of the options
`hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`
& `initialHashedPassword` set to a non-null value.
The options silently discard others by the order of precedence
given above which can lead to surprising results. To resolve this warning,
set at most one of the options above to a non-`null` value.
'')
++ builtins.filter (x: x != null) (
flip mapAttrsToList cfg.users (_: user:
# This regex matches a subset of the Modular Crypto Format (MCF)[1]
# informal standard. Since this depends largely on the OS or the