nixos/pam: pam_mkhomedir umask to 0077
pam_mkhomedir should create homedirs with the same umask as the rest of the system. Currently it creates homedirs with go+rx which makes it readable for other non-privileged users.
parent: e62c9ce932
commit: 90bac670c0
3 changed files with 11 additions and 1 deletion
@ -1851,6 +1851,14 @@ Superuser created successfully.
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<literal>security.pam.services.<name>.makeHomeDir</literal>
now uses <literal>umask=0077</literal> instead of
<literal>umask=0022</literal> when creating the home
directory.
</para>
</listitem>
</itemizedlist>
</section>
</section>
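Review bot: in the new `<literal>security.pam.services.<name>.makeHomeDir</literal>` line, a bare `<name>` inside DocBook XML is parsed as an element, not as text, so if this file is XML source it has to be written as `<literal>security.pam.services.&lt;name&gt;.makeHomeDir</literal>`; please confirm the committed file carries the entity form (or is generated from the markdown entry) rather than the literal angle brackets shown here.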
@ -514,3 +514,5 @@ In addition to numerous new and upgraded packages, this release has the followin
- The `services.unifi.dataDir` option is removed and the data is now always located under `/var/lib/unifi/data`. This is done to make better use of systemd state direcotiry and thus making the service restart more reliable.
- The unifi logs can now be found under: `/var/log/unifi` instead of `/var/lib/unifi/logs`.
- The unifi run directory can now be found under: `/run/unifi` instead of `/var/lib/unifi/run`.
- `security.pam.services.<name>.makeHomeDir` now uses `umask=0077` instead of `umask=0022` when creating the home directory.
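Review bot: the release note states the new umask but not what it means for operators, which is the part a reader of the changelog needs. Suggest extending the entry along the lines of: "Newly created home directories are therefore mode `0700` rather than `0755`; existing home directories are not touched, and setups that relied on other users being able to read home directories will need to adjust permissions manually." That keeps the security rationale from the commit message visible where users will actually look for it.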
@ -483,7 +483,7 @@ let
if config.boot.isContainer then "optional" else "required"
} pam_loginuid.so"}
${optionalString cfg.makeHomeDir
"session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"}
"session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077"}
${optionalString cfg.updateWtmp
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
${optionalString config.security.pam.enableEcryptfs
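Review bot: the umask is still hard-coded in the `pam_mkhomedir.so` line, so an administrator who needs the previous `0022` behaviour for a specific service has no supported way to get it back short of overriding the whole PAM text. Since `skel=` already reads from `config.security.pam.makeHomeDir.skelDirectory`, the natural follow-up is a sibling option (for example `security.pam.makeHomeDir.umask`, defaulting to `"0077"`) referenced here as `umask=${...}`, keeping the secure default while leaving the value declarative. Also worth stating in the commit or option description that `pam_mkhomedir` only acts when the directory does not yet exist, so the change is not retroactive for existing users.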