Commit graph

36 commits

Author SHA1 Message Date
Michael Raskin
f6bc3d61cf To prevent glibc bug exploitation, make setuid-wrappers unreadable to non-root users
svn path=/nixos/trunk/; revision=24378
2010-10-20 09:29:02 +00:00
Lluís Batlle i Rossell
79ded36abf Making cron/fcron set their setuid wrappers. And made fcron use the nixos systemCrontabJobs by
default.
It does not look very modular, and the manual may not look very good, but I think it
works better than before. And setting cron.enable = false and fcron.enable = true works fine.


svn path=/nixos/trunk/; revision=24199
2010-10-10 11:35:15 +00:00
Eelco Dolstra
f729f12e4e Some cleanups in the activation script:
* Moved some scriptlets to the appropriate modules.
* Put the scriptlet that sets the default path at the start, since it
  never makes sense not to have it there.  It no longer needs to be
  declared as a dependency.
* If a scriptlet has no dependencies, it can be denoted as a plain
  string (i.e., `noDepEntry' is not needed anymore).

svn path=/nixos/trunk/; revision=23762
2010-09-13 15:41:38 +00:00
Yury G. Kudryashov
f0eb823a34 Add unix_chkpwd suid wrapper
svn path=/nixos/trunk/; revision=23165
2010-08-13 14:07:34 +00:00
David Guibert
6c8c1f935a nixos: authenticate through kerberos
config.krb5.enable needs to be set as true.
Also use pam_ccreds to cache Kerberos credentials for offline logins.

svn path=/nixos/trunk/; revision=22986
2010-08-06 08:50:48 +00:00
Eelco Dolstra
82be7d8d65 * `pam_console' maintains the set of locally logged in users in
/var/run/console.  This is obsolete, but D-Bus still uses it for its
  `at_console' feature.  So maintain it using a ConsoleKit session
  script.  Borrowed from
  http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-auth/consolekit/files/pam-foreground-compat.ck

svn path=/nixos/trunk/; revision=22720
2010-07-23 14:23:08 +00:00
Eelco Dolstra
c089738bdc * Use the shadow' package instead of pwdutils', `pam_login' and
`su'.
* The `usermod' from `shadow' allows setting a supplementary group
  equal to the user's primary group, so the special hack for the
  `nixbld' group is no longer needed.
* Removed /etc/default/passwd since it's not used by the new passwd.
  The hash is configured in pam_unix.
* Move some values for `security.setuidPrograms' and
  `security.pam.services' to the appropriate modules.

svn path=/nixos/trunk/; revision=22107
2010-06-02 21:10:48 +00:00
Eelco Dolstra
876954d15d * Use pam_unix (from the PAM package) instead of pam_unix2. All the
functionality we needed from pam_unix2 (more secure hashes, and,
  uh...) has been merged into pam_unix.

svn path=/nixos/trunk/; revision=22106
2010-06-02 19:59:44 +00:00
Eelco Dolstra
540c673364 * Enable the `chfn' program. Note that by default non-root users are
still not permitted to change their account information, as
  specified in login.defs.

svn path=/nixos/trunk/; revision=22049
2010-05-28 14:59:34 +00:00
Yury G. Kudryashov
a0b97de260 Use polkit-agent-helper-1 from libexec/polkit-1
svn path=/nixos/trunk/; revision=21844
2010-05-18 16:46:32 +00:00
Yury G. Kudryashov
7ae39feedb Get rid of extraSetuidPrograms.
Also state in description that it is obsolete.

svn path=/nixos/trunk/; revision=21777
2010-05-14 21:01:06 +00:00
Yury G. Kudryashov
03caab4572 Enable polkit-1
Now both polkit-1 and old policykit are enabled. Packages that can use both will
be migrated to new polkit-1, than old one can be disabled.

svn path=/nixos/trunk/; revision=21776
2010-05-14 20:28:04 +00:00
Eelco Dolstra
8a6346e477 * Provide a bundle of CA certificates in /etc/ca-bundle.crt, and set
the CURL_CA_BUNDLE environment variable.  This allows curl to work
  without the `-k' flag on https sites with a properly signed
  certificate.

svn path=/nixos/trunk/; revision=19572
2010-01-20 14:22:47 +00:00
Ludovic Courtès
c68f5fbae4 Add support for pam_limits.
svn path=/nixos/trunk/; revision=19370
2010-01-12 11:02:23 +00:00
Nicolas Pierron
d2901e979d * Add support for pam_usb.
svn path=/nixos/trunk/; revision=19185
2010-01-03 11:59:08 +00:00
Eelco Dolstra
5dfaf565bf * On the CD or on a newly installed system, create the root account
with an empty password, rather than with a hashed empty password.
  The latter is a security risk, because it allows remote root logins
  if a user enables sshd before setting a proper root password.
* Allow empty passwords for login and slim, but nothing else.

svn path=/nixos/trunk/; revision=17833
2009-10-15 14:41:59 +00:00
Marc Weber
ccd2a0b617 sudo default configFile: replace outdated comment
svn path=/nixos/trunk/; revision=17790
2009-10-13 21:29:30 +00:00
Eelco Dolstra
d933f55e45 * Tell PolicyKit about the policies of HAL and ConsoleKit.
svn path=/nixos/trunk/; revision=17439
2009-09-26 10:32:57 +00:00
Eelco Dolstra
3d5462c980 * Install a PolicyKit policy configuration file. There should be a
configuration option to add to this file.

svn path=/nixos/trunk/; revision=17436
2009-09-26 00:07:52 +00:00
Eelco Dolstra
69f68c319d * A module for the old PolicyKit.
svn path=/nixos/trunk/; revision=17433
2009-09-25 23:06:38 +00:00
Eelco Dolstra
3e5912833d * For consistency with Nixpkgs.
svn path=/nixos/trunk/; revision=17427
2009-09-25 20:12:35 +00:00
Eelco Dolstra
379778c385 * For X logins, don't use pam_ck_connector since it doesn't really
work for X logins.  (The documentation also says so.)  Instead just
  call ck-launch-session from the xsession script.

svn path=/nixos/trunk/; revision=17090
2009-09-13 14:05:21 +00:00
Eelco Dolstra
447c1ac34a * SLiM / ConsoleKit compatibility hack.
svn path=/nixos/trunk/; revision=16744
2009-08-17 01:35:48 +00:00
Eelco Dolstra
7ab616f659 * Added support for ConsoleKit.
* Let ConsoleKit track the current logins instead of pam_console.
  Udev now takes care of setting the device permissions to the active
  user.  This works much better, since pam_console wouldn't apply
  permissions to new (hot-plugged) devices.  Also, the udev+ConsoleKit
  approach supports user switching.  (We don't have that for X yet,
  but it already works for logins on virtual consoles: if you switch
  between different users on differents VCs with Alt+Fn, the device
  ownership will be changed automatically.)

svn path=/nixos/trunk/; revision=16743
2009-08-17 01:16:38 +00:00
Eelco Dolstra
ac24c7834d * A module for policy-kit (not enabled yet).
svn path=/nixos/trunk/; revision=16738
2009-08-16 21:48:46 +00:00
Eelco Dolstra
26439de75b * security.setuidPrograms: don't set the default in the "default"
mkOption argument, because then we lose them if somebody sets
  security.setuidPrograms somewhere else.  (Shouldn't "default" be
  merged as well?)

svn path=/nixos/trunk/; revision=16734
2009-08-16 21:11:04 +00:00
Eelco Dolstra
dba1964122 * setuid-wrappers: support setting the mode. For instance, some
programs require that the mode is 4550 so that execution of the
  setuid program can be restricted to members of a group.
* setuid-wrappers: remove a race condition in the creation of the
  wrappers if the ownership or mode was different than root:root and
  4555.
* setuid-wrappers: allow the full path of the wrapped program to be
  specified, rather than looking it up in $PATH.

svn path=/nixos/trunk/; revision=16733
2009-08-16 17:24:59 +00:00
Eelco Dolstra
f31e2718b7 * Print an error if the exec fails.
svn path=/nixos/trunk/; revision=16732
2009-08-16 16:46:00 +00:00
Eelco Dolstra
3b931f7861 * We still need /etc/pam.d/other to keep usermod happy.
svn path=/nixos/trunk/; revision=16731
2009-08-16 15:46:24 +00:00
Eelco Dolstra
2884c9a836 * Style change.
svn path=/nixos/trunk/; revision=16730
2009-08-16 14:54:31 +00:00
Eelco Dolstra
39bffdb34c * Make the generation of /etc/pam.d more declarative. There now is an
option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729
2009-08-16 14:49:14 +00:00
Eelco Dolstra
720d51179e * kdm needs the "kde" PAM module, but you only get it when KDE is
enabled as a session type.  Since I'm lazy, provide it
  unconditionally.  Also have it include "common-console" to set
  device ownership when logging in.

svn path=/nixos/branches/modular-nixos/; revision=15800
2009-05-29 14:57:31 +00:00
Eelco Dolstra
14f1c81822 * Move PAM configuration to modules/security/pam.nix.
svn path=/nixos/branches/modular-nixos/; revision=15766
2009-05-28 13:10:02 +00:00
Nicolas Pierron
47f70fda2f Fix fullDepEntry location in setuid-wrappers.nix.
svn path=/nixos/branches/modular-nixos/; revision=15733
2009-05-26 14:10:20 +00:00
Eelco Dolstra
c96f0d75f0 * Move the setuid wrappers activation scriptlet to
modules/security/setuid-wrappers.nix.
* Removed the "path" activation scriptlet.  The partial ordering was
  underspecified (there was nothing ensuring that it came near the end
  of the activation script), and it wasn't needed in any case.

svn path=/nixos/branches/modular-nixos/; revision=15726
2009-05-25 15:36:57 +00:00
Eelco Dolstra
a65aae0140 * Moved more modules.
svn path=/nixos/branches/modular-nixos/; revision=15722
2009-05-25 13:42:46 +00:00