Commit graph

161 commits

Author SHA1 Message Date
Tobias Geerinckx-Rice
c90eb862fc nixos: prey module: fix option descriptions 2015-09-06 23:50:03 +02:00
Jaka Hudoklin
c7bb64cb97 Merge pull request #7344 from joachifm/apparmor-pam
nixos: add AppArmor PAM support
2015-08-29 18:59:53 +02:00
obadz
172522e153 ecryptfs:
- upgrade 106 -> 108
- fix passphrase rewrapper (password changing should now work fine) as
  discussed on https://bugs.launchpad.net/ecryptfs/+bug/1486470
- add lsof dependency so ecryptfs-migrate-home should work out of the
  box
2015-08-19 12:16:57 +01:00
Joachim Fasting
2e0933787b nixos: add AppArmor PAM support
Enables attaching AppArmor profiles at the user/group level.

This is not intended to be used directly, but as part of a
role-based access control scheme. For now, profile attachment
is 'session optional', but should be changed to 'required' once
a more comprehensive solution is in place.
2015-07-15 12:40:06 +02:00
William A. Kennington III
d605663ae2 Merge branch 'master.upstream' into staging.upstream 2015-07-05 13:06:02 -07:00
Thomas Strobel
7b6f279142 pam_mount module: integrate pam_mount into PAM of NixOS 2015-07-04 23:42:31 +02:00
William A. Kennington III
8e19ac8d7c Merge branch 'master.upstream' into staging.upstream 2015-06-17 11:57:40 -07:00
Eelco Dolstra
6e6a96d42c Some more type cleanup 2015-06-15 18:18:46 +02:00
William A. Kennington III
9d6555dc0a Merge branch 'master.upstream' into staging.upstream 2015-06-06 12:04:42 -07:00
William A. Kennington III
ffd0539eba cacert: store ca-bundle.crt in $out/etc/ssl/certs instead of $out 2015-06-05 13:00:52 -07:00
William A. Kennington III
867d2c5c46 openssl: Remove References to OPENSSL_X509_CERT_FILE 2015-05-31 15:50:51 -07:00
William A. Kennington III
d6cbb061e3 cacert: Build directly from nss instead of our own tarball 2015-05-29 13:52:07 -07:00
Ricardo M. Correia
aa75bb25d8 grsecurity: Update stable and test patches
stable: 3.1-3.14.41-201505072056 -> 3.1-3.14.41-201505101121
test:   3.1-4.0.2-201505072057   -> 3.1-4.0.2-201505101122
2015-05-11 02:45:38 +02:00
Vladimír Čunát
3b9ef2c71b fix "libc}/lib" and similar references
Done mostly without any verification.
I didn't bother with libc}/include, as the path is still correct.
2015-05-05 11:52:08 +02:00
Philip Potter
2216728979 add support for pam_u2f to nixos pam module
This adds support for authenticating using a U2F device such as a
yubikey neo.
2015-05-03 19:22:00 +01:00
Austin Seipp
8d3b8d0dc8 Merge pull request #7149 from joachifm/grsec-gradm-optional
grsecurity module: configure gradm iff RBAC is enabled
2015-04-13 17:11:29 -05:00
Austin Seipp
b86f6a3ed6 Merge pull request #7148 from joachifm/grsec-trivial
grsecurity module: trivial improvements
2015-04-13 17:10:47 -05:00
Nicolas B. Pierron
6de931a0f8 Merge rename.nix changes. 2015-04-03 23:12:12 +02:00
Arseniy Seroka
8592c6c004 Merge pull request #7150 from joachifm/grsec-types
grsecurity module: use types.enum
2015-04-03 16:03:49 +03:00
Joachim Fasting
3e847d512d grsecurity module: configure gradm iff RBAC is enabled 2015-04-03 13:45:57 +02:00
Joachim Fasting
ba93a75724 grsecurity module: use types.enum
Also
- set desktop as default system
- make virtualisationSoftware nullOr
- make virtualisationConfig nullOr
2015-04-03 13:45:45 +02:00
Joachim Fasting
66c4f51046 grsecurity module: simplify assertion 2015-04-03 13:38:32 +02:00
Joachim Fasting
2e88605a91 grsecurity module: remove reference to systemd-sysctl
First, that's not what the service is called, and secondly it's
most likely irrelevant to the user.
2015-04-03 13:38:32 +02:00
Arseniy Seroka
4fa554e32b Merge pull request #7017 from obadz/sg+sudo-g
Ability to switch groups with sg and sudo -g
2015-04-02 02:11:10 +03:00
obadz
be7f104502 sg: add setuid wrapper. (newgrp is a symlink to sg and was already setuid).
sudo: add ability for wheel users to change group (as well as user)
2015-03-30 23:50:45 +01:00
Austin Seipp
3ff22a924f Merge pull request #6871 from joachifm/apparmor-fixups
Apparmor fixups
2015-03-20 15:36:42 -05:00
Joachim Fasting
532337d673 Cleanup AppArmor module
Remove excessive whitespace & comment sections
2015-03-18 12:07:43 +01:00
Austin Seipp
ef95600372 Merge pull request #6771 from joachifm/apparmor-2.9
Apparmor 2.9
2015-03-15 14:16:24 -05:00
Ricardo M. Correia
7c8247a8c5 grsecurity: Update stable and test patches
stable: 3.1-3.14.35-201503071140 -> 3.1-3.14.35-201503092203
test:   3.1-3.18.9-201503071142  -> 3.1-3.19.1-201503122205
2015-03-15 03:49:58 +01:00
Shea Levy
1d62ad4746 modules.nix: Generate the extra argument set from the configuration
This allows for module arguments to be handled modularly, in particular
allowing the nixpkgs module to handle the nixpkgs import internally.
This creates the __internal option namespace, which should only be added
to by the module system itself.
2015-03-12 23:42:57 +01:00
Joachim Fasting
7a9a24a95e Update AppArmor service module
- Use AppArmor 2.9
- Enable PAM support
2015-03-12 11:49:05 +01:00
obadz
e5d4624420 PAM/eCryptfs now able to mount ecryptfs'd home directories on login 2015-03-08 16:03:51 -07:00
lethalman
c97d7819ab Merge pull request #6624 from joachifm/grsec-lock
nixos: grsec-lock service fixes
2015-03-02 18:49:39 +01:00
Joachim Fasting
18320d3b21 nixos: fix grsec-lock requires 2015-03-02 18:39:04 +01:00
Joachim Fasting
ccd6f5a313 nixos: make the grsec-lock unit depend on the path it writes to
The grsec-lock unit fails unless /proc/sys/kernel/grsecurity/grsec_lock
exists and so prevents switching into a new configuration after enabling
grsecurity.sysctl.
2015-03-02 18:39:01 +01:00
Lluís Batlle i Rossell
b26e939111 fix pam (OATH related)
the pam config was wrong.

Issue #6551
2015-02-24 17:52:41 +01:00
Lluís Batlle i Rossell
4e99901961 nixos: Adding OATH in pam.
(cherry picked from commit cb3cba54a1b87c376d0801238cb827eadb18e39e)

Conflicts:
	nixos/modules/security/pam.nix
2015-02-22 15:25:38 +01:00
Eelco Dolstra
5092d625d6 /etc/ssl/certs/ca-bundle.crt -> ca-certificates.crt
Even though there is no "official" standard location, it's better to
stick to what most distros are using.
2015-02-15 19:06:31 +01:00
Eelco Dolstra
75e1b5e317 Provide symlinks to ca-bundle.crt for compat with other distros
There is no "standard" location for the certificate bundle, so many
programs/libraries have various hard-coded default locations that
don't exist on NixOS. To make these more likely to work, provide
some symlinks.
2015-02-15 19:06:31 +01:00
Eelco Dolstra
d2bfb5ceb0 Add options for installing additional root certificates 2015-02-05 18:08:35 +01:00
Ricardo M. Correia
a11dc2f0a3 grsecurity: Add denyUSB option to grsec NixOS module
The option had been added to the grsec build-support code,
but it hadn't been added to the grsec module.

After this commit, grsec module users will be able to change
the default value. It also serves to document that this option
exists and that NixOS will disable it by default.
2015-01-20 19:18:06 +01:00
Luca Bruno
804a958663 pam: add pam_wheel 2015-01-14 18:32:08 +01:00
Shea Levy
cca8bae86e Merge branch 'rngd-fix' of git://github.com/abbradar/nixpkgs 2015-01-08 09:36:29 -05:00
Nikolay Amiantov
dbc0395b2b nixos/rngd: some fixes 2015-01-06 17:27:07 +03:00
Nikolay Amiantov
a164a0b4c5 nixos/fprintd: add service and pam support 2015-01-03 19:50:40 +03:00
Tobias Geerinckx-Rice
c64257b8e5 Fix user-facing typos (mainly in descriptions) 2014-12-30 03:31:03 +01:00
Ricardo M. Correia
1d44322d53 grsecurity: Update stable and test patches
stable: 3.0-3.14.27-201412211908 -> 3.0-3.14.27-201412280859
test:   3.0-3.17.7-201412211910  -> 3.0-3.18.1-201412281149
2014-12-29 03:00:47 +01:00
Eelco Dolstra
89697b0fc1 Improve /etc/sudoers message 2014-12-18 11:51:42 +01:00
wmertens
3cecef15d7 Revert $GIT_SSL_CAINFO removal
Users have an older git in their user environment and it doesn't work without it. We should keep it around for a while.
2014-12-01 23:07:50 +01:00
wmertens
45c1b9147f Merge pull request #5130 from wmertens/git-ssl-env
Let git use $SSL_CERT_FILE
2014-11-27 13:24:08 +01:00
Wout Mertens
72b81cf8bb Remove unnecessary $GIT_SSL_CAINFO from sys env 2014-11-26 00:30:07 +01:00
Ricardo M. Correia
389143d808 grsecurity: Update assertion msg to correct major kernel versions 2014-11-16 18:52:39 +01:00
Mathijs Kwik
f356cee747 sudo: allow adding extra configuration options to the bottom of sudoers
from sudoers (5):
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
2014-11-02 13:27:05 +01:00
Ricardo M. Correia
10348a0f2c grsecurity: Update documentation to mention correct kernels 2014-10-22 16:50:36 +02:00
Eelco Dolstra
bb9ee6a13f Remove some setuid wrappers for non-standard programs 2014-09-05 14:46:36 +02:00
Eelco Dolstra
cd7129a037 Revert "nixos: add setuid wrappers for some networked filesystems' helpers"
This reverts commit 26a4001a98. It
breaks the NFS test:

  http://hydra.nixos.org/build/13943148

Also, having more setuid programs is a bad thing security-wise.
2014-09-05 14:43:11 +02:00
Michael Raskin
419031bcfc Merge pull request #2644 from lethalman/pam_tally
pam: Add logFailures option for adding pam_tally to su
2014-09-02 00:58:30 +04:00
Jan Malakhovski
26a4001a98 nixos: add setuid wrappers for some networked filesystems' helpers
So that `user` mount option would work allowing normal users to mount
and umount stuff marked with it in `fileSystems.<name>.options`.
2014-09-01 10:33:48 +04:00
Jan Malakhovski
8f50d803ef nixos: add support for mkhomedir in PAM 2014-09-01 10:33:48 +04:00
Eelco Dolstra
785ed2b528 Don't silently ignore errors from the activation script 2014-08-15 02:14:34 +02:00
Vladimír Čunát
87c3c0e885 Merge master into #2129
Conflicts (easy, just UID shifted):
	nixos/modules/misc/ids.nix
	nixos/modules/module-list.nix
2014-08-12 19:24:08 +02:00
Eelco Dolstra
36f99a9a82 Set $SSL_CERT_FILE
It's more standard than $OPENSSL_X509_CERT_FILE (which I guess was a
totally unnecessary patch to OpenSSL). Since curl respects
$SSL_CERT_FILE, it's no longer needed to set $CURL_CA_BUNDLE. Git
unfortunately doesn't.
2014-07-28 19:09:32 +02:00
Rastus Vernon
d5daa8ae6f Fix repeated typo
"Can either by" should be "Can either be". There are three occurrences of this mistake, all in descriptions of configuration options.
2014-07-11 23:14:53 -04:00
Jaka Hudoklin
16f801cba9 nixos/pam: make pam_loginuid optional if in container 2014-06-30 11:08:39 +02:00
Austin Seipp
0399c5ee24 grsecurity: update stable/testing kernels, refactoring
This updates the new stable kernel to 3.14, and the new testing kernel
to 3.15.

This also removes the vserver kernel, since it's probably not nearly as
used.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-06-22 22:29:10 -05:00
William A. Kennington III
ef4ea24420 sudo: Always keepVisudo in order to simplify sudo build 2014-06-17 22:41:32 -05:00
Ricardo M. Correia
f8e108c865 nixos.tests.installer: Fix test failures due to network being disabled 2014-06-17 18:41:26 +02:00
Eelco Dolstra
f5055e2ef6 Rename environment.systemVariables -> environment.sessionVariables
This makes it clearer that they're part of PAM sessions.
2014-06-13 17:57:04 +02:00
Eelco Dolstra
8ae659f16c Revert "Revert "Merge #2692: Use pam_env to properly setup system-wide env""
This reverts commit 491c088731.
2014-06-10 13:07:10 +02:00
Eelco Dolstra
491c088731 Revert "Merge #2692: Use pam_env to properly setup system-wide env"
This reverts commit 18a0cdd864.
2014-06-10 13:03:44 +02:00
Vladimír Čunát
18a0cdd864 Merge #2692: Use pam_env to properly setup system-wide env 2014-06-10 11:42:59 +02:00
Michael Raskin
e68a5b265a Enable checking sudoers syntax. Fixes #2850, probably. 2014-06-09 00:54:21 +04:00
Ricardo M. Correia
f0cf8f4140 grsecurity: Fix module evaluation 2014-05-22 20:17:34 +02:00
Austin Seipp
e31f212f6b nixos/duosec: Add an option to allow TCP forwarding
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-20 02:42:38 -05:00
Austin Seipp
67c309fe75 Fix fallout from 4f27ad14
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-18 07:38:13 -05:00
Austin Seipp
4f27ad14a1 grsec: refactor grsecurity packages
This now provides a handful of different grsecurity kernels for slightly
different 'flavors' of packages. This doesn't change the grsecurity
module to use them just yet, however.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:43 -05:00
Austin Seipp
92abc4c610 kernel: enable AppArmor by default
AppArmor only requires a few patches to the 3.2 and 3.4 kernels in order
to work properly (with the minor catch grsecurity -stable includes the
3.2 patches.) This adds them to the kernel builds by default, removes
features.apparmor (since it's always true) and makes it the default MAC
system.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:09 -05:00
Luca Bruno
1d5d7fdee2 pam: Add logFailures option for adding pam_tally to su 2014-05-14 17:54:21 +02:00
Aristid Breitkreuz
204fc0a397 sudo: env_keep TERMINFO for urxvt 2014-05-04 14:42:16 +02:00
Eelco Dolstra
4353220202 polkit: Remove unnecessary restart
There already is a restart trigger that takes care of this.
2014-04-28 23:57:37 +02:00
Eelco Dolstra
379c8ba237 polkit: Restart using systemctl
The use of pkill is now particularly bad due to containers (it might
kill processes in containers).
2014-04-28 12:38:50 +02:00
Alexander Kjeldaas
baf4faeddc Only disable TPM access by rngd when tcsd is enabled. 2014-04-22 14:05:09 +02:00
Alexander Kjeldaas
64311899db Don't let rngd read /dev/tpm0.
Only one process can interact with the TPM module and
that process should be tcsd.  The tpm_rng kernel module
should instead be loaded and /dev/hwrnd be used to
read the TPM random generator.
Also, log which random generator devices are used by
rngd on startup.
2014-04-22 14:05:09 +02:00
Rickard Nilsson
5db9287b7c rtkit: Update from 0.10 to 0.11 2014-04-21 23:22:10 +02:00
Ricardo M. Correia
5d5ca7b260 grsecurity: Update all patches
stable:  3.0-3.2.57-201404131252            -> 3.0-3.2.57-201404182109
test:    3.0-3.13.10-201404141717           -> 3.0-3.14.1-201404201132
vserver: 3.0-3.2.57-vs2.3.2.16-201404131253 -> 3.0-3.2.57-vs2.3.2.16-201404182110
2014-04-21 18:46:41 +02:00
Eelco Dolstra
fa9ed04997 Restart polkit if its configuration may have changed 2014-04-19 14:29:02 +02:00
Eelco Dolstra
9f1c9404da Put /var/setuid-wrappers on a tmpfs
This allows all other filesystems to be mounted without the suid
option.
2014-04-19 12:40:09 +02:00
Eelco Dolstra
fa1a46a01c setuid-wrapper: Fix broken string comparison 2014-04-19 10:58:30 +02:00
Eelco Dolstra
b80e6b27c7 setuid-wrapper: Drop runtime dependency on setuid-wrapper.c 2014-04-19 10:53:17 +02:00
Eelco Dolstra
a8aa9f3fd4 setuid-wrapper.c: Remove tabs 2014-04-19 10:53:05 +02:00
Eelco Dolstra
5378da25a0 Apply pam_loginuid before pam_systemd
As recommended by the pam_systemd manpage.
2014-04-17 11:35:18 +02:00
Austin Seipp
da6bc44dd7 nixos: transmission improvements
This mostly upgrades transmission, and does some very minor touchups on
AppArmor support.

In particular, there is now no need to ever specify the umask as part of
the settings, as it will be mixed in by default (which is essentially
always what you want). Also, the default configuration is now more
sensible: Downloads are put in /var/lib/transmission/Downloads, and
incomplete files are put in /var/lib/transmission/.incomplete - this
also allows easy use of file syncing probrams, like BitTorrent Sync.

Finally, this unconditionally enables the AppArmor profiles for the
daemon, if AppArmor is enabled - rather than letting the user specify
profile support, it's best to default to supporting profiles for daemons
transparently in all places.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 06:54:51 -05:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Bjørn Forsman
6fa1ad04da nixos: extend documentation example for security.setuidOwners
Show that it is possible to set custom permission bits.
2014-04-13 12:31:08 +02:00
Austin Seipp
64efd184ed grsecurity: Fix GRKERNSEC_PROC restrictions
Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit
too strict. It doesn't allow a special group (e.g. the grsecurity group
users) to access /proc information - this requires
GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive.

This was also not in line with the default automatic grsecurity
configuration - it actually defaults to USERGROUP (although it has a
default GID of 1001 instead of ours), not USER.

This introduces a new option restrictProcWithGroup - enabled by default
- which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off
restrictProc by default and makes sure both cannot be enabled.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-12 11:16:05 -05:00
Austin Seipp
172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
Austin Seipp
29d46452dd nixos: add Duo Security module
This module adds the security.duosec attributes, which you can use to
enable simple two-factor authentication for NixOS logins.

The module currently provides PAM and SSH support, although the PAM unix
system configuration isn't automatically dealt with (although the
configuration is automatically built).

Enabling it is as easy as saying:

  security.duosec.ssh.enable = true;
  security.duosec.ikey       = "XXXXXXXX...";
  security.duosec.skey       = "XXXXXXXX...";
  security.duosec.host       = "api-XXXXXXX.duosecurity.com";
  security.duosec.group      = "duosec";

which will enforce two-factor authentication for SSH logins for users in
the 'duosec' group.

This requires uid/gid support in the environment.etc module.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-16 07:11:50 -05:00
Eelco Dolstra
9c616e3bf4 Remove /etc/ca-bundle.crt
Applications should use /etc/ssl/certs/ca-bundle.crt instead.
2014-02-11 17:13:36 +01:00
Eelco Dolstra
bc56bb7546 polkit: Add some examples 2013-11-18 18:04:17 +01:00
Eelco Dolstra
7ea47df0a4 polkit: Fix authenticating as a wheel user
In Javascript-based PolKit, "unix-user:0;unix-group:wheel" is not
valid; it should be a list "unix-user:0", "unix-group:wheel".
2013-11-18 18:04:17 +01:00