a3c7dcd88d
Fixes the default for tools like chpasswd, chgpasswd and gpasswd. Closes: #230880
131 lines
3.9 KiB
Nix
131 lines
3.9 KiB
Nix
# Configuration for the pwdutils suite of tools: passwd, useradd, etc.
|
|
|
|
{ config, lib, utils, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
/*
|
|
There are three different sources for user/group id ranges, each of which gets
|
|
used by different programs:
|
|
- The login.defs file, used by the useradd, groupadd and newusers commands
|
|
- The update-users-groups.pl file, used by NixOS in the activation phase to
|
|
decide on which ids to use for declaratively defined users without a static
|
|
id
|
|
- Systemd compile time options -Dsystem-uid-max= and -Dsystem-gid-max=, used
|
|
by systemd for features like ConditionUser=@system and systemd-sysusers
|
|
*/
|
|
loginDefs =
|
|
''
|
|
DEFAULT_HOME yes
|
|
|
|
SYS_UID_MIN 400
|
|
SYS_UID_MAX 999
|
|
UID_MIN 1000
|
|
UID_MAX 29999
|
|
|
|
SYS_GID_MIN 400
|
|
SYS_GID_MAX 999
|
|
GID_MIN 1000
|
|
GID_MAX 29999
|
|
|
|
TTYGROUP tty
|
|
TTYPERM 0620
|
|
|
|
# Ensure privacy for newly created home directories.
|
|
UMASK 077
|
|
|
|
# Uncomment this and install chfn SUID to allow non-root
|
|
# users to change their account GECOS information.
|
|
# This should be made configurable.
|
|
#CHFN_RESTRICT frwh
|
|
|
|
# The default crypt() method, keep in sync with the PAM default
|
|
ENCRYPT_METHOD YESCRYPT
|
|
'';
|
|
|
|
mkSetuidRoot = source:
|
|
{ setuid = true;
|
|
owner = "root";
|
|
group = "root";
|
|
inherit source;
|
|
};
|
|
|
|
in
|
|
|
|
{
|
|
|
|
###### interface
|
|
|
|
options = {
|
|
|
|
users.defaultUserShell = lib.mkOption {
|
|
description = lib.mdDoc ''
|
|
This option defines the default shell assigned to user
|
|
accounts. This can be either a full system path or a shell package.
|
|
|
|
This must not be a store path, since the path is
|
|
used outside the store (in particular in /etc/passwd).
|
|
'';
|
|
example = literalExpression "pkgs.zsh";
|
|
type = types.either types.path types.shellPackage;
|
|
};
|
|
|
|
};
|
|
|
|
|
|
###### implementation
|
|
|
|
config = {
|
|
|
|
environment.systemPackages =
|
|
lib.optional config.users.mutableUsers pkgs.shadow ++
|
|
lib.optional (types.shellPackage.check config.users.defaultUserShell)
|
|
config.users.defaultUserShell;
|
|
|
|
environment.etc =
|
|
{ # /etc/login.defs: global configuration for pwdutils. You
|
|
# cannot login without it!
|
|
"login.defs".source = pkgs.writeText "login.defs" loginDefs;
|
|
|
|
# /etc/default/useradd: configuration for useradd.
|
|
"default/useradd".source = pkgs.writeText "useradd"
|
|
''
|
|
GROUP=100
|
|
HOME=/home
|
|
SHELL=${utils.toShellPath config.users.defaultUserShell}
|
|
'';
|
|
};
|
|
|
|
security.pam.services =
|
|
{ chsh = { rootOK = true; };
|
|
chfn = { rootOK = true; };
|
|
su = { rootOK = true; forwardXAuth = true; logFailures = true; };
|
|
passwd = {};
|
|
# Note: useradd, groupadd etc. aren't setuid root, so it
|
|
# doesn't really matter what the PAM config says as long as it
|
|
# lets root in.
|
|
useradd = { rootOK = true; };
|
|
usermod = { rootOK = true; };
|
|
userdel = { rootOK = true; };
|
|
groupadd = { rootOK = true; };
|
|
groupmod = { rootOK = true; };
|
|
groupmems = { rootOK = true; };
|
|
groupdel = { rootOK = true; };
|
|
login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; };
|
|
chpasswd = { rootOK = true; };
|
|
};
|
|
|
|
security.wrappers = {
|
|
su = mkSetuidRoot "${pkgs.shadow.su}/bin/su";
|
|
sg = mkSetuidRoot "${pkgs.shadow.out}/bin/sg";
|
|
newgrp = mkSetuidRoot "${pkgs.shadow.out}/bin/newgrp";
|
|
newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap";
|
|
newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap";
|
|
} // lib.optionalAttrs config.users.mutableUsers {
|
|
chsh = mkSetuidRoot "${pkgs.shadow.out}/bin/chsh";
|
|
passwd = mkSetuidRoot "${pkgs.shadow.out}/bin/passwd";
|
|
};
|
|
};
|
|
}
|