nixos/users:added users.allowLoginless

Correct the assertion logic

Fixed indentation

Better wording od allowLoginless' description

Co-authored-by: Eelco Dolstra <edolstra@gmail.com>

Better formatting

Co-authored-by: Eelco Dolstra <edolstra@gmail.com>

allowLoginless -> allowNoPasswordLogin

Clarified users.allowNoPasswordLogin's  description

Clarified assertion expression

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>

Reworded the assertion message to guide users to the safer alternative
Pasquale
2019-11-09 11:52:35 +01:00
parent 0ab30f0ddc
commit 07abf6942f


@@ -449,16 +449,10 @@ in {
imports = [ imports = [
(mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ]) (mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ])
(mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ]) (mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ])
(mkChangedOptionModule (mkRenamedOptionModule ["security" "initialRootPassword"] ["users" "users" "root" "initialHashedPassword"])
[ "security" "initialRootPassword" ]
[ "users" "users" "root" "initialHashedPassword" ]
(cfg: if cfg.security.initialRootPassword == "!"
then null
else cfg.security.initialRootPassword))
]; ];
###### interface ###### interface
options = { options = {
users.mutableUsers = mkOption { users.mutableUsers = mkOption {
@@ -526,6 +520,17 @@ in {
''; '';
}; };
users.allowNoPasswordLogin = mkOption {
type = types.bool;
default = false;
description = ''
Disable checking that at least the <literal>root</literal> user or a user in the <literal>wheel</literal> group can log in using
a password or an SSH key.
WARNING: enabling this can lock you out of your system. Enable this only if you know what are you doing.
'';
};
}; };
@@ -540,6 +545,7 @@ in {
home = "/root"; home = "/root";
shell = mkDefault cfg.defaultUserShell; shell = mkDefault cfg.defaultUserShell;
group = "root"; group = "root";
initialHashedPassword = mkDefault "!";
}; };
nobody = { nobody = {
uid = ids.uids.nobody; uid = ids.uids.nobody;
@@ -616,9 +622,11 @@ in {
# there is at least one "privileged" account that has a # there is at least one "privileged" account that has a
# password or an SSH authorized key. Privileged accounts are # password or an SSH authorized key. Privileged accounts are
# root and users in the wheel group. # root and users in the wheel group.
assertion = !cfg.mutableUsers -> # The check does not apply when users.disableLoginPossibilityAssertion
any id ((mapAttrsToList (_: cfg: # The check does not apply when users.mutableUsers
(cfg.name == "root" assertion = !cfg.mutableUsers -> !cfg.allowNoPasswordLogin ->
any id (mapAttrsToList (name: cfg:
(name == "root"
|| cfg.group == "wheel" || cfg.group == "wheel"
|| elem "wheel" cfg.extraGroups) || elem "wheel" cfg.extraGroups)
&& &&
@@ -629,10 +637,14 @@ in {
|| cfg.openssh.authorizedKeys.keyFiles != []) || cfg.openssh.authorizedKeys.keyFiles != [])
) cfg.users) ++ [ ) cfg.users) ++ [
config.security.googleOsLogin.enable config.security.googleOsLogin.enable
]); ];
message = '' message = ''
Neither the root account nor any wheel user has a password or SSH authorized key. Neither the root account nor any wheel user has a password or SSH authorized key.
You must set one to prevent being locked out of your system.''; You must set one to prevent being locked out of your system.
If you really want to be locked out of your system, set users.allowNoPasswordLogin = true;
However you are most probably better off by setting users.mutableUsers = true; and
manually running passwd root to set the root password.
'';
} }
] ++ flatten (flip mapAttrsToList cfg.users (name: user: ] ++ flatten (flip mapAttrsToList cfg.users (name: user:
[ [
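Review bot: The two comment lines added directly above the assertion still refer to `users.disableLoginPossibilityAssertion`, a name that no longer exists after the rename to `users.allowNoPasswordLogin` recorded in the commit message, so the comment now documents an option nobody can set; replace both lines with `# The check is skipped when users.mutableUsers or users.allowNoPasswordLogin is set.` The option description in the earlier hunk also reads "if you know what are you doing", which should be "if you know what you are doing". Since root now gets `initialHashedPassword = mkDefault "!"`, it would be worth stating in that description that the root account stays locked unless a password or SSH key is configured, which is exactly the lock-out this assertion guards against. The enclosing `assertions` list continues outside the hunk.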