summary refs log tree commit diff
diff options
context:
space:
mode:
authorNikolay Amiantov <ab@fmap.me>2022-01-05 13:20:47 +0300
committerNikolay Amiantov <ab@fmap.me>2022-01-09 09:43:55 +0300
commitf2c5970a7654c8fed9ba13f70071c29161d80c7c (patch)
treed5c68ce8a21f5f5f13646431e85d5d2b7a564859
parent95e4f1eff7d887c866241e82aa5bf27e7e237c1a (diff)
downloadnixpkgs-f2c5970a7654c8fed9ba13f70071c29161d80c7c.tar
nixpkgs-f2c5970a7654c8fed9ba13f70071c29161d80c7c.tar.gz
nixpkgs-f2c5970a7654c8fed9ba13f70071c29161d80c7c.tar.bz2
nixpkgs-f2c5970a7654c8fed9ba13f70071c29161d80c7c.tar.lz
nixpkgs-f2c5970a7654c8fed9ba13f70071c29161d80c7c.tar.xz
nixpkgs-f2c5970a7654c8fed9ba13f70071c29161d80c7c.tar.zst
nixpkgs-f2c5970a7654c8fed9ba13f70071c29161d80c7c.zip
users-groups service: add autoSubUidGidRange option
Previously we allocated subuids automatically for all normal users.
Make this explicitly configurable, so that one can use this for system
users too (or explicitly disable for normal users). Also don't allocate
automatically by default if a user already has ranges specified statically.
Diffstat
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2205.section.xml9
-rw-r--r--nixos/doc/manual/release-notes/rl-2205.section.md2
-rw-r--r--nixos/modules/config/update-users-groups.pl2
-rw-r--r--nixos/modules/config/users-groups.nix15
4 files changed, 26 insertions, 2 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index fde5eec857b..c389d19de14 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -228,6 +228,15 @@
           to your configuration.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          Normal users (with <literal>isNormalUser = true</literal>)
+          which have non-empty <literal>subUidRanges</literal> or
+          <literal>subGidRanges</literal> set no longer have additional
+          implicit ranges allocated. To enable automatic allocation back
+          set <literal>autoSubUidGidRange = true</literal>.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-22.05-notable-changes">
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index f8145a1aa9d..c5da4acb87d 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -77,6 +77,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - `documentation.man` has been refactored to support choosing a man implementation other than GNU's `man-db`. For this, `documentation.man.manualPages` has been renamed to `documentation.man.man-db.manualPages`. If you want to use the new alternative man implementation `mandoc`, add `documentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; }` to your configuration.
 
+- Normal users (with `isNormalUser = true`) which have non-empty `subUidRanges` or `subGidRanges` set no longer have additional implicit ranges allocated. To enable automatic allocation back set `autoSubUidGidRange = true`.
+
 ## Other Notable Changes {#sec-release-22.05-notable-changes}
 
 - The option [services.redis.servers](#opt-services.redis.servers) was added
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl
index 232f886789d..26ce561013b 100644
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -351,7 +351,7 @@ foreach my $u (values %usersOut) {
         push @subGids, $value;
     }
 
-    if($u->{isNormalUser}) {
+    if($u->{autoSubUidGidRange}) {
         my $subordinate = allocSubUid($name);
         $subUidMap->{$name} = $subordinate;
         my $value = join(":", ($name, $subordinate, 65536));
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index a34d2814341..2470d8b5bfe 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -204,6 +204,16 @@ let
         '';
       };
 
+      autoSubUidGidRange = mkOption {
+        type = types.bool;
+        default = false;
+        example = true;
+        description = ''
+          Automatically allocate subordinate user and group ids for this user.
+          Allocated range is currently always of size 65536.
+        '';
+      };
+
       createHome = mkOption {
         type = types.bool;
         default = false;
@@ -320,6 +330,9 @@ let
         (mkIf (!cfg.mutableUsers && config.initialHashedPassword != null) {
           hashedPassword = mkDefault config.initialHashedPassword;
         })
+        (mkIf (config.isNormalUser && config.subUidRanges == [] && config.subGidRanges == []) {
+          autoSubUidGidRange = mkDefault true;
+        })
       ];
 
   };
@@ -419,7 +432,7 @@ let
       { inherit (u)
           name uid group description home createHome isSystemUser
           password passwordFile hashedPassword
-          isNormalUser subUidRanges subGidRanges
+          autoSubUidGidRange subUidRanges subGidRanges
           initialPassword initialHashedPassword;
         shell = utils.toShellPath u.shell;
       }) cfg.users;
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-18 14:14:25 +0000