diff options
| author | Bjørn Forsman <bjorn.forsman@gmail.com> | 2023-10-01 11:01:02 +0200 |
|---|---|---|
| committer | Bjørn Forsman <bjorn.forsman@gmail.com> | 2023-10-06 19:33:01 +0200 |
| commit | fa8ace36188cd0c3c0a8e865785cd79788d523ee (patch) | |
| tree | 16de20b690065289ce269f75d569522f1908e9d3 /flake.nix | |
| parent | b64632d21ab648f786633b2f8c85c5a0e4a6dfca (diff) | |
| download | nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.gz nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.bz2 nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.lz nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.xz nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.zst nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.zip | |
nixos: don't implicitly map missing user groups to `nogroup`
Before: `users.users.user1.group = "group-not-defined-anywhere-else"`
would result in user1 having the primary group `nogroup`, assigned at
activation time and only with a (easy to miss) warning from the
activation script. This behaviour is a security issue becase no files
should be owned by `nogroup` and it allows for unrelated users (and
services) to accidentally have access to files they shouldn't have.
After: The configuration above results in this eval error:
- The following users have a primary group that is undefined: user1
Hint: Add this to your NixOS config:
users.groups.group-not-defined-anywhere-else = {};
Diffstat (limited to 'flake.nix')
0 files changed, 0 insertions, 0 deletions