diff options
author | Bjørn Forsman <bjorn.forsman@gmail.com> | 2023-10-01 11:01:02 +0200 |
---|---|---|
committer | Bjørn Forsman <bjorn.forsman@gmail.com> | 2023-10-06 19:33:01 +0200 |
commit | fa8ace36188cd0c3c0a8e865785cd79788d523ee (patch) | |
tree | 16de20b690065289ce269f75d569522f1908e9d3 /flake.nix | |
parent | b64632d21ab648f786633b2f8c85c5a0e4a6dfca (diff) | |
download | nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.gz nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.bz2 nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.lz nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.xz nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.zst nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.zip |
nixos: don't implicitly map missing user groups to `nogroup`
Before: `users.users.user1.group = "group-not-defined-anywhere-else"` would result in user1 having the primary group `nogroup`, assigned at activation time and only with a (easy to miss) warning from the activation script. This behaviour is a security issue becase no files should be owned by `nogroup` and it allows for unrelated users (and services) to accidentally have access to files they shouldn't have. After: The configuration above results in this eval error: - The following users have a primary group that is undefined: user1 Hint: Add this to your NixOS config: users.groups.group-not-defined-anywhere-else = {};
Diffstat (limited to 'flake.nix')
0 files changed, 0 insertions, 0 deletions