authorEelco Dolstra <eelco.dolstra@logicblox.com>2010-06-02 21:10:48 +0000
committerEelco Dolstra <eelco.dolstra@logicblox.com>2010-06-02 21:10:48 +0000
commitc089738bdcff78a3bf75911665301f7a93a73ba9 (patch)
tree45c310b9a1aca69c316e461ad49c3e6cbecdf2ea /modules/programs/pwdutils/pwdutils.nix
parent876954d15d541716a95da690d1e9332e818ca613 (diff)
* Use the `shadow' package instead of `pwdutils', `pam_login' and
  `su'.
* The `usermod' from `shadow' allows setting a supplementary group
  equal to the user's primary group, so the special hack for the
  `nixbld' group is no longer needed.
* Removed /etc/default/passwd since it's not used by the new passwd.
  The hash is configured in pam_unix.
* Move some values for `security.setuidPrograms' and
  `security.pam.services' to the appropriate modules.

svn path=/nixos/trunk/; revision=22107
Diffstat (limited to 'modules/programs/pwdutils/pwdutils.nix')
-rw-r--r--modules/programs/pwdutils/pwdutils.nix88
1 files changed, 54 insertions, 34 deletions
diff --git a/modules/programs/pwdutils/pwdutils.nix b/modules/programs/pwdutils/pwdutils.nix
index a690d7dab3e..cb77a0e4346 100644
--- a/modules/programs/pwdutils/pwdutils.nix
+++ b/modules/programs/pwdutils/pwdutils.nix
@@ -4,6 +4,12 @@
 
 let
 
+in
+
+{
+
+  ###### interface
+  
   options = {
 
     users.defaultUserShell = pkgs.lib.mkOption {
@@ -19,39 +25,53 @@ let
   
   };
 
-in
+  
+  ###### implementation
 
-{
-  require = [options];
-
-  environment.etc =
-    [ { # /etc/login.defs: global configuration for pwdutils.  You
-        # cannot login without it! 
-        source = ./login.defs;
-        target = "login.defs";
-      } 
-
-      { # /etc/default/passwd: configuration for passwd and friends
-        # (e.g., hash algorithm for /etc/passwd).
-        source = pkgs.substituteAll {
-          src = ./passwd.conf;
-          # This depends on pam_unix2 being built with libxcrypt or libc's libcrypt.
-          # Only in the first case it will understand 'blowfish'. And pam_unix2
-          # is not built with libxcrypt at the time of writing (it did not build)
-          filesCipher = if (pkgs.stdenv.system == "armv5tel-linux") then
-            "des" else "blowfish";
-        };
-        target = "default/passwd";
-      }
-
-      { # /etc/default/useradd: configuration for useradd.
-        source = pkgs.writeText "useradd"
-          ''
-            GROUP=100
-            HOME=/home
-            SHELL=${config.users.defaultUserShell}
-          '';
-        target = "default/useradd";
-      }
-    ];
+  config = {
+
+    environment.systemPackages = [ pkgs.shadow ];
+
+    environment.etc =
+      [ { # /etc/login.defs: global configuration for pwdutils.  You
+          # cannot login without it! 
+          source = ./login.defs;
+          target = "login.defs";
+        } 
+
+        { # /etc/default/useradd: configuration for useradd.
+          source = pkgs.writeText "useradd"
+            ''
+              GROUP=100
+              HOME=/home
+              SHELL=${config.users.defaultUserShell}
+            '';
+          target = "default/useradd";
+        }
+      ];
+
+    security.pam.services =
+      [ { name = "chsh"; rootOK = true; }
+        { name = "chfn"; rootOK = true; }
+        { name = "su"; rootOK = true; forwardXAuth = true; }
+        { name = "passwd"; }
+        # Note: useradd, groupadd etc. aren't setuid root, so it
+        # doesn't really matter what the PAM config says as long as it
+        # lets root in.
+        { name = "useradd"; rootOK = true; }
+        { name = "usermod"; rootOK = true; }
+        { name = "userdel"; rootOK = true; }
+        { name = "groupadd"; rootOK = true; }
+        { name = "groupmod"; rootOK = true; } 
+        { name = "groupmems"; rootOK = true; }
+        { name = "groupdel"; rootOK = true; }
+        { name = "login"; ownDevices = true; allowNullPassword = true;
+          limits = config.security.pam.loginLimits;
+        }
+      ];
+      
+    security.setuidPrograms = [ "passwd" "chfn" "su" ];
+    
+  };
+  
 }
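Review bot: The comment on the `/etc/login.defs` entry still says "global configuration for pwdutils" although the file is now installed for `pkgs.shadow`; it should read `# /etc/login.defs: global configuration for the shadow tools (login, useradd, ...).  You cannot login without it!`. The `login` PAM service entry is added here with `allowNullPassword = true` and no explanation; if, as the name suggests, this lets accounts with an empty password field log in, a one-line comment stating that this is intentional (and why) would save the next reader from having to trace it back through `security.pam.services`. Since the commit message says the password hash is now configured in pam_unix, it is also worth confirming that the shadow `login.defs` shipped from `./login.defs` does not carry a conflicting hashing setting, which cannot be checked from this hunk.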