author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2010-06-02 21:10:48 +0000 |
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2010-06-02 21:10:48 +0000 |
commit | c089738bdcff78a3bf75911665301f7a93a73ba9 (patch) | |
tree | 45c310b9a1aca69c316e461ad49c3e6cbecdf2ea /modules/programs | |
parent | 876954d15d541716a95da690d1e9332e818ca613 (diff) | |
* Use the `shadow' package instead of `pwdutils', `pam_login' and
`su'. * The `usermod' from `shadow' allows setting a supplementary group equal to the user's primary group, so the special hack for the `nixbld' group is no longer needed. * Removed /etc/default/passwd since it's not used by the new passwd. The hash is configured in pam_unix. * Move some values for `security.setuidPrograms' and `security.pam.services' to the appropriate modules. svn path=/nixos/trunk/; revision=22107
Diffstat (limited to 'modules/programs')
-rw-r--r-- | modules/programs/pwdutils/login.defs | 8 | ||||
-rw-r--r-- | modules/programs/pwdutils/passwd.conf | 15 | ||||
-rw-r--r-- | modules/programs/pwdutils/pwdutils.nix | 88 |
3 files changed, 58 insertions, 53 deletions
diff --git a/modules/programs/pwdutils/login.defs b/modules/programs/pwdutils/login.defs
index 98610a88ca8..9d789fe7805 100644
--- a/modules/programs/pwdutils/login.defs
+++ b/modules/programs/pwdutils/login.defs
@@ -1,12 +1,12 @@
 DEFAULT_HOME yes
-SYSTEM_UID_MIN 100
-SYSTEM_UID_MAX 499
+SYS_UID_MIN 100
+SYS_UID_MAX 499
 UID_MIN 1000
 UID_MAX 29999
-SYSTEM_GID_MIN 100
-SYSTEM_GID_MAX 499
+SYS_GID_MIN 100
+SYS_GID_MAX 499
 GID_MIN 1000
 GID_MAX 29999
diff --git a/modules/programs/pwdutils/passwd.conf b/modules/programs/pwdutils/passwd.conf
deleted file mode 100644
index 3b10fa350b5..00000000000
--- a/modules/programs/pwdutils/passwd.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# Define default crypt hash
-# CRYPT={des,md5,blowfish}
-CRYPT=des
-
-# for local files, use a more secure hash. We
-# don't need to be portable here:
-CRYPT_FILES=@filesCipher@
-
-# sometimes we need to specify special options for
-# a hash (variable is prepended by the name of the
-# crypt hash).
-BLOWFISH_CRYPT_FILES=10
-
-# For NIS, we should always use DES:
-CRYPT_YP=des
diff --git a/modules/programs/pwdutils/pwdutils.nix b/modules/programs/pwdutils/pwdutils.nix
index a690d7dab3e..cb77a0e4346 100644
--- a/modules/programs/pwdutils/pwdutils.nix
+++ b/modules/programs/pwdutils/pwdutils.nix
@@ -4,6 +4,12 @@ let
+in
+
+{
+
+ ###### interface
+
 options = {
 users.defaultUserShell = pkgs.lib.mkOption {
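Review bot: The login.defs hunk only renames the `SYSTEM_UID_*`/`SYSTEM_GID_*` keys to shadow's `SYS_UID_*`/`SYS_GID_*` spelling, while the deleted `passwd.conf` in the next file section was where the stronger, non-DES hash for local password files used to be selected. The commit message says the hash is now configured in pam_unix, which covers the PAM-aware `passwd` and `login`, but shadow's `login.defs` also has an `ENCRYPT_METHOD` key that, as far as I recall, governs the tools which do not go through PAM (`chpasswd`, `newusers`) and falls back to DES when unset; it may be worth confirming whether that key should be set in this file as well. If the pam_unix configuration is the only intended path, a one-line comment in `login.defs` such as `# Password hash selection lives in the pam_unix configuration, not here.` would make that choice visible to the next reader.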
@@ -19,39 +25,53 @@ let
 };
-in
+
+ ###### implementation
-{
- require = [options];
-
- environment.etc =
- [ { # /etc/login.defs: global configuration for pwdutils. You
- # cannot login without it!
- source = ./login.defs;
- target = "login.defs";
- }
-
- { # /etc/default/passwd: configuration for passwd and friends
- # (e.g., hash algorithm for /etc/passwd).
- source = pkgs.substituteAll {
- src = ./passwd.conf;
- # This depends on pam_unix2 being built with libxcrypt or libc's libcrypt.
- # Only in the first case it will understand 'blowfish'. And pam_unix2
- # is not built with libxcrypt at the time of writing (it did not build)
- filesCipher = if (pkgs.stdenv.system == "armv5tel-linux") then
- "des" else "blowfish";
- };
- target = "default/passwd";
- }
-
- { # /etc/default/useradd: configuration for useradd.
- source = pkgs.writeText "useradd"
- ''
- GROUP=100
- HOME=/home
- SHELL=${config.users.defaultUserShell}
- '';
- target = "default/useradd";
- }
- ];
+ config = {
+
+ environment.systemPackages = [ pkgs.shadow ];
+
+ environment.etc =
+ [ { # /etc/login.defs: global configuration for pwdutils. You
+ # cannot login without it!
+ source = ./login.defs;
+ target = "login.defs";
+ }
+
+ { # /etc/default/useradd: configuration for useradd.
+ source = pkgs.writeText "useradd"
+ ''
+ GROUP=100
+ HOME=/home
+ SHELL=${config.users.defaultUserShell}
+ '';
+ target = "default/useradd";
+ }
+ ];
+
+ security.pam.services =
+ [ { name = "chsh"; rootOK = true; }
+ { name = "chfn"; rootOK = true; }
+ { name = "su"; rootOK = true; forwardXAuth = true; }
+ { name = "passwd"; }
+ # Note: useradd, groupadd etc. aren't setuid root, so it
+ # doesn't really matter what the PAM config says as long as it
+ # lets root in.
+ { name = "useradd"; rootOK = true; }
+ { name = "usermod"; rootOK = true; }
+ { name = "userdel"; rootOK = true; }
+ { name = "groupadd"; rootOK = true; }
+ { name = "groupmod"; rootOK = true; }
+ { name = "groupmems"; rootOK = true; }
+ { name = "groupdel"; rootOK = true; }
+ { name = "login"; ownDevices = true; allowNullPassword = true;
+ limits = config.security.pam.loginLimits;
+ }
+ ];
+
+ security.setuidPrograms = [ "passwd" "chfn" "su" ];
+
+ };
+
 }
|
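Review bot: The comment on the new `environment.etc` entry still reads `# /etc/login.defs: global configuration for pwdutils.`, although this hunk replaces pwdutils with `pkgs.shadow` in `environment.systemPackages`, so the file is now read by shadow's `login`/`useradd` family; suggest `# /etc/login.defs: global configuration for shadow (login, useradd, ...). You cannot login without it!`. The `login` PAM entry sets `allowNullPassword = true` with no why-comment, and since (judging by the option name) that lets accounts with an empty password log in, a one-liner such as `# Deliberately accept empty passwords at login; tighten here if that is not wanted.` would mark it as a policy choice rather than an oversight. Likewise `chsh` gets a `rootOK` PAM service but is absent from `security.setuidPrograms` next to `chfn` and `passwd`; if that is intended, a short comment on the list would save the next reader from treating it as a missing entry. The module's outer attribute set is opened in the preceding hunk, outside this one.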