diff options
| author | Klemens Nanni <klemens@posteo.de> | 2020-11-22 23:42:02 +0100 |
|---|---|---|
| committer | Andreas Rammhold <andreas@rammhold.de> | 2020-12-16 03:40:29 +0100 |
| commit | 8833983f261c6afa0361465f31c4dbc39c45b386 (patch) | |
| tree | efab8ed7006a9c87c0fedc521d3be5acf6de363b /nixos/doc/manual/release-notes/rl-2103.xml | |
| parent | 5d5e970ce04933576957dfbf99cb7d4c1802c60d (diff) | |
| download | nixpkgs-8833983f261c6afa0361465f31c4dbc39c45b386.tar nixpkgs-8833983f261c6afa0361465f31c4dbc39c45b386.tar.gz nixpkgs-8833983f261c6afa0361465f31c4dbc39c45b386.tar.bz2 nixpkgs-8833983f261c6afa0361465f31c4dbc39c45b386.tar.lz nixpkgs-8833983f261c6afa0361465f31c4dbc39c45b386.tar.xz nixpkgs-8833983f261c6afa0361465f31c4dbc39c45b386.tar.zst nixpkgs-8833983f261c6afa0361465f31c4dbc39c45b386.zip | |
nixos/users-groups: createHome: Ensure HOME permissions, fix description
configuration.nix(1) states
users.extraUsers.<name>.createHome
[...] If [...] the home directory already exists but is not
owned by the user, directory owner and group will be changed to
match the user.
i.e. ownership would change only if the user mismatched; the code
however ignores the owner, it is sufficient to enable `createHome`:
if ($u->{createHome}) {
make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
chown $u->{uid}, $u->{gid}, $u->{home};
}
Furthermore, permissions are ignored on already existing directories and
therefore may allow others to read private data eventually.
Given that createHome already acts as switch to not only create but
effectively own the home directory, manage permissions in the same
manner to ensure the intended default and cover all primary attributes.
Avoid yet another configuration option to have administrators make a
clear and simple choice between securely managing home directories
and optionally defering management to own code (taking care of custom
location, ownership, mode, extended attributes, etc.).
While here, simplify and thereby fix misleading documentation.
Diffstat (limited to 'nixos/doc/manual/release-notes/rl-2103.xml')
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2103.xml | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml index 35c10d3e593..a8f961a06dc 100644 --- a/nixos/doc/manual/release-notes/rl-2103.xml +++ b/nixos/doc/manual/release-notes/rl-2103.xml @@ -409,6 +409,13 @@ been dropped from upstream releases. </para> </listitem> + <listitem> + <para> + <xref linkend="opt-users.users._name_.createHome" /> now always ensures home directory permissions to be <literal>0700</literal>. + Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others. + The option's description was incorrect regarding ownership management and has been simplified greatly. + </para> + </listitem> </itemizedlist> </section> </section> |