diff options
| author | Jan Tojnar <jtojnar@gmail.com> | 2020-07-15 09:29:01 +0200 |
|---|---|---|
| committer | Jan Tojnar <jtojnar@gmail.com> | 2020-07-15 09:29:01 +0200 |
| commit | 821dba740e7240d9df3a56072700cdc6b0f2471f (patch) | |
| tree | c1b8cbed4a0824a60b8aa638a74d4fc0f2405cc7 /nixos/modules/config | |
| parent | ac94f1ab7edf19d9de695042f1a804871d81725a (diff) | |
| parent | 5788f7173e9dadaa8b2053fd6bb9406a7a5912e4 (diff) | |
| download | nixpkgs-821dba740e7240d9df3a56072700cdc6b0f2471f.tar nixpkgs-821dba740e7240d9df3a56072700cdc6b0f2471f.tar.gz nixpkgs-821dba740e7240d9df3a56072700cdc6b0f2471f.tar.bz2 nixpkgs-821dba740e7240d9df3a56072700cdc6b0f2471f.tar.lz nixpkgs-821dba740e7240d9df3a56072700cdc6b0f2471f.tar.xz nixpkgs-821dba740e7240d9df3a56072700cdc6b0f2471f.tar.zst nixpkgs-821dba740e7240d9df3a56072700cdc6b0f2471f.zip | |
Merge branch 'staging-next' into staging
Diffstat (limited to 'nixos/modules/config')
| -rw-r--r-- | nixos/modules/config/update-users-groups.pl | 55 | ||||
| -rw-r--r-- | nixos/modules/config/users-groups.nix | 28 |
2 files changed, 59 insertions, 24 deletions
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl index 15e448b787a..e1c7a46e430 100644 --- a/nixos/modules/config/update-users-groups.pl +++ b/nixos/modules/config/update-users-groups.pl @@ -281,3 +281,58 @@ foreach my $u (values %usersOut) { } updateFile("/etc/shadow", \@shadowNew, 0600); + +# Rewrite /etc/subuid & /etc/subgid to include default container mappings + +my $subUidMapFile = "/var/lib/nixos/auto-subuid-map"; +my $subUidMap = -e $subUidMapFile ? decode_json(read_file($subUidMapFile)) : {}; + +my (%subUidsUsed, %subUidsPrevUsed); + +$subUidsPrevUsed{$_} = 1 foreach values %{$subUidMap}; + +sub allocSubUid { + my ($name, @rest) = @_; + + # TODO: No upper bounds? + my ($min, $max, $up) = (100000, 100000 * 100, 1); + my $prevId = $subUidMap->{$name}; + if (defined $prevId && !defined $subUidsUsed{$prevId}) { + $subUidsUsed{$prevId} = 1; + return $prevId; + } + + my $id = allocId(\%subUidsUsed, \%subUidsPrevUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) }); + my $offset = $id - 100000; + my $count = $offset * 65536; + my $subordinate = 100000 + $count; + return $subordinate; +} + +my @subGids; +my @subUids; +foreach my $u (values %usersOut) { + my $name = $u->{name}; + + foreach my $range (@{$u->{subUidRanges}}) { + my $value = join(":", ($name, $range->{startUid}, $range->{count})); + push @subUids, $value; + } + + foreach my $range (@{$u->{subGidRanges}}) { + my $value = join(":", ($name, $range->{startGid}, $range->{count})); + push @subGids, $value; + } + + if($u->{isNormalUser}) { + my $subordinate = allocSubUid($name); + $subUidMap->{$name} = $subordinate; + my $value = join(":", ($name, $subordinate, 65536)); + push @subUids, $value; + push @subGids, $value; + } +} + +updateFile("/etc/subuid", join("\n", @subUids) . "\n"); +updateFile("/etc/subgid", join("\n", @subGids) . "\n"); +updateFile($subUidMapFile, encode_json($subUidMap) . "\n"); diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 12d9be94663..ee64f785f5b 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -375,18 +375,6 @@ let }; }; - mkSubuidEntry = user: concatStrings ( - map (range: "${user.name}:${toString range.startUid}:${toString range.count}\n") - user.subUidRanges); - - subuidFile = concatStrings (map mkSubuidEntry (attrValues cfg.users)); - - mkSubgidEntry = user: concatStrings ( - map (range: "${user.name}:${toString range.startGid}:${toString range.count}\n") - user.subGidRanges); - - subgidFile = concatStrings (map mkSubgidEntry (attrValues cfg.users)); - idsAreUnique = set: idAttr: !(fold (name: args@{ dup, acc }: let id = builtins.toString (builtins.getAttr idAttr (builtins.getAttr name set)); @@ -406,6 +394,7 @@ let { inherit (u) name uid group description home createHome isSystemUser password passwordFile hashedPassword + isNormalUser subUidRanges subGidRanges initialPassword initialHashedPassword; shell = utils.toShellPath u.shell; }) cfg.users; @@ -430,9 +419,9 @@ in { (mkChangedOptionModule [ "security" "initialRootPassword" ] [ "users" "users" "root" "initialHashedPassword" ] - (cfg: if cfg.security.initialHashedPassword == "!" + (cfg: if cfg.security.initialRootPassword == "!" then null - else cfg.security.initialHashedPassword)) + else cfg.security.initialRootPassword)) ]; ###### interface @@ -567,16 +556,7 @@ in { # Install all the user shells environment.systemPackages = systemShells; - environment.etc = { - subuid = { - text = subuidFile; - mode = "0644"; - }; - subgid = { - text = subgidFile; - mode = "0644"; - }; - } // (mapAttrs' (name: { packages, ... }: { + environment.etc = (mapAttrs' (name: { packages, ... }: { name = "profiles/per-user/${name}"; value.source = pkgs.buildEnv { name = "user-environment"; |