author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-09-02 16:09:05 +0200 |
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-09-02 16:17:33 +0200 |
commit | 6e767657951788775451859f1c36d4eb0230581c (patch) | |
tree | d3a3b3f1a9e7f48746b6f446b95451cff6d39797 /nixos/modules/config | |
parent | e70f8c58cc145cc2dd833388a3279988ec5b44d6 (diff) | |
If !cfg.mutableUsers, require a password or SSH authorized key
Fixes https://github.com/NixOS/nixpkgs/issues/7308
Diffstat (limited to 'nixos/modules/config')
-rw-r--r-- | nixos/modules/config/users-groups.nix | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 478f433b431..776c482bf7f 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -216,7 +216,7 @@ let
 exist. If <option>users.mutableUsers</option> is true, the password can be changed subsequently using the <command>passwd</command> command. Otherwise, it's
- equivalent to setting the <option>password</option> option.
+ equivalent to setting the <option>hashedPassword</option> option.
 ${hashedPasswordDescription} '';
@@ -525,6 +525,27 @@ in {
 { assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique); message = "UIDs and GIDs must be unique!"; }
+ { # If mutableUsers is false, to prevent users creating a
+ # configuration that locks them out of the system, ensure that
+ # there is at least one "privileged" account that has a
+ # password or an SSH authorized key. Privileged accounts are
+ # root and users in the wheel group.
+ assertion = !cfg.mutableUsers ->
+ any id (mapAttrsToList (name: cfg:
+ (name == "root"
+ || cfg.group == "wheel"
+ || elem "wheel" cfg.extraGroups)
+ &&
+ ((cfg.hashedPassword != null && cfg.hashedPassword != "!")
+ || cfg.password != null
+ || cfg.passwordFile != null
+ || cfg.openssh.authorizedKeys.keys != []
+ || cfg.openssh.authorizedKeys.keyFiles != [])
+ ) cfg.extraUsers);
+ message = ''
+ Neither the root account nor any wheel user has a password or SSH authorized key.
+ You must set one to prevent being locked out of your system.'';
+ }
 ]; }; |
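Review bot: The lockout guard in the second hunk treats every hash other than `!` as a usable password, so a root account with `hashedPassword = "*"` — which, as far as I recall from shadow(5), is the other conventional "no valid hash, password login disabled" sentinel — satisfies the assertion while still leaving nobody able to log in; consider `((cfg.hashedPassword != null && cfg.hashedPassword != "!" && cfg.hashedPassword != "*")`. Likewise an authorized key only prevents lockout when an SSH daemon is actually running, which the assertion does not check; if the module has that option in scope (presumably `config.services.openssh.enable`), the two `authorizedKeys` arms should be conjoined with it, or the comment should state explicitly that it assumes sshd is enabled. As a point of style, the lambda parameter `cfg` in `mapAttrsToList (name: cfg: …)` shadows the module-level `cfg`, so the comparisons read as if they inspect the global users config rather than one user; `(name: user: …)` would make the body unambiguous. The enclosing `assertions` list begins and ends outside the hunk.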