author | Thomas Tuegel <ttuegel@gmail.com> | 2014-02-10 08:15:24 -0600 |
---|---|---|
committer | Thomas Tuegel <ttuegel@gmail.com> | 2014-02-10 08:16:22 -0600 |
commit | 3dc6168b317fb3923f2ae073575a8582d01d3ba9 (patch) | |
tree | c6847b315c8d6dac9d6706ff56055f09f6489bf6 /nixos | |
parent | 6a8cc9ab11765d101023076f022e8682d40ad7f0 (diff) | |
Properly escape passwords sent to chpasswd
The mutableUsers feature uses `chpasswd` to set users' passwords. Passwords and their hashes were being piped into the program using double quotes ("") to escape. This causes any `$` characters to be expanded as shell variables. This is a serious problem because all the password hash methods besides DES use multiple `$` in the hashes. Single quotes ('') should be used instead to prevent shell variable expansion.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/users-groups.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index f70e8c292c4..09e7fc53c76 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -411,13 +411,13 @@ in if [ "$setpw" == "yes" ]; then ${if !(isNull u.hashedPassword) then '' - echo "${u.name}:${u.hashedPassword}" | \ + echo '${u.name}:${u.hashedPassword}' | \ ${pkgs.shadow}/sbin/chpasswd -e'' else if u.password == "" then "passwd -d '${u.name}' &>/dev/null" else if !(isNull u.password) then '' - echo "${u.name}:${u.password}" | ${pkgs.shadow}/sbin/chpasswd'' + echo '${u.name}:${u.password}' | ${pkgs.shadow}/sbin/chpasswd'' else if !(isNull u.passwordFile) then '' echo -n "${u.name}:" | cat - "${u.passwordFile}" | \ |
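Review bot: In both changed `echo '...'` lines, a `'` inside `u.password`, `u.hashedPassword` or `u.name` closes the single-quoted string, so the remainder of the value is parsed as shell syntax. Hashes do not normally contain that character, but `u.password` is free-form text, so a password with an apostrophe will at best set the wrong password or fail, and at worst run as commands in the activation script. Instead of wrapping the raw interpolation in quotes, escape the value before interpolating it (replace each `'` with `'\''`, which is what `lib.escapeShellArg` does). Using `printf '%s\n'` rather than `echo` would also avoid any dependence on how the shell's `echo` treats backslashes. The unchanged `passwordFile` branch in the trailing context still interpolates `${u.name}` and `${u.passwordFile}` inside double quotes, so it keeps the expansion problem the commit message describes and deserves the same treatment.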