author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-05-09 00:04:48 +0200 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-05-09 00:52:02 +0200 |
commit | 4fc151b5a3c749833554379a96bd87676f6c5740 (patch) | |
tree | 14a62675151cc14645867df383ffd7c4a940d177 /nixos | |
parent | 8919d736a034c85eb3e38bc3d9baedcb00356e4e (diff) | |
nixos-install: Ask the user to set a root password
This removes the need to have an initially empty root password.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/installation.xml | 15 | ||||
-rw-r--r-- | nixos/doc/manual/man-nixos-install.xml | 3 | ||||
-rw-r--r-- | nixos/modules/config/users-groups.nix | 8 | ||||
-rw-r--r-- | nixos/modules/installer/tools/nixos-install.sh | 20 | ||||
-rw-r--r-- | nixos/modules/virtualisation/amazon-image.nix | 5 | ||||
-rw-r--r-- | nixos/modules/virtualisation/containers.nix | 1 | ||||
-rw-r--r-- | nixos/modules/virtualisation/google-compute-image.nix | 5 | ||||
-rw-r--r-- | nixos/modules/virtualisation/nixos-container.pl | 1 | ||||
-rw-r--r-- | nixos/modules/virtualisation/virtualbox-image.nix | 5 |
9 files changed, 39 insertions, 24 deletions
diff --git a/nixos/doc/manual/installation.xml b/nixos/doc/manual/installation.xml index dcbb20b19ee..fa4b89e6ba8 100644 --- a/nixos/doc/manual/installation.xml +++ b/nixos/doc/manual/installation.xml @@ -209,7 +209,20 @@ $ nixos-install</screen> a network issue while downloading binaries from the NixOS binary cache), you can just re-run <command>nixos-install</command>. Otherwise, fix your <filename>configuration.nix</filename> and - then re-run <command>nixos-install</command>.</para></listitem> + then re-run <command>nixos-install</command>.</para> + + <para>As the last step, <command>nixos-install</command> will ask + you to set the password for the <literal>root</literal> user, e.g. + +<screen> +setting root password... +Enter new UNIX password: *** +Retype new UNIX password: *** +</screen> + + </para> + + </listitem> <listitem><para>If everything went well: diff --git a/nixos/doc/manual/man-nixos-install.xml b/nixos/doc/manual/man-nixos-install.xml index d5157859857..0ebee7d23f9 100644 --- a/nixos/doc/manual/man-nixos-install.xml +++ b/nixos/doc/manual/man-nixos-install.xml @@ -42,6 +42,9 @@ the following steps: and generates a GRUB configuration file that boots into the NixOS configuration just installed.</para></listitem> + <listitem><para>It prompts you for a password for the root + account.</para></listitem> + </itemizedlist> </para> diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 2c37dccd6ce..e7afb518157 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -374,8 +374,8 @@ in { security.initialRootPassword = mkOption { type = types.str; - default = ""; - example = "!"; + default = "!"; + example = ""; description = '' The (hashed) password for the root account set on initial installation. The empty string denotes that root can login 
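Review bot: In nixos/modules/config/users-groups.nix the new `example = "";` for `security.initialRootPassword` shows the one value that the description says lets root log in with an empty password, so the generated option documentation now offers the passwordless setting as the sample to copy. The description calls the option a hashed password, so a hash placeholder would be a safer example, e.g. `example = "<hash produced by mkpasswd -m sha-512>";` (a placeholder, not a real hash). The `mkOption` block starts before this hunk and continues past its end.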
@@ -383,9 +383,9 @@ in { as SSH, or indirectly via <command>su</command> or <command>sudo</command>). The string <literal>!</literal> prevents root from logging in using a password. - Note, setting this option sets + Note that setting this option sets <literal>users.extraUsers.root.hashedPassword</literal>. - Note, if <literal>users.mutableUsers</literal> is false + Also, if <literal>users.mutableUsers</literal> is false you cannot change the root password manually, so in that case the name of this option is a bit misleading, since it will define the root password beyond the user initialisation phase. diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 1b481d4c65f..e708521c93f 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -73,16 +73,18 @@ fi # Mount some stuff in the target root directory. We bind-mount /etc # into the chroot because we need networking and the nixbld user # accounts in /etc/passwd. But we do need the target's /etc/nixos. -mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc +mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run mkdir -m 01777 -p $mountPoint/tmp mkdir -m 0755 -p $mountPoint/tmp/root -mkdir -m 0755 -p $mountPoint/var +mkdir -m 0755 -p $mountPoint/var/setuid-wrappers mount --rbind /dev $mountPoint/dev mount --rbind /proc $mountPoint/proc mount --rbind /sys $mountPoint/sys mount --rbind / $mountPoint/tmp/root mount --bind /etc $mountPoint/etc mount --bind $mountPoint/tmp/root/$mountPoint/etc/nixos $mountPoint/etc/nixos +mount -t tmpfs -o "mode=0755" none $mountPoint/run +mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers # Create the necessary Nix directories on the target device, if they 
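Review bot: The two added `mount -t tmpfs` lines in nixos-install.sh are unconditional, and nothing visible in this commit unmounts them. The manual text in this same commit tells users to re-run `nixos-install` after a failure, so each re-run appears to stack another tmpfs on `$mountPoint/run` and `$mountPoint/var/setuid-wrappers`. Guarding each mount keeps re-runs idempotent, e.g. `mountpoint -q "$mountPoint/run" || mount -t tmpfs -o "mode=0755" none "$mountPoint/run"`, and quoting `$mountPoint` also covers target paths that contain spaces. The rest of the script, including any cleanup it may do, is outside this hunk, so confirm whether an unmount already exists.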
@@ -215,3 +217,17 @@ touch $mountPoint/etc/NIXOS echo "finalising the installation..." NIXOS_INSTALL_GRUB=1 chroot $mountPoint \ /nix/var/nix/profiles/system/bin/switch-to-configuration boot + + +# Run the activation script. +chroot $mountPoint /nix/var/nix/profiles/system/activate + + +# Ask the user to set a root password. +if [ -t 0 ] ; then + echo "setting root password..." + chroot $mountPoint passwd +fi + + +echo "installation finished!" diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix index 18b18dd4b23..8ce89c09b24 100644 --- a/nixos/modules/virtualisation/amazon-image.nix +++ b/nixos/modules/virtualisation/amazon-image.nix @@ -160,9 +160,4 @@ with lib; environment.systemPackages = [ pkgs.cryptsetup ]; boot.initrd.supportedFilesystems = [ "unionfs-fuse" ]; - - # Prevent logging in as root without a password. This doesn't really matter, - # since the only PAM services that allow logging in with a null - # password are local ones that are inaccessible on EC2 machines. - security.initialRootPassword = mkDefault "!"; } diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index a0238277f5d..d0d04d9a1e5 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -117,7 +117,6 @@ in modules = let extraConfig = { boot.isContainer = true; - security.initialRootPassword = mkDefault "!"; networking.hostName = mkDefault name; networking.useDHCP = false; }; diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 34b8b0e9c1c..d55b7420243 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix 
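Review bot: In the nixos-install.sh hunk that adds the root password prompt, the step is skipped silently when stdin is not a terminal, and the exit status of `chroot $mountPoint passwd` is never reported. With the new default of `"!"` for `security.initialRootPassword`, a scripted install or a failed `passwd` run still ends with "installation finished!" while root has no usable password, which the operator may only notice at the first login attempt. I would warn on both paths so the outcome is explicit, and quote `$mountPoint`. Whether the script runs under `set -e` is not visible here; if it does, a failed `passwd` would abort the install at the very end instead, which is worth checking too.

```shell
# … unchanged: switch-to-configuration boot and the activation script …

# Ask the user to set a root password.
if [ -t 0 ]; then
    echo "setting root password..."
    if ! chroot "$mountPoint" passwd; then
        echo "warning: root password was not set; root keeps the value of security.initialRootPassword" >&2
    fi
else
    echo "warning: stdin is not a terminal, skipping the root password prompt; root keeps the value of security.initialRootPassword" >&2
fi

# … unchanged: final "installation finished!" message …
```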
@@ -114,11 +114,6 @@ in # Always include cryptsetup so that NixOps can use it. environment.systemPackages = [ pkgs.cryptsetup ]; - # Prevent logging in as root without a password. This doesn't really matter, - # since the only PAM services that allow logging in with a null - # password are local ones that are inaccessible on Google Compute machines. - security.initialRootPassword = mkDefault "!"; - # Configure default metadata hostnames networking.extraHosts = '' 169.254.169.254 metadata.google.internal metadata diff --git a/nixos/modules/virtualisation/nixos-container.pl b/nixos/modules/virtualisation/nixos-container.pl index 8a1e6f927b3..c60662d8d39 100644 --- a/nixos/modules/virtualisation/nixos-container.pl +++ b/nixos/modules/virtualisation/nixos-container.pl @@ -64,7 +64,6 @@ sub writeNixOSConfig { with lib; { boot.isContainer = true; - security.initialRootPassword = mkDefault "!"; networking.hostName = mkDefault "$containerName"; networking.useDHCP = false; $extraConfig diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix index 3247881784e..594b3e93ffe 100644 --- a/nixos/modules/virtualisation/virtualbox-image.nix +++ b/nixos/modules/virtualisation/virtualbox-image.nix @@ -107,9 +107,4 @@ with lib; boot.loader.grub.device = "/dev/sda"; services.virtualbox.enable = true; - - # Prevent logging in as root without a password. For NixOps, we - # don't need this because the user can login via SSH, and for the - # demo images, there is a demo user account that can sudo to root. - security.initialRootPassword = mkDefault "!"; } |