author | Janne Heß <janne@hess.ooo> | 2022-05-23 12:27:49 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-05-23 12:27:49 +0200 |
commit | e9bdd5fa74bcbae7d0b587bc4c12d2353fd92611 (patch) | |
tree | 5ade524a8dc5ea62fbaa01a069495de738b72046 /nixos | |
parent | 855dee370a8429b4566694a65a96ba44e1368f64 (diff) | |
parent | 572ff94f55b8dc9ee230212df72c2d40beefc73e (diff) | |
Merge pull request #168168 from fedeinthemix/home-mode
nixos/users-group: Add 'homeMode' option.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/update-users-groups.pl | 6 | ||||
-rw-r--r-- | nixos/modules/config/users-groups.nix | 9 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/user-home-mode.nix | 27 |
4 files changed, 39 insertions, 4 deletions
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl
index 26ce561013b..5a21cb45d52 100644
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -223,10 +223,10 @@ foreach my $u (@{$spec->{users}}) {
 }
 # Ensure home directory incl. ownership and permissions.
- if ($u->{createHome}) {
- make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home} and ! $is_dry;
+ if ($u->{createHome} and !$is_dry) {
+ make_path($u->{home}, { mode => oct($u->{homeMode}) }) if ! -e $u->{home};
 chown $u->{uid}, $u->{gid}, $u->{home};
- chmod 0700, $u->{home};
+ chmod oct($u->{homeMode}), $u->{home};
 }
 if (defined $u->{passwordFile}) {
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 9b0b4935b98..d3bdf218c33 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -139,6 +139,12 @@ let
 description = "The user's home directory.";
 };
+ homeMode = mkOption {
+ type = types.strMatching "[0-7]{1,5}";
+ default = "700";
+ description = "The user's home directory mode in numeric format. See chmod(1). The mode is only applied if <option>users.users.<name>.createHome</option> is true.";
+ };
+
 cryptHomeLuks = mkOption {
 type = with types; nullOr str;
 default = null;
@@ -319,6 +325,7 @@ let
 group = mkDefault "users";
 createHome = mkDefault true;
 home = mkDefault "/home/${config.name}";
+ homeMode = mkDefault "700";
 useDefaultShell = mkDefault true;
 isSystemUser = mkDefault false;
 })
@@ -430,7 +437,7 @@ let
 inherit (cfg) mutableUsers;
 users = mapAttrsToList (_: u:
 { inherit (u)
- name uid group description home createHome isSystemUser
+ name uid group description home homeMode createHome isSystemUser
 password passwordFile hashedPassword
 autoSubUidGidRange subUidRanges subGidRanges
 initialPassword initialHashedPassword;
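Review bot: Passing `oct($u->{homeMode})` to `make_path` applies the configured mode (less the umask) to every missing parent directory as well, not just the home itself. The leaf is chmod'ed explicitly two lines later anyway, and the parents are not chowned here, so a four-digit value would also put setuid/setgid/sticky bits on them. If that is not intended, keep creation fixed with `make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};` and let the explicit `chmod` set the final mode. The results of `chown` and `chmod` are also unchecked, so a failure silently leaves the directory with whatever mode it had; `chmod(oct($u->{homeMode}), $u->{home}) or warn "chmod $u->{home}: $!\n";` would surface it. The `foreach` body starts and ends outside this hunk.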
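Review bot: The pattern `[0-7]{1,5}` on `homeMode` is looser than a chmod mode needs: a one-digit value such as `"7"` becomes mode 0007 after `oct()` in update-users-groups.pl, and five digits go beyond the 07777 permission bits. `type = types.strMatching "[0-7]{3,4}";` would keep three-digit modes and the setuid/setgid/sticky prefix while rejecting the rest at evaluation time. The description could also say that any mode wider than the default `700` opens the home directory to group or other users. Judging by the unconditional `chmod` in the Perl hunk, the mode appears to be re-applied to an existing directory rather than only at creation, which is worth documenting too.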
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 0de71030c4f..f4b6ee73562 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -580,6 +580,7 @@ in
 uptermd = handleTest ./uptermd.nix {};
 usbguard = handleTest ./usbguard.nix {};
 user-activation-scripts = handleTest ./user-activation-scripts.nix {};
+ user-home-mode = handleTest ./user-home-mode.nix {};
 uwsgi = handleTest ./uwsgi.nix {};
 v2ray = handleTest ./v2ray.nix {};
 vault = handleTest ./vault.nix {};
diff --git a/nixos/tests/user-home-mode.nix b/nixos/tests/user-home-mode.nix
new file mode 100644
index 00000000000..1366d102a99
--- /dev/null
+++ b/nixos/tests/user-home-mode.nix
@@ -0,0 +1,27 @@
+import ./make-test-python.nix ({ lib, ... }: {
+ name = "user-home-mode";
+ meta = with lib.maintainers; { maintainers = [ fbeffa ]; };
+
+ nodes.machine = {
+ users.users.alice = {
+ initialPassword = "pass1";
+ isNormalUser = true;
+ };
+ users.users.bob = {
+ initialPassword = "pass2";
+ isNormalUser = true;
+ homeMode = "750";
+ };
+ };
+
+ testScript = ''
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_for_unit("getty@tty1.service")
+ machine.wait_until_tty_matches(1, "login: ")
+ machine.send_chars("alice\n")
+ machine.wait_until_tty_matches(1, "Password: ")
+ machine.send_chars("pass1\n")
+ machine.succeed('[ "$(stat -c %a /home/alice)" == "700" ]')
+ machine.succeed('[ "$(stat -c %a /home/bob)" == "750" ]')
+ '';
+}) |
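Review bot: The two `stat` assertions in `testScript` check only the leaf mode on first creation, so a regression in ownership would pass unnoticed. Asserting owner and mode together would cover it, e.g. `machine.succeed('[ "$(stat -c "%U %a" /home/bob)" == "bob 750" ]')`. A case where the home already exists with a different mode would also pin the re-apply behaviour of the activation script. The tty login as alice does not look necessary for the `stat` calls, which presumably run through the test driver's root shell; a short comment saying why it is there (or dropping it) would help.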