diff options
author | Bjørn Forsman <bjorn.forsman@gmail.com> | 2023-10-01 11:01:02 +0200 |
---|---|---|
committer | Bjørn Forsman <bjorn.forsman@gmail.com> | 2023-10-06 19:33:01 +0200 |
commit | fa8ace36188cd0c3c0a8e865785cd79788d523ee (patch) | |
tree | 16de20b690065289ce269f75d569522f1908e9d3 /nixos | |
parent | b64632d21ab648f786633b2f8c85c5a0e4a6dfca (diff) | |
download | nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.gz nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.bz2 nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.lz nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.xz nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.tar.zst nixpkgs-fa8ace36188cd0c3c0a8e865785cd79788d523ee.zip |
nixos: don't implicitly map missing user groups to `nogroup`
Before: `users.users.user1.group = "group-not-defined-anywhere-else"` would result in user1 having the primary group `nogroup`, assigned at activation time and only with a (easy to miss) warning from the activation script. This behaviour is a security issue becase no files should be owned by `nogroup` and it allows for unrelated users (and services) to accidentally have access to files they shouldn't have. After: The configuration above results in this eval error: - The following users have a primary group that is undefined: user1 Hint: Add this to your NixOS config: users.groups.group-not-defined-anywhere-else = {};
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/users-groups.nix | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 785084209b0..f11a1f82fc2 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -449,6 +449,8 @@ let gidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) cfg.groups) "gid"; sdInitrdUidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) config.boot.initrd.systemd.users) "uid"; sdInitrdGidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) config.boot.initrd.systemd.groups) "gid"; + groupNames = lib.mapAttrsToList (n: g: g.name) cfg.groups; + usersWithoutExistingGroup = lib.filterAttrs (n: u: !lib.elem u.group groupNames) cfg.users; spec = pkgs.writeText "users-groups.json" (builtins.toJSON { inherit (cfg) mutableUsers; @@ -750,6 +752,18 @@ in { { assertion = !cfg.enforceIdUniqueness || (sdInitrdUidsAreUnique && sdInitrdGidsAreUnique); message = "systemd initrd UIDs and GIDs must be unique!"; } + { assertion = usersWithoutExistingGroup == {}; + message = + let + errUsers = lib.attrNames usersWithoutExistingGroup; + missingGroups = lib.unique (lib.mapAttrsToList (n: u: u.group) usersWithoutExistingGroup); + mkConfigHint = group: "users.groups.${group} = {};"; + in '' + The following users have a primary group that is undefined: ${lib.concatStringsSep " " errUsers} + Hint: Add this to your NixOS configuration: + ${lib.concatStringsSep "\n " (map mkConfigHint missingGroups)} + ''; + } { # If mutableUsers is false, to prevent users creating a # configuration that locks them out of the system, ensure that # there is at least one "privileged" account that has a |