diff options
| -rw-r--r-- | lib/maintainers.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/security/pam.nix | 23 | ||||
| -rw-r--r-- | nixos/modules/services/x11/display-managers/gdm.nix | 23 | ||||
| -rw-r--r-- | pkgs/tools/security/ecryptfs/default.nix | 32 |
4 files changed, 65 insertions, 14 deletions
diff --git a/lib/maintainers.nix b/lib/maintainers.nix index ece8f1041f8..fef535e06d5 100644 --- a/lib/maintainers.nix +++ b/lib/maintainers.nix @@ -131,6 +131,7 @@ notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>"; np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>"; nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>"; + obadz = "obadz <dav-nixos@odav.org>"; ocharles = "Oliver Charles <ollie@ocharles.org.uk>"; offline = "Jaka Hudoklin <jakahudoklin@gmail.com>"; olcai = "Erik Timan <dev@timan.info>"; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index aa8d9224e35..e81278a95d5 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -211,7 +211,9 @@ let ${optionalString cfg.usbAuth "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} ${optionalString cfg.unixAuth - "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"} + "auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"} + ${optionalString config.security.pam.enableEcryptfs + "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} ${optionalString cfg.otpwAuth "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} ${optionalString cfg.oathAuth @@ -223,9 +225,11 @@ let auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass ''} - auth required pam_deny.so + ${optionalString (! config.security.pam.enableEcryptfs) "auth required pam_deny.so"} # Password management. + ${optionalString config.security.pam.enableEcryptfs + "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} password requisite pam_unix.so nullok sha512 ${optionalString config.users.ldap.enable "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"} @@ -245,6 +249,8 @@ let "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022"} ${optionalString cfg.updateWtmp "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"} + ${optionalString config.security.pam.enableEcryptfs + "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} ${optionalString config.users.ldap.enable "session optional ${pam_ldap}/lib/security/pam_ldap.so"} ${optionalString config.krb5.enable @@ -357,6 +363,13 @@ in ''; }; + security.pam.enableEcryptfs = mkOption { + default = false; + description = '' + Enable eCryptfs PAM module (mounting ecryptfs home directory on login). + ''; + }; + users.motd = mkOption { default = null; example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178."; @@ -377,7 +390,11 @@ in ++ optional config.users.ldap.enable pam_ldap ++ optionals config.krb5.enable [pam_krb5 pam_ccreds] ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] - ++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ]; + ++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ] + ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ]; + + security.setuidPrograms = + optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ]; environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services; diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index b3da0cda04a..a7ebafa28b3 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -95,15 +95,23 @@ in auth required pam_succeed_if.so uid >= 1000 quiet auth optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so - auth sufficient pam_unix.so nullok likeauth - auth required pam_deny.so + auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth + ${optionalString config.security.pam.enableEcryptfs + "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} + + ${optionalString (! config.security.pam.enableEcryptfs) + "auth required pam_deny.so"} account sufficient pam_unix.so password requisite pam_unix.so nullok sha512 + ${optionalString config.security.pam.enableEcryptfs + "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} session required pam_env.so envfile=${config.system.build.pamEnvironment} session required pam_unix.so + ${optionalString config.security.pam.enableEcryptfs + "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} session required pam_loginuid.so session optional ${pkgs.systemd}/lib/security/pam_systemd.so session optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start @@ -115,15 +123,22 @@ in auth required pam_succeed_if.so uid >= 1000 quiet auth optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so - auth sufficient pam_unix.so nullok likeauth - auth required pam_deny.so + auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth + ${optionalString config.security.pam.enableEcryptfs + "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} + ${optionalString (! config.security.pam.enableEcryptfs) + "auth required pam_deny.so"} account sufficient pam_unix.so password requisite pam_unix.so nullok sha512 + ${optionalString config.security.pam.enableEcryptfs + "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} session required pam_env.so envfile=${config.system.build.pamEnvironment} session required pam_unix.so + ${optionalString config.security.pam.enableEcryptfs + "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} session required pam_loginuid.so session optional ${pkgs.systemd}/lib/security/pam_systemd.so session optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start diff --git a/pkgs/tools/security/ecryptfs/default.nix b/pkgs/tools/security/ecryptfs/default.nix index 13046aa0b2d..e0f27b5d732 100644 --- a/pkgs/tools/security/ecryptfs/default.nix +++ b/pkgs/tools/security/ecryptfs/default.nix @@ -1,5 +1,5 @@ -{ stdenv, fetchurl, pkgconfig, perl, keyutils, nss, nspr, python, pam -, intltool, makeWrapper, coreutils, gettext, cryptsetup, lvm2, rsync, which }: +{ stdenv, fetchurl, pkgconfig, perl, utillinux, keyutils, nss, nspr, python, pam +, intltool, makeWrapper, coreutils, bash, gettext, cryptsetup, lvm2, rsync, which }: stdenv.mkDerivation { name = "ecryptfs-104"; @@ -9,16 +9,33 @@ stdenv.mkDerivation { sha256 = "0f3lzpjw97vcdqzzgii03j3knd6pgwn1y0lpaaf46iidaiv0282a"; }; + #TODO: replace wrapperDir below with from <nixos> config.security.wrapperDir; + preConfigure = '' + FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)" + for file in $FILES; do + substituteInPlace "$file" \ + --replace /sbin/mount.ecryptfs_private /var/setuid-wrappers/mount.ecryptfs_private \ + --replace /sbin/umount.ecryptfs_private /var/setuid-wrappers/umount.ecryptfs_private \ + --replace /sbin/mount.ecryptfs $out/sbin/mount.ecryptfs \ + --replace /sbin/umount.ecryptfs $out/sbin/umount.ecryptfs \ + --replace /usr/bin/ecryptfs-rewrite-file $out/bin/ecryptfs-rewrite-file \ + --replace /usr/bin/ecryptfs-mount-private $out/bin/ecryptfs-mount-private \ + --replace /usr/bin/ecryptfs-setup-private $out/bin/ecryptfs-setup-private \ + --replace /sbin/cryptsetup ${cryptsetup}/sbin/cryptsetup \ + --replace /sbin/dmsetup ${lvm2}/sbin/dmsetup \ + --replace /bin/mount ${utillinux}/bin/mount \ + --replace /bin/umount ${utillinux}/bin/umount \ + --replace /sbin/unix_chkpwd /var/setuid-wrappers/unix_chkpwd \ + --replace /bin/bash ${bash}/bin/bash + done + ''; + buildInputs = [ pkgconfig perl nss nspr python pam intltool makeWrapper ]; propagatedBuildInputs = [ coreutils gettext cryptsetup lvm2 rsync keyutils which ]; postInstall = '' - FILES="$(grep -r '/bin/sh' $out/bin | sed 's,:.*,,' | uniq)" + FILES="$(grep -r '/bin/sh' $out/bin -l)" for file in $FILES; do - sed -i $file -e "s,\(/sbin/u\?mount.ecryptfs\(_private\)\?\),$out\1," \ - -e "s,\(/sbin/cryptsetup\),${cryptsetup}\1," \ - -e "s,\(/sbin/dmsetup\),${lvm2}\1," \ - -e 's,/sbin/\(unix_chkpwd\),\1,' wrapProgram $file \ --prefix PATH ":" "${coreutils}/bin" \ --prefix PATH ":" "${gettext}/bin" \ @@ -32,6 +49,7 @@ stdenv.mkDerivation { meta = with stdenv.lib; { description = "Enterprise-class stacked cryptographic filesystem"; license = licenses.gpl2Plus; + maintainers = [ lib.maintainers.obadz ]; platforms = platforms.linux; }; } |