From fa8ace36188cd0c3c0a8e865785cd79788d523ee Mon Sep 17 00:00:00 2001
From: Bjørn Forsman
Date: Sun, 1 Oct 2023 11:01:02 +0200
Subject: nixos: don't implicitly map missing user groups to `nogroup`

Before: `users.users.user1.group = "group-not-defined-anywhere-else"` would result in user1 having the primary group `nogroup`, assigned at activation time and only with a (easy to miss) warning from the activation script.
This behaviour is a security issue becase no files should be owned by `nogroup` and it allows for unrelated users (and services) to accidentally have access to files they shouldn't have.
After: The configuration above results in this eval error:
- The following users have a primary group that is undefined: user1
Hint: Add this to your NixOS config:
users.groups.group-not-defined-anywhere-else = {};
---
 nixos/modules/config/users-groups.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'nixos/modules/config')

diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 785084209b0..f11a1f82fc2 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -449,6 +449,8 @@ let
   gidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) cfg.groups) "gid";
   sdInitrdUidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) config.boot.initrd.systemd.users) "uid";
   sdInitrdGidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) config.boot.initrd.systemd.groups) "gid";
+  groupNames = lib.mapAttrsToList (n: g: g.name) cfg.groups;
+  usersWithoutExistingGroup = lib.filterAttrs (n: u: !lib.elem u.group groupNames) cfg.users;
   spec = pkgs.writeText "users-groups.json" (builtins.toJSON {
     inherit (cfg) mutableUsers;
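Review bot: The two added bindings spell the helpers as `lib.filterAttrs` and `lib.elem`, while the adjacent `gidsAreUnique` and `sdInitrd*` lines in the same `let` call `filterAttrs` unqualified, so the block now mixes both styles; `groupNames = mapAttrsToList (n: g: g.name) cfg.groups;` and `usersWithoutExistingGroup = filterAttrs (n: u: !elem u.group groupNames) cfg.users;` would match the surrounding code. A short why-comment would also help the next reader, e.g. `# compare against g.name, not the attribute name: users.groups.<attr>.name may differ from <attr>`. If `users.users.<name>.group` can still be left at an empty-string default, users that never set it will also land in `usersWithoutExistingGroup` — worth confirming that the assertion message reads sensibly for that case. The enclosing `let` block starts and ends outside the hunk.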
@@ -750,6 +752,18 @@ in {
     { assertion = !cfg.enforceIdUniqueness || (sdInitrdUidsAreUnique && sdInitrdGidsAreUnique);
       message = "systemd initrd UIDs and GIDs must be unique!";
     }
+    { assertion = usersWithoutExistingGroup == {};
+      message =
+        let
+          errUsers = lib.attrNames usersWithoutExistingGroup;
+          missingGroups = lib.unique (lib.mapAttrsToList (n: u: u.group) usersWithoutExistingGroup);
+          mkConfigHint = group: "users.groups.${group} = {};";
+        in ''
+          The following users have a primary group that is undefined: ${lib.concatStringsSep " " errUsers}
+          Hint: Add this to your NixOS configuration:
+            ${lib.concatStringsSep "\n " (map mkConfigHint missingGroups)}
+        '';
+    }
     { # If mutableUsers is false, to prevent users creating a
       # configuration that locks them out of the system, ensure that
       # there is at least one "privileged" account that has a
-- 
cgit 1.4.1
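Review bot: `mkConfigHint` interpolates the group name bare into an attribute path, so a name that is not a valid Nix identifier (one containing a dot, or starting with a digit) produces a hint that does not parse when pasted; quoting it, `mkConfigHint = group: ''users.groups."${group}" = {};'';`, yields a valid hint for every name. The assertion only consults groups declared in `users.groups`, so with `users.mutableUsers = true` a primary group that exists in /etc/group but not in the configuration presumably turns from an activation-time warning into an evaluation failure — if that is intended, the commit message should say so explicitly. Since the diffstat shows only this file changed, the activation-script fallback that mapped a missing group to `nogroup` likely still exists at runtime for groups that vanish after evaluation, which may deserve a follow-up. The enclosing assertions list starts and ends outside the hunk.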