From 9fc01af1cc8f9ffe40bf87b96cbafd1810856ea7 Mon Sep 17 00:00:00 2001
From: Federico Beffa
Date: Sun, 10 Apr 2022 21:06:19 +0200
Subject: nixos/users-group: Add 'homeMode' option.
---
 nixos/modules/config/update-users-groups.pl | 2 +-
 nixos/modules/config/users-groups.nix | 9 ++++++++-
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/user-home-mode.nix | 27 +++++++++++++++++++++++++++
 4 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 nixos/tests/user-home-mode.nix
(limited to 'nixos')
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl
index 26ce561013b..6ceb668a595 100644
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -226,7 +226,7 @@ foreach my $u (@{$spec->{users}}) {
 if ($u->{createHome}) {
 make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home} and ! $is_dry;
 chown $u->{uid}, $u->{gid}, $u->{home};
- chmod 0700, $u->{home};
+ chmod oct($u->{homeMode}), $u->{home};
 }
 
 if (defined $u->{passwordFile}) {
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index b0f96c754fa..e9ce9d5e411 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -139,6 +139,12 @@ let
 description = "The user's home directory.";
 };
 
+ homeMode = mkOption {
+ type = types.strMatching "[0-7]{1,5}";
+ default = "700";
+ description = "The user's home directory mode in numeric format. See chmod(1).";
+ };
+
 cryptHomeLuks = mkOption {
 type = with types; nullOr str;
 default = null;
@@ -319,6 +325,7 @@ let
 group = mkDefault "users";
 createHome = mkDefault true;
 home = mkDefault "/home/${config.name}";
+ homeMode = mkDefault "700";
 useDefaultShell = mkDefault true;
 isSystemUser = mkDefault false;
 })
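Review bot: The added `chmod oct($u->{homeMode}), $u->{home};` drops the return value, so when the kernel refuses the mode (a home on a filesystem that does not support it, or a path that has been replaced by something other than a directory) the script carries on and the home silently keeps whatever mode it had, while the surrounding `chown` on the previous line is unchecked in the same way. Making the new call report its failure, `chmod oct($u->{homeMode}), $u->{home} or warn "chmod $u->{home}: $!";`, costs one clause and gives the administrator a visible signal instead of a wrong mode discovered later. Note also that `oct()` accepts any string, so the only guard on `homeMode` is the Nix-side type of the option; the Perl side trusts the generated spec. The enclosing foreach over `$spec->{users}` starts outside the hunk.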
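Review bot: `type = types.strMatching "[0-7]{1,5}";` in the new `homeMode` option accepts five-digit values such as 77777, which is outside the range chmod(1) understands (setuid, setgid, sticky and the three permission triplets fit in four octal digits, 07777), and the Perl side passes `oct()` of the string straight to chmod with no further range check, leaving it to the kernel to drop the excess bits. Tightening the type to `type = types.strMatching "[0-7]{1,4}";` rejects such values at evaluation time, where the error message names the option. The description could also say that the script re-applies the mode each time it runs for users with `createHome`, since the chmod in update-users-groups.pl is unconditional inside that branch, so a manual `chmod` on the home directory does not survive the next run. The same hunk's `default = "700"` and the `homeMode = mkDefault "700"` added further down in the isNormalUser block agree, so the two defaults are consistent.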
@@ -430,7 +437,7 @@ let
 inherit (cfg) mutableUsers;
 users = mapAttrsToList (_: u: {
 inherit (u)
- name uid group description home createHome isSystemUser
+ name uid group description home homeMode createHome isSystemUser
 password passwordFile hashedPassword autoSubUidGidRange
 subUidRanges subGidRanges initialPassword initialHashedPassword;
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index ffccb6b4466..9e206bfcc64 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -556,6 +556,7 @@ in
 upnp = handleTest ./upnp.nix {};
 usbguard = handleTest ./usbguard.nix {};
 user-activation-scripts = handleTest ./user-activation-scripts.nix {};
+ user-home-mode = handleTest ./user-home-mode.nix {};
 uwsgi = handleTest ./uwsgi.nix {};
 v2ray = handleTest ./v2ray.nix {};
 vault = handleTest ./vault.nix {};
diff --git a/nixos/tests/user-home-mode.nix b/nixos/tests/user-home-mode.nix
new file mode 100644
index 00000000000..1366d102a99
--- /dev/null
+++ b/nixos/tests/user-home-mode.nix
@@ -0,0 +1,27 @@
+import ./make-test-python.nix ({ lib, ... }: {
+ name = "user-home-mode";
+ meta = with lib.maintainers; { maintainers = [ fbeffa ]; };
+
+ nodes.machine = {
+ users.users.alice = {
+ initialPassword = "pass1";
+ isNormalUser = true;
+ };
+ users.users.bob = {
+ initialPassword = "pass2";
+ isNormalUser = true;
+ homeMode = "750";
+ };
+ };
+
+ testScript = ''
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_for_unit("getty@tty1.service")
+ machine.wait_until_tty_matches(1, "login: ")
+ machine.send_chars("alice\n")
+ machine.wait_until_tty_matches(1, "Password: ")
+ machine.send_chars("pass1\n")
+ machine.succeed('[ "$(stat -c %a /home/alice)" == "700" ]')
+ machine.succeed('[ "$(stat -c %a /home/bob)" == "750" ]')
+ '';
+})
-- cgit 1.4.1
From 311aa6d05d57fe1e94d16509b8eff43dbd6dbc7d Mon Sep 17 00:00:00 2001
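Review bot: The tty login sequence for alice (the `wait_until_tty_matches` and `send_chars` lines) does not feed either assertion: both `machine.succeed` calls run as root and only compare `stat -c %a`, so the login adds timing sensitivity to the test without checking anything about the user's access to the directory. If the intent is to show that alice can still enter her home with the default mode, add an assertion that runs as alice after the login; otherwise the six login lines can go. The test also leaves ownership unchecked although the same script sets it with chown right before the chmod, and a permissive mode on a root-owned home would pass the current checks; `machine.succeed('[ "$(stat -c %U:%G /home/bob)" == "bob:users" ]')` pins that down, with `users` being the group the isNormalUser defaults assign in users-groups.nix.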
From: Federico Beffa
Date: Sat, 14 May 2022 11:47:48 +0200
Subject: nixos/users-group: Update description of 'homeMode' option.
---
 nixos/modules/config/users-groups.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'nixos')
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index e9ce9d5e411..16e387a44c0 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -142,7 +142,7 @@ let
 homeMode = mkOption {
 type = types.strMatching "[0-7]{1,5}";
 default = "700";
- description = "The user's home directory mode in numeric format. See chmod(1).";
+ description = "The user's home directory mode in numeric format. See chmod(1). The mode is only applied if is true.";
 };
 
 cryptHomeLuks = mkOption {
-- cgit 1.4.1
From 572ff94f55b8dc9ee230212df72c2d40beefc73e Mon Sep 17 00:00:00 2001
From: Federico Beffa
Date: Sat, 21 May 2022 14:18:10 +0200
Subject: nixos/users-group: make homeMode respect is_dry and create home directly with right permissions
---
 nixos/modules/config/update-users-groups.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl
index 6ceb668a595..5a21cb45d52 100644
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -223,8 +223,8 @@ foreach my $u (@{$spec->{users}}) {
 }
 
 # Ensure home directory incl. ownership and permissions.
- if ($u->{createHome}) {
- make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home} and ! $is_dry;
+ if ($u->{createHome} and !$is_dry) {
+ make_path($u->{home}, { mode => oct($u->{homeMode}) }) if ! -e $u->{home};
 chown $u->{uid}, $u->{gid}, $u->{home};
 chmod oct($u->{homeMode}), $u->{home};
 }
-- cgit 1.4.1
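Review bot: `make_path($u->{home}, { mode => oct($u->{homeMode}) })` applies the configured mode to every directory it has to create, not only to the home itself: File::Path's `mode` option is used for each created directory, so when the parent of the home does not exist yet (a home placed outside /home, say), a permissive `homeMode` such as 775 or 777 also lands on the freshly created, root-owned parent, and a world-writable parent without the sticky bit lets any local account rename or remove the home entry beneath it. The previous hard-coded 0700 had the opposite problem (an unreadable root-owned parent), so this commit turns an availability issue into a permissions one for non-default modes. Creating the parents with the default mode and only the leaf with the configured one avoids both, e.g. `make_path(dirname($u->{home})) if ! -e $u->{home};` followed by `mkdir $u->{home}, oct($u->{homeMode}) if ! -e $u->{home};` ahead of the existing chown/chmod, where `dirname` needs File::Basename if the script does not already import it. Since `mode` is still reduced by the process umask, the unconditional chmod two lines below stays necessary and should not be dropped as redundant. The enclosing foreach over `$spec->{users}` starts outside the hunk.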