author | Thomas Tuegel <ttuegel@gmail.com> | 2014-02-10 08:15:24 -0600 |
---|---|---|
committer | Thomas Tuegel <ttuegel@gmail.com> | 2014-02-10 08:16:22 -0600 |
commit | 3dc6168b317fb3923f2ae073575a8582d01d3ba9 (patch) | |
tree | c6847b315c8d6dac9d6706ff56055f09f6489bf6 /nixos/modules/config/users-groups.nix | |
parent | 6a8cc9ab11765d101023076f022e8682d40ad7f0 (diff) | |
Properly escape passwords sent to chpasswd
The mutableUsers feature uses `chpasswd` to set users' passwords. Passwords and their hashes were being piped into the program using double quotes ("") to escape. This causes any `$` characters to be expanded as shell variables. This is a serious problem because all the password hash methods besides DES use multiple `$` in the hashes. Single quotes ('') should be used instead to prevent shell variable expansion.
Diffstat (limited to 'nixos/modules/config/users-groups.nix')
-rw-r--r-- | nixos/modules/config/users-groups.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index f70e8c292c41..09e7fc53c76f 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -411,13 +411,13 @@ in if [ "$setpw" == "yes" ]; then ${if !(isNull u.hashedPassword) then '' - echo "${u.name}:${u.hashedPassword}" | \ + echo '${u.name}:${u.hashedPassword}' | \ ${pkgs.shadow}/sbin/chpasswd -e'' else if u.password == "" then "passwd -d '${u.name}' &>/dev/null" else if !(isNull u.password) then '' - echo "${u.name}:${u.password}" | ${pkgs.shadow}/sbin/chpasswd'' + echo '${u.name}:${u.password}' | ${pkgs.shadow}/sbin/chpasswd'' else if !(isNull u.passwordFile) then '' echo -n "${u.name}:" | cat - "${u.passwordFile}" | \ |
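Review bot: In the `u.password` branch, `echo '${u.name}:${u.password}'` still breaks when the plain-text password contains a single quote: the `'` ends the quoted string and the remainder of the value is parsed by the shell as code, so the fix trades `$` expansion for a quoting hole on a different character. The same applies to `u.name` and, less likely, to `u.hashedPassword` in the first changed line. Nix interpolates these values into the script text before the shell sees it, so the value needs escaping at the Nix level rather than by choice of quote character; a helper such as `lib.escapeShellArg` applied to the whole `name:password` string would cover both `$` and `'`. The unchanged `passwordFile` branch below still uses double quotes around `${u.name}:` and `${u.passwordFile}`, so a `$` or backtick in either is still expanded there and should get the same treatment. Using `printf '%s\n'` instead of `echo` would also avoid shell-dependent handling of backslashes in the password.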