diff options
| author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2018-02-10 09:58:36 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-02-10 09:58:36 +0000 |
| commit | 9fab083b792ad32b788363e158dcd8455fc14f82 (patch) | |
| tree | e1e9dbaca6b7bd0758d78be5f052a5e4097c3ba1 /nixos/modules/services/security | |
| parent | 7914e6be3e819217632382dc053888ffb09e27fc (diff) | |
| parent | cfd22b733bc4c4d6486e179b45b671b25b546778 (diff) | |
| download | nixlib-9fab083b792ad32b788363e158dcd8455fc14f82.tar nixlib-9fab083b792ad32b788363e158dcd8455fc14f82.tar.gz nixlib-9fab083b792ad32b788363e158dcd8455fc14f82.tar.bz2 nixlib-9fab083b792ad32b788363e158dcd8455fc14f82.tar.lz nixlib-9fab083b792ad32b788363e158dcd8455fc14f82.tar.xz nixlib-9fab083b792ad32b788363e158dcd8455fc14f82.tar.zst nixlib-9fab083b792ad32b788363e158dcd8455fc14f82.zip | |
Merge pull request #34524 from Infinisil/physlock-allowAnyUser
nixos/physlock: add allowAnyUser option
Diffstat (limited to 'nixos/modules/services/security')
| -rw-r--r-- | nixos/modules/services/security/physlock.nix | 64 |
1 files changed, 43 insertions, 21 deletions
diff --git a/nixos/modules/services/security/physlock.nix b/nixos/modules/services/security/physlock.nix index 30224d7fc6ba..97fbd6aae6e0 100644 --- a/nixos/modules/services/security/physlock.nix +++ b/nixos/modules/services/security/physlock.nix @@ -30,6 +30,20 @@ in ''; }; + allowAnyUser = mkOption { + type = types.bool; + default = false; + description = '' + Whether to allow any user to lock the screen. This will install a + setuid wrapper to allow any user to start physlock as root, which + is a minor security risk. Call the physlock binary to use this instead + of using the systemd service. + + Note that you might need to relog to have the correct binary in your + PATH upon changing this option. + ''; + }; + disableSysRq = mkOption { type = types.bool; default = true; @@ -79,28 +93,36 @@ in ###### implementation - config = mkIf cfg.enable { - - # for physlock -l and physlock -L - environment.systemPackages = [ pkgs.physlock ]; - - systemd.services."physlock" = { - enable = true; - description = "Physlock"; - wantedBy = optional cfg.lockOn.suspend "suspend.target" - ++ optional cfg.lockOn.hibernate "hibernate.target" - ++ cfg.lockOn.extraTargets; - before = optional cfg.lockOn.suspend "systemd-suspend.service" - ++ optional cfg.lockOn.hibernate "systemd-hibernate.service" - ++ cfg.lockOn.extraTargets; - serviceConfig.Type = "forking"; - script = '' - ${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"} - ''; - }; + config = mkIf cfg.enable (mkMerge [ + { + + # for physlock -l and physlock -L + environment.systemPackages = [ pkgs.physlock ]; + + systemd.services."physlock" = { + enable = true; + description = "Physlock"; + wantedBy = optional cfg.lockOn.suspend "suspend.target" + ++ optional cfg.lockOn.hibernate "hibernate.target" + ++ cfg.lockOn.extraTargets; + before = optional cfg.lockOn.suspend "systemd-suspend.service" + ++ optional cfg.lockOn.hibernate "systemd-hibernate.service" + ++ cfg.lockOn.extraTargets; + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}"; + }; + }; - security.pam.services.physlock = {}; + security.pam.services.physlock = {}; - }; + } + + (mkIf cfg.allowAnyUser { + + security.wrappers.physlock = { source = "${pkgs.physlock}/bin/physlock"; user = "root"; }; + + }) + ]); } |