summary refs log tree commit diff
path: root/nixos
diff options
context:
space:
mode:
authorRickard Nilsson <rickynils@gmail.com>2014-02-05 15:07:20 +0100
committerRickard Nilsson <rickynils@gmail.com>2014-02-05 15:56:51 +0100
commit0b92ad02c87b9eff8dbc45cc4221289d737d29a6 (patch)
tree1883bac12f17b7cf84591f79119c82690dab87dc /nixos
parent03ee174032530af70b3deb278cd37c393dcaf096 (diff)
downloadnixlib-0b92ad02c87b9eff8dbc45cc4221289d737d29a6.tar
nixlib-0b92ad02c87b9eff8dbc45cc4221289d737d29a6.tar.gz
nixlib-0b92ad02c87b9eff8dbc45cc4221289d737d29a6.tar.bz2
nixlib-0b92ad02c87b9eff8dbc45cc4221289d737d29a6.tar.lz
nixlib-0b92ad02c87b9eff8dbc45cc4221289d737d29a6.tar.xz
nixlib-0b92ad02c87b9eff8dbc45cc4221289d737d29a6.tar.zst
nixlib-0b92ad02c87b9eff8dbc45cc4221289d737d29a6.zip
Re-introduce security.initialRootPassword, and add a new option users.extraUsers.<user>.hashedPassword
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/config/users-groups.nix83


-rw-r--r--nixos/modules/virtualisation/amazon-image.nix2


-rw-r--r--nixos/modules/virtualisation/virtualbox-image.nix2


3 files changed, 64 insertions, 23 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 97bf67262795..e38593d56023 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -7,6 +7,24 @@ let
   ids = config.ids;
   cfg = config.users;
 
+  passwordDescription = ''
+    The options <literal>hashedPassword</literal>,
+    <literal>password</literal> and <literal>passwordFile</literal>
+    controls what password is set for the user.
+    <literal>hashedPassword</literal> overrides both
+    <literal>password</literal> and <literal>passwordFile</literal>.
+    <literal>password</literal> overrides <literal>passwordFile</literal>.
+    If none of these three options are set, no password is assigned to
+    the user, and the user will not be able to do password logins.
+    If the option <literal>users.mutableUsers</literal> is true, the
+    password defined in one of the three options will only be set when
+    the user is created for the first time. After that, you are free to
+    change the password with the ordinary user management commands. If
+    <literal>users.mutableUsers</literal> is false, you cannot change
+    user passwords, they will always be set according to the password
+    options.
+  '';
+
   userOpts = { name, config, ... }: {
 
     options = {
@@ -76,24 +94,24 @@ let
         '';
       };
 
+      hashedPassword = mkOption {
+        type = with types; uniq (nullOr str);
+        default = null;
+        description = ''
+          Specifies the (hashed) password for the user.
+          ${passwordDescription}
+        '';
+      };
+
       password = mkOption {
         type = with types; uniq (nullOr str);
         default = null;
         description = ''
-          The user's password. If undefined, no password is set for
-          the user.  Warning: do not set confidential information here
-          because it is world-readable in the Nix store.  This option
-          should only be used for public accounts such as
-          <literal>guest</literal>.
-          The option <literal>password</literal> overrides
-          <literal>passwordFile</literal>, if both are specified.
-          If none of the options <literal>password</literal> or
-          <literal>passwordFile</literal> are specified, the user account will
-          be locked for password logins. This is the default behavior except
-          for the root account, which has an empty password by default. If you
-          want to lock the root account for password logins, set
-          <literal>users.extraUsers.root.password</literal> to
-          <literal>null</literal>.
+          Specifies the (clear text) password for the user.
+          Warning: do not set confidential information here
+          because it is world-readable in the Nix store. This option
+          should only be used for public accounts.
+          ${passwordDescription}
         '';
       };
 
@@ -105,8 +123,7 @@ let
           file is read on each system activation. The file should contain
           exactly one line, which should be the password in an encrypted form
           that is suitable for the <literal>chpasswd -e</literal> command.
-          See the <literal>password</literal> for more details on how passwords
-          are assigned.
+          ${passwordDescription}
         '';
       };
 
@@ -297,6 +314,26 @@ in
       options = [ groupOpts ];
     };
 
+    security.initialRootPassword = mkOption {
+      type = types.str;
+      default = "";
+      example = "!";
+      description = ''
+        The (hashed) password for the root account set on initial
+        installation. The empty string denotes that root can login
+        locally without a password (but not via remote services such
+        as SSH, or indirectly via <command>su</command> or
+        <command>sudo</command>). The string <literal>!</literal>
+        prevents root from logging in using a password.
+        Note, setting this option sets
+        <literal>users.extraUsers.root.hashedPassword</literal>.
+        Note, if <literal>users.mutableUsers</literal> is false
+        you cannot change the root password manually, so in that case
+        the name of this option is a bit misleading, since it will define
+        the root password beyond the user initialisation phase.
+      '';
+    };
+
   };
 
 
@@ -311,7 +348,7 @@ in
         home = "/root";
         shell = cfg.defaultUserShell;
         group = "root";
-        password = mkDefault "";
+        hashedPassword = config.security.initialRootPassword;
       };
       nobody = {
         uid = ids.uids.nobody;
@@ -351,17 +388,21 @@ in
             test "$(getent shadow '${u.name}' | cut -d: -f2)" != "x" && setpw=no
           ''}
           if [ "$setpw" == "yes" ]; then
-            ${if u.password == ""
+            ${if !(isNull u.hashedPassword)
+              then ''
+                echo "${u.name}:${u.hashedPassword}" | \
+                  ${pkgs.shadow}/sbin/chpasswd -e''
+              else if u.password == ""
               then "passwd -d '${u.name}' &>/dev/null"
-              else if (isNull u.password && isNull u.passwordFile)
-              then "passwd -l '${u.name}' &>/dev/null"
               else if !(isNull u.password)
               then ''
                 echo "${u.name}:${u.password}" | ${pkgs.shadow}/sbin/chpasswd''
-              else ''
+              else if !(isNull u.passwordFile)
+              then ''
                 echo -n "${u.name}:" | cat - "${u.passwordFile}" | \
                   ${pkgs.shadow}/sbin/chpasswd -e
               ''
+              else "passwd -l '${u.name}' &>/dev/null"
             }
           fi
         '';
diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix
index 701e95af7d3f..abd2a1084bd9 100644
--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@@ -164,5 +164,5 @@ with pkgs.lib;
   # Prevent logging in as root without a password.  This doesn't really matter,
   # since the only PAM services that allow logging in with a null
   # password are local ones that are inaccessible on EC2 machines.
-  users.extraUsers.root.password = null;
+  security.initialRootPassword = "!";
 }
diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix
index a89c8264a33f..71bdf31a98d2 100644
--- a/nixos/modules/virtualisation/virtualbox-image.nix
+++ b/nixos/modules/virtualisation/virtualbox-image.nix
@@ -111,5 +111,5 @@ with pkgs.lib;
   # Prevent logging in as root without a password.  For NixOps, we
   # don't need this because the user can login via SSH, and for the
   # demo images, there is a demo user account that can sudo to root.
-  users.extraUsers.root.password = null;
+  security.initialRootPassword = "!";
 }

 

generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-30 06:13:46 +0000