author | Michael Raskin <7c6f434c@mail.ru> | 2014-08-29 00:42:57 +0400 |
---|---|---|
committer | Michael Raskin <7c6f434c@mail.ru> | 2014-08-29 00:42:57 +0400 |
commit | 1fd14fa415b277eb5f1482481d6090fc2daa15c2 (patch) | |
tree | 609d85454d734701b382a97c70404eec67abe953 /nixos | |
parent | 0036f4d79294925c3f8103f754f249c79503f571 (diff) | |
parent | 08b214a8f2b6c9101636df43ded09c07ea9b8259 (diff) | |
Merge pull request #3100 from tailhook/new-shadow
Upgrade "shadow" to 4.2.1
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/users-groups.nix | 83 | ||||
-rw-r--r-- | nixos/modules/programs/shadow.nix | 4 |
2 files changed, 86 insertions, 1 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 7783f13b14b1..f1ddd377ed01 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -100,6 +100,36 @@ let
 description = "The path to the user's shell.";
 };
+ subUidRanges = mkOption {
+ type = types.listOf types.optionSet;
+ default = [];
+ example = [
+ { startUid = 1000; count = 1; }
+ { startUid = 100001; count = 65534; }
+ ];
+ options = [ subordinateUidRange ];
+ description = ''
+ Subordinate user ids that user is allowed to use.
+ They are set into <filename>/etc/subuid</filename> and are used
+ by <literal>newuidmap</literal> for user namespaces.
+ '';
+ };
+
+ subGidRanges = mkOption {
+ type = types.listOf types.optionSet;
+ default = [];
+ example = [
+ { startGid = 100; count = 1; }
+ { startGid = 1001; count = 999; }
+ ];
+ options = [ subordinateGidRange ];
+ description = ''
+ Subordinate group ids that user is allowed to use.
+ They are set into <filename>/etc/subgid</filename> and are used
+ by <literal>newgidmap</literal> for user namespaces.
+ '';
+ };
+ createHome = mkOption {
+ type = types.bool;
+ default = false;
@@ -211,6 +241,36 @@ let
 };
+ subordinateUidRange = {
+ startUid = mkOption {
+ type = types.int;
+ description = ''
+ Start of the range of subordinate user ids that user is
+ allowed to use.
+ '';
+ };
+ count = mkOption {
+ type = types.int;
+ default = 1;
+ description = ''Count of subordinate user ids'';
+ };
+ };
+
+ subordinateGidRange = {
+ startGid = mkOption {
+ type = types.int;
+ description = ''
+ Start of the range of subordinate group ids that user is
+ allowed to use.
+ '';
+ };
+ count = mkOption {
+ type = types.int;
+ default = 1;
+ description = ''Count of subordinate group ids'';
+ };
+ };
+ getGroup = gname:
 let
 groups = mapAttrsToList (n: g: g) (
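Review bot: The `subUidRanges` example `{ startUid = 1000; count = 1; }` delegates uid 1000, which on NixOS is normally the first regular account's uid; unless that account is the same user, the entry lets this user run processes as that uid inside a user namespace via the setuid `newuidmap`, so the example should stick to a high, otherwise-unused range like its second entry. The descriptions state where the values end up but not what they authorize; suggest `Subordinate user ids that user may map into user namespaces through the setuid newuidmap; ranges must not overlap other users' ranges or real uids.` The same applies to `subGidRanges`, whose example `startGid = 100` is a system gid (conventionally the users group on NixOS — confirm).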
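Review bot: `count` and `startUid` in `subordinateUidRange` accept any int, so `count = 0` or a negative value produces a `name:start:count` line that newuidmap will reject or misparse, and nothing prevents a range from reaching into the reserved system uids or even uid 0 if `count` is large enough. If `types.addCheck` exists in this lib, `type = types.addCheck types.int (n: n > 0);` for `count` and `type = types.addCheck types.int (n: n >= 0);` for `startUid` catch the malformed cases at evaluation time; the cross-user overlap check belongs with the module's `assertions`. `subordinateGidRange` needs the same bounds.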
@@ -265,6 +325,20 @@ let
 ))
 );
+ mkSubuidEntry = user: concatStrings (
+ map (range: "${user.name}:${toString range.startUid}:${toString range.count}\n")
+ user.subUidRanges);
+
+ subuidFile = concatStrings (map mkSubuidEntry (
+ sortOn "uid" (attrValues cfg.extraUsers)));
+
+ mkSubgidEntry = user: concatStrings (
+ map (range: "${user.name}:${toString range.startGid}:${toString range.count}\n")
+ user.subGidRanges);
+
+ subgidFile = concatStrings (map mkSubgidEntry (
+ sortOn "uid" (attrValues cfg.extraUsers)));
+ # If mutableUsers is true, this script adds all users/groups defined in
 # users.extra{Users,Groups} to /etc/{passwd,group} iff there isn't any
 # existing user/group with the same name in those files.
@@ -504,6 +578,15 @@ in {
 # for backwards compatibility
 system.activationScripts.groups = stringAfter [ "users" ] "";
+ environment.etc."subuid" = {
+ text = subuidFile;
+ mode = "0644";
+ };
+ environment.etc."subgid" = {
+ text = subgidFile;
+ mode = "0644";
+ };
+ assertions = [
 { assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);
 message = "uids and gids must be unique!";
diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index 658b08b3d870..5a467e112c23 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -100,7 +100,9 @@ in
 chgpasswd = { rootOK = true; };
 };
- security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp" ];
+ security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp"
+ "newuidmap" "newgidmap" # new in shadow 4.2.x
+ ];
 }; |
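Review bot: `subuidFile` emits every declared range verbatim, but nothing checks that the ranges of different users are disjoint from each other or from the uids of declared users; `newuidmap` is setuid root and honours any range it finds in /etc/subuid, so an overlapping range hands one user another user's identity inside a user namespace. The existing `uidsAreUnique`/`enforceIdUniqueness` assertion visible in the next hunk covers primary uids only. A helper next to `subuidFile` plus one entry in `assertions` closes this, as sketched below, and `subgidFile` needs the same treatment. That lib's `all`/`any`/`concatMap` are in scope unqualified is inferred from the surrounding `concatStrings`/`attrValues` use, and that `uid` may be null is inferred from the module's other options — confirm both.
```nix
  # Ranges delegate identities: an overlap with another user's range, or with
  # another declared uid, lets the holder act as that identity via setuid newuidmap.
  subUidRangesDisjoint =
    let
      users = attrValues cfg.extraUsers;
      owned = concatMap (u:
        map (r: { inherit (u) name; lo = r.startUid; hi = r.startUid + r.count - 1; })
            u.subUidRanges) users;
      uids = concatMap (u: if u.uid != null then [ { inherit (u) name; lo = u.uid; hi = u.uid; } ] else []) users;
      clash = a: b: a.name != b.name && a.lo <= b.hi && b.lo <= a.hi;
    in all (a: !any (clash a) (owned ++ uids)) owned;

  # … unchanged: subuidFile / mkSubgidEntry / subgidFile …

  # added to the `assertions` list in the second hunk of this file:
  { assertion = subUidRangesDisjoint;
    message = "users.extraUsers.*.subUidRanges must not overlap other users' ranges or uids"; }
```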
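Review bot: `environment.etc."subuid"` turns /etc/subuid into a store-managed file generated solely from `cfg.extraUsers`, so under `mutableUsers = true` any ranges that shadow 4.2's `useradd` allocates for imperatively created users (it appends to /etc/subuid when the file exists, if I recall the 4.2 behaviour correctly — confirm) are discarded at the next activation, and the link into the store may already be unwritable for it. If that is intended, a comment such as `# /etc/sub{u,g}id are fully declarative even with mutableUsers; imperatively created users get no subordinate ranges` saves the next reader a surprise; otherwise the mutableUsers path needs the same merge treatment the comment above gives passwd/group. `mode = "0644"` itself is fine: the files only list ranges and are commonly read by unprivileged user-namespace tooling.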
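Review bot: The comment `# new in shadow 4.2.x` records when `newuidmap`/`newgidmap` appeared but not why they must be setuid or what bounds them, which is the part anyone auditing `security.setuidPrograms` needs; suggest `# setuid root so unprivileged users can write uid_map/gid_map for their user namespaces; the ranges they may map are bounded only by /etc/subuid and /etc/subgid (users.extraUsers.*.sub{U,G}idRanges)`. With no ranges declared the two binaries are useless yet still setuid, so it may be worth gating these entries on some user actually declaring ranges, e.g. `any (u: u.subUidRanges != []) (attrValues config.users.extraUsers)`, at the cost of coupling this module to users-groups.nix. The enclosing attribute set continues outside the hunk.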