author | Linus Heckemann <git@sphalerite.org> | 2024-02-16 22:20:38 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-16 22:20:38 +0100 |
commit | 5863c27340ba4de8f83e7e3c023b9599c3cb3c80 (patch) | |
tree | 9ee030fbca465381078aaf36a7ffe2a445086c68 /nixos | |
parent | 5ec215f2166bd74022d43257dde7da90acca48d7 (diff) | |
parent | f6954309e8f0193ad5904cf787bbcfe47b63fa54 (diff) | |
Merge pull request #287506 from Ma27/warn-user-password-options
nixos/users-groups: warn on ambiguous password settings
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/users-groups.nix | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 967ad0846d75..dd34771c0b42 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -649,7 +649,6 @@ in {
 home = "/root";
 shell = mkDefault cfg.defaultUserShell;
 group = "root";
- initialHashedPassword = mkDefault "!";
 };
 nobody = {
 uid = ids.uids.nobody;
@@ -897,7 +896,26 @@ in {
 ));
 warnings =
- builtins.filter (x: x != null) (
+ flip concatMap (attrValues cfg.users) (user: let
+ unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([
+ user.hashedPassword
+ user.hashedPasswordFile
+ user.password
+ ] ++ optionals cfg.mutableUsers [
+ # For immutable users, initialHashedPassword is set to hashedPassword,
+ # so using these options would always trigger the assertion.
+ user.initialHashedPassword
+ user.initialPassword
+ ]));
+ in optional (!unambiguousPasswordConfiguration) ''
+ The user '${user.name}' has multiple of the options
+ `hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`
+ & `initialHashedPassword` set to a non-null value.
+ The options silently discard others by the order of precedence
+ given above which can lead to surprising results. To resolve this warning,
+ set at most one of the options above to a non-`null` value.
+ '')
+ ++ builtins.filter (x: x != null) (
 flip mapAttrsToList cfg.users (_: user:
 # This regex matches a subset of the Modular Crypto Format (MCF)[1]
 # informal standard. Since this depends largely on the OS or the |
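Review bot: The warning text in the second hunk refers to "the order of precedence given above", but the order it lists (`hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`, `initialHashedPassword`) differs from the order of the list built in `unambiguousPasswordConfiguration`, and nothing in the hunk shows which order is actually applied when the account is written. Because the warning exists to tell an administrator which credential ends up in effect, the message should state the real precedence explicitly and in one place, or drop the claim and say only that all but one value is ignored. The comment above `user.initialHashedPassword` says "assertion" where the code emits a warning, and it explains the exclusion only for `initialHashedPassword`; I would reword it to `# so including these options would always trigger the warning.` and say why `initialPassword` is skipped as well. The first hunk removes root's `mkDefault "!"`, so root presumably stays locked only because an all-null configuration is treated as locked elsewhere; a one-line comment on the `root` attribute set saying so would keep that assumption visible. The `warnings` expression continues past the end of the hunk.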