author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2016-09-06 17:23:27 +0200 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2016-09-06 17:23:27 +0200 |
commit | 98102ebd92ab52e198271dce02515023baa7d6d5 (patch) | |
tree | 664687e57f945db51d740d547c7deb9db111ec41 /nixos | |
parent | 9ab141ce273940e65f5243022d34740e4aa005d0 (diff) | |
Enable the runuser command from util-linux
Fixes #14701.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/programs/shadow.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 21 |
2 files changed, 20 insertions, 2 deletions
diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index 878c9cc0cf09..ce4d46e19bf9 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -99,7 +99,6 @@ in
 groupdel = { rootOK = true; };
 login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; };
 chpasswd = { rootOK = true; };
- chgpasswd = { rootOK = true; };
 };
 security.setuidPrograms = [ "su" "chfn" ]
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 77815cd6dcc1..814dd21b53de 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -105,6 +105,16 @@ let
 '';
 };
+ setEnvironment = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether the service should set the environment variables
+ listed in <option>environment.sessionVariables</option>
+ using <literal>pam_env.so</literal>.
+ '';
+ };
+
 setLoginUid = mkOption {
 type = types.bool;
 description = ''
@@ -284,7 +294,9 @@ let
 "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
 # Session management.
- session required pam_env.so envfile=${config.system.build.pamEnvironment}
+ ${optionalString cfg.setEnvironment ''
+ session required pam_env.so envfile=${config.system.build.pamEnvironment}
+ ''}
 session required pam_unix.so
 ${optionalString cfg.setLoginUid
 "session ${
@@ -477,6 +489,13 @@ in
 vlock = {};
 xlock = {};
 xscreensaver = {};
+
+ runuser = { rootOK = true; unixAuth = false; setEnvironment = false; };
+
+ /* FIXME: should runuser -l start a systemd session? Currently
+ it complains "Cannot create session: Already running in a
+ session". */
+ runuser-l = { rootOK = true; unixAuth = false; };
 };
 }; |
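Review bot: The `description` of the new `setEnvironment` option in pam.nix covers only the enabled case; it should also say what a service gets when the option is false. Going by the session-management hunk further down, the `pam_env.so` line is then left out of the generated stack, so I would append a sentence such as `When disabled, no pam_env.so entry is emitted and the session environment is left to the calling program.` That is the detail someone needs when deciding whether a user-switching service should turn it off. The enclosing option set starts and ends outside this hunk.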
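Review bot: The two `runuser` entries added at the end of pam.nix carry no comment explaining why `unixAuth = false` is safe. With `rootOK = true` as the only enabled authentication path, the intent appears to be that only root passes, but that depends on the generated auth stack denying every other caller when no module succeeds, and that part of the file is outside this hunk and worth confirming. I would add `/* Root-only: rootOK is the sole auth path, so non-root callers must fall through to a deny. */` above `runuser`. `runuser-l` leaves `setEnvironment` at its default while `runuser` disables it; if that difference is deliberate, say so next to the FIXME.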