diff options
Diffstat (limited to 'nixos')
5 files changed, 60 insertions, 22 deletions
diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml index 742376378dea..e5fb95f7dcf0 100644 --- a/nixos/doc/manual/installation/installing.xml +++ b/nixos/doc/manual/installation/installing.xml @@ -29,13 +29,14 @@ </para> <para> - You are logged-in automatically as <literal>root</literal>. (The - <literal>root</literal> user account has an empty password.) + You are logged-in automatically as <literal>nixos</literal>. + The <literal>nixos</literal> user account has an empty password so you + can use <command>sudo</command> without a password. </para> <para> If you downloaded the graphical ISO image, you can run <command>systemctl - start display-manager</command> to start KDE. If you want to continue on the + start display-manager</command> to start the desktop environment. If you want to continue on the terminal, you can use <command>loadkeys</command> to switch to your preferred keyboard layout. (We even provide neo2 via <command>loadkeys de neo</command>!) @@ -65,9 +66,9 @@ <para> If you would like to continue the installation from a different machine you - need to activate the SSH daemon via <literal>systemctl start - sshd</literal>. In order to be able to login you also need to set a - password for <literal>root</literal> using <literal>passwd</literal>. + need to activate the SSH daemon via <command>systemctl start + sshd</command>. You then must set a password for either <literal>root</literal> or + <literal>nixos</literal> with <command>passwd></command> to be able to login. </para> </section> </section> diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index b12858cfc963..d4d87716be37 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -42,6 +42,12 @@ set up binfmt interpreters for each of those listed systems. </para> </listitem> + <listitem> + <para> + The installer now uses a less privileged <literal>nixos</literal> user whereas before we logged in as root. + To gain root privileges use <literal>sudo -i</literal> without a password. + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix index f65239a5bc0a..1578e1547bc1 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix @@ -8,16 +8,30 @@ with lib; { imports = [ ./installation-cd-base.nix ]; + # Whitelist wheel users to do anything + # This is useful for things like pkexec + # + # WARNING: this is dangerous for systems + # outside the installation-cd and shouldn't + # be used anywhere else. + security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + if (subject.isInGroup("wheel")) { + return polkit.Result.YES; + } + }); + ''; + services.xserver = { enable = true; # Don't start the X server by default. autorun = mkForce false; - # Automatically login as root. + # Automatically login as nixos. displayManager.slim = { enable = true; - defaultUser = "root"; + defaultUser = "nixos"; autoLogin = true; }; @@ -33,7 +47,6 @@ with lib; # Enable sound in graphical iso's. hardware.pulseaudio.enable = true; - hardware.pulseaudio.systemWide = true; # Needed since we run plasma as root. environment.systemPackages = [ # Include gparted for partitioning disks. diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix index 1c3c9cb30b41..2536ba73a1de 100644 --- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix +++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix @@ -1,5 +1,5 @@ # This module defines a NixOS installation CD that contains X11 and -# Plasma5. +# Plasma 5. { config, lib, pkgs, ... }: @@ -30,15 +30,20 @@ with lib; Version=1.0 Type=Application Name=NixOS Manual - Exec=firefox ${config.system.build.manual.manualHTMLIndex} + Exec=firefox ${config.system.build.manual.manual}/share/doc/nixos/index.html Icon=text-html ''; + homeDir = "/home/nixos/"; + desktopDir = homeDir + "Desktop/"; + in '' - mkdir -p /root/Desktop - ln -sfT ${manualDesktopFile} /root/Desktop/nixos-manual.desktop - ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop - ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop + mkdir -p ${desktopDir} + chown nixos ${homeDir} ${desktopDir} + + ln -sfT ${manualDesktopFile} ${desktopDir + "nixos-manual.desktop"} + ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop ${desktopDir + "gparted.desktop"} + ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop ${desktopDir + "org.kde.konsole.desktop"} ''; } diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 580ea4a58e5b..1a6e06995603 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -32,19 +32,35 @@ with lib; #services.rogue.enable = true; # Disable some other stuff we don't need. - security.sudo.enable = mkDefault false; services.udisks2.enable = mkDefault false; + # Use less privileged nixos user + users.users.nixos = { + isNormalUser = true; + extraGroups = [ "wheel" "networkmanager" "video" ]; + # Allow the graphical user to login without password + initialHashedPassword = ""; + }; + + # Allow the user to log in as root without a password. + users.users.root.initialHashedPassword = ""; + + # Allow passwordless sudo from nixos user + security.sudo = { + enable = mkDefault true; + wheelNeedsPassword = mkForce false; + }; + # Automatically log in at the virtual consoles. - services.mingetty.autologinUser = "root"; + services.mingetty.autologinUser = "nixos"; # Some more help text. services.mingetty.helpLine = '' - The "root" account has an empty password. ${ + The "nixos" and "root" account have empty passwords. ${ optionalString config.services.xserver.enable - "Type `systemctl start display-manager' to\nstart the graphical user interface."} + "Type `sudo systemctl start display-manager' to\nstart the graphical user interface."} ''; # Allow sshd to be started manually through "systemctl start sshd". @@ -86,8 +102,5 @@ with lib; # because we have the firewall enabled. This makes installs from the # console less cumbersome if the machine has a public IP. networking.firewall.logRefusedConnections = mkDefault false; - - # Allow the user to log in as root without a password. - users.users.root.initialHashedPassword = ""; }; } |