Diffstat (limited to 'nixpkgs/nixos/modules/config/users-groups.nix')
-rw-r--r-- | nixpkgs/nixos/modules/config/users-groups.nix | 64 |
1 files changed, 34 insertions, 30 deletions
diff --git a/nixpkgs/nixos/modules/config/users-groups.nix b/nixpkgs/nixos/modules/config/users-groups.nix
index e0a77b08b7e9..1bb1317a8e85 100644
--- a/nixpkgs/nixos/modules/config/users-groups.nix
+++ b/nixpkgs/nixos/modules/config/users-groups.nix
@@ -35,8 +35,19 @@ let
 '';
 hashedPasswordDescription = ''
- To generate hashed password install <literal>mkpasswd</literal>
+ To generate a hashed password install the <literal>mkpasswd</literal>
 package and run <literal>mkpasswd -m sha-512</literal>.
+
+ If set to an empty string (<literal>""</literal>), this user will
+ be able to log in without being asked for a password (but not via remote
+ services such as SSH, or indirectly via <command>su</command> or
+ <command>sudo</command>). This should only be used for e.g. bootable
+ live systems. Note: this is different from setting an empty password,
+ which ca be achieved using <option>users.users.<name?>.password</option>.
+
+ If set to <literal>null</literal> (default) this user will not
+ be able to log in using a password (i.e. via <command>login</command>
+ command).
 '';
 userOpts = { name, config, ... }: {
@@ -364,18 +375,6 @@ let
 }; };
- mkSubuidEntry = user: concatStrings (
- map (range: "${user.name}:${toString range.startUid}:${toString range.count}\n")
- user.subUidRanges);
-
- subuidFile = concatStrings (map mkSubuidEntry (attrValues cfg.users));
-
- mkSubgidEntry = user: concatStrings (
- map (range: "${user.name}:${toString range.startGid}:${toString range.count}\n")
- user.subGidRanges);
-
- subgidFile = concatStrings (map mkSubgidEntry (attrValues cfg.users));
-
 idsAreUnique = set: idAttr: !(fold (name: args@{ dup, acc }: let
 id = builtins.toString (builtins.getAttr idAttr (builtins.getAttr name set));
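Review bot: The added text of hashedPasswordDescription has a typo, `which ca be achieved using` should read `which can be achieved using`. The sentence claiming that an empty hash does not grant access via SSH, su or sudo is doing security work in documentation: whether that holds presumably depends on sshd's PermitEmptyPasswords default and on which PAM services accept empty passwords, neither of which is visible here, so the description would be more useful if it named that dependency instead of stating the restriction as an unconditional property of the option. A clause such as `(this relies on the default sshd and PAM configuration; changing either may widen where an empty hash is accepted)` would keep readers from assuming the protection survives a customised login stack.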
@@ -395,6 +394,7 @@ let
 { inherit (u) name uid group description home createHome isSystemUser
 password passwordFile hashedPassword
+ isNormalUser subUidRanges subGidRanges
 initialPassword initialHashedPassword;
 shell = utils.toShellPath u.shell;
 }) cfg.users;
@@ -419,9 +419,9 @@ in {
 (mkChangedOptionModule [ "security" "initialRootPassword" ] [ "users" "users" "root" "initialHashedPassword" ]
- (cfg: if cfg.security.initialHashedPassword == "!"
+ (cfg: if cfg.security.initialRootPassword == "!"
 then null
- else cfg.security.initialHashedPassword))
+ else cfg.security.initialRootPassword))
 ];
 ###### interface
@@ -463,7 +463,7 @@ in {
 users.users = mkOption {
 default = {};
- type = with types; loaOf (submodule userOpts);
+ type = with types; attrsOf (submodule userOpts);
 example = {
 alice = {
 uid = 1234;
@@ -487,7 +487,7 @@ in {
 { students.gid = 1001; hackers = { }; };
- type = with types; loaOf (submodule groupOpts);
+ type = with types; attrsOf (submodule groupOpts);
 description = '' Additional groups to be created automatically by the system. '';
@@ -537,6 +537,7 @@ in {
 input.gid = ids.gids.input;
 kvm.gid = ids.gids.kvm;
 render.gid = ids.gids.render;
+ shadow.gid = ids.gids.shadow;
 };
 system.activationScripts.users = stringAfter [ "stdio" ]
@@ -556,16 +557,7 @@ in {
 # Install all the user shells
 environment.systemPackages = systemShells;
- environment.etc = {
- subuid = {
- text = subuidFile;
- mode = "0644";
- };
- subgid = {
- text = subgidFile;
- mode = "0644";
- };
- } // (mapAttrs' (name: { packages, ... }: {
+ environment.etc = (mapAttrs' (name: { packages, ... }: {
 name = "profiles/per-user/${name}";
 value.source = pkgs.buildEnv {
 name = "user-environment";
@@ -590,7 +582,7 @@ in {
 # password or an SSH authorized key. Privileged accounts are
 # root and users in the wheel group.
 assertion = !cfg.mutableUsers ->
- any id (mapAttrsToList (name: cfg:
+ any id ((mapAttrsToList (name: cfg:
 (name == "root" || cfg.group == "wheel" || elem "wheel" cfg.extraGroups)
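Review bot: Switching `users.users` from `loaOf` to `attrsOf` in the @@ -463 hunk (and `users.groups` in the @@ -487 hunk) is a user-visible change that nothing in either hunk documents: a configuration that still supplies these options as a list of attribute sets stops evaluating with a type error rather than a migration hint. Unless `loaOf` already rejects the list form in this tree, the option description or a release note should state that only the attribute-set form is accepted now, e.g. a sentence in `description` such as `Users are given as an attribute set keyed by user name; the older list form is no longer accepted.`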
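Review bot: `shadow.gid = ids.gids.shadow;` in the @@ -537 hunk depends on a `shadow` entry in the static ids table, which is outside this diff (the diffstat is limited to this file), so evaluation fails with a missing-attribute error if that entry has not landed separately. The line would also benefit from a why-comment, since the reason the `shadow` group now needs a fixed gid is not apparent from the hunk; if the intent is stable group ownership of the shadow database across generations, a comment such as `# fixed gid: group ownership of the shadow files must not change between generations` would make that explicit once confirmed.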
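Review bot: The @@ -556 hunk drops the `subuid`/`subgid` entries from `environment.etc` together with their explicit `mode = "0644"`, and whatever now writes `/etc/subuid` and `/etc/subgid` is not in this diff. Those files were deliberately world-readable, presumably because unprivileged user-namespace tooling reads them as the calling user, so the replacement writer should be checked to preserve that mode or rootless container setups may fail in a way that is hard to trace back to this change. If the activation script is the new writer, the @@ -395 hunk that passes `subUidRanges subGidRanges` through deserves a comment saying so, e.g. `# subUidRanges/subGidRanges are consumed by the activation script, which now writes /etc/subuid and /etc/subgid`, once confirmed.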
@@ -600,12 +592,24 @@ in {
 || cfg.passwordFile != null
 || cfg.openssh.authorizedKeys.keys != []
 || cfg.openssh.authorizedKeys.keyFiles != [])
- ) cfg.users);
+ ) cfg.users) ++ [
+ config.security.googleOsLogin.enable
+ ]);
 message = '' Neither the root account nor any wheel user has a password or SSH authorized key. You must set one to prevent being locked out of your system.'';
 }
- ];
+ ] ++ flip mapAttrsToList cfg.users (name: user:
+ {
+ assertion = (user.hashedPassword != null)
+ -> (builtins.match ".*:.*" user.hashedPassword == null);
+ message = ''
+ The password hash of user "${name}" contains a ":" character.
+ This is invalid and would break the login system because the fields
+ of /etc/shadow (file where hashes are stored) are colon-separated.
+ Please check the value of option `users.users."${name}".hashedPassword`.'';
+ }
+ );
 warnings = builtins.filter (x: x != null) ( |
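Review bot: The new colon assertion only covers `user.hashedPassword`, while `user.initialHashedPassword` is handed to the same consumer (it sits in the inherit list of the @@ -395 hunk) and presumably lands in `/etc/shadow` by the same path, so a colon there corrupts the file just as badly. A parallel assertion over `initialHashedPassword` with the same `builtins.match ".*:.*"` test would close that gap, and since the shadow file is line-oriented as well as colon-separated, a newline inside either value is equally fatal and could be rejected by the same check. Separately, adding `config.security.googleOsLogin.enable` as an escape hatch to the lockout assertion leaves its message (`Neither the root account nor any wheel user has a password or SSH authorized key ...`) and the explanatory comment above it (in the @@ -590 hunk, which is cut off at the end of the previous line) out of step with what is actually checked; a comment on the new list element such as `# security.googleOsLogin provides its own privileged login path, so local credentials are not required` would keep the reasoning visible.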