diff options
Diffstat (limited to 'nixpkgs/nixos/modules/security')
27 files changed, 3598 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/security/acme.nix b/nixpkgs/nixos/modules/security/acme.nix new file mode 100644 index 000000000000..092704c6fc3f --- /dev/null +++ b/nixpkgs/nixos/modules/security/acme.nix @@ -0,0 +1,391 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.security.acme; + + certOpts = { name, ... }: { + options = { + webroot = mkOption { + type = types.str; + example = "/var/lib/acme/acme-challenges"; + description = '' + Where the webroot of the HTTP vhost is located. + <filename>.well-known/acme-challenge/</filename> directory + will be created below the webroot if it doesn't exist. + <literal>http://example.org/.well-known/acme-challenge/</literal> must also + be available (notice unencrypted HTTP). + ''; + }; + + domain = mkOption { + type = types.str; + default = name; + description = "Domain to fetch certificate for (defaults to the entry name)"; + }; + + email = mkOption { + type = types.nullOr types.str; + default = null; + description = "Contact email address for the CA to be able to reach you."; + }; + + user = mkOption { + type = types.str; + default = "root"; + description = "User running the ACME client."; + }; + + group = mkOption { + type = types.str; + default = "root"; + description = "Group running the ACME client."; + }; + + allowKeysForGroup = mkOption { + type = types.bool; + default = false; + description = '' + Give read permissions to the specified group + (<option>security.acme.cert.<name>.group</option>) to read SSL private certificates. + ''; + }; + + postRun = mkOption { + type = types.lines; + default = ""; + example = "systemctl reload nginx.service"; + description = '' + Commands to run after new certificates go live. Typically + the web server and other servers using certificates need to + be reloaded. + + Executed in the same directory with the new certificate. + ''; + }; + + plugins = mkOption { + type = types.listOf (types.enum [ + "cert.der" "cert.pem" "chain.pem" "external.sh" + "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" + ]); + default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; + description = '' + Plugins to enable. With default settings simp_le will + store public certificate bundle in <filename>fullchain.pem</filename>, + private key in <filename>key.pem</filename> and those two previous + files combined in <filename>full.pem</filename> in its state directory. + ''; + }; + + activationDelay = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Systemd time span expression to delay copying new certificates to main + state directory. See <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>. + ''; + }; + + preDelay = mkOption { + type = types.lines; + default = ""; + description = '' + Commands to run after certificates are re-issued but before they are + activated. Typically the new certificate is published to DNS. + + Executed in the same directory with the new certificate. + ''; + }; + + extraDomains = mkOption { + type = types.attrsOf (types.nullOr types.str); + default = {}; + example = literalExample '' + { + "example.org" = "/srv/http/nginx"; + "mydomain.org" = null; + } + ''; + description = '' + A list of extra domain names, which are included in the one certificate to be issued, with their + own server roots if needed. + ''; + }; + }; + }; + +in + +{ + + ###### interface + + options = { + security.acme = { + directory = mkOption { + default = "/var/lib/acme"; + type = types.str; + description = '' + Directory where certs and other state will be stored by default. + ''; + }; + + validMin = mkOption { + type = types.int; + default = 30 * 24 * 3600; + description = "Minimum remaining validity before renewal in seconds."; + }; + + renewInterval = mkOption { + type = types.str; + default = "weekly"; + description = '' + Systemd calendar expression when to check for renewal. See + <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>. + ''; + }; + + preliminarySelfsigned = mkOption { + type = types.bool; + default = true; + description = '' + Whether a preliminary self-signed certificate should be generated before + doing ACME requests. This can be useful when certificates are required in + a webserver, but ACME needs the webserver to make its requests. + + With preliminary self-signed certificate the webserver can be started and + can later reload the correct ACME certificates. + ''; + }; + + production = mkOption { + type = types.bool; + default = true; + description = '' + If set to true, use Let's Encrypt's production environment + instead of the staging environment. The main benefit of the + staging environment is to get much higher rate limits. + + See + <literal>https://letsencrypt.org/docs/staging-environment</literal> + for more detail. + ''; + }; + + certs = mkOption { + default = { }; + type = with types; attrsOf (submodule certOpts); + description = '' + Attribute set of certificates to get signed and renewed. + ''; + example = literalExample '' + { + "example.com" = { + webroot = "/var/www/challenges/"; + email = "foo@example.com"; + extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; }; + }; + "bar.example.com" = { + webroot = "/var/www/challenges/"; + email = "bar@example.com"; + }; + } + ''; + }; + }; + }; + + ###### implementation + config = mkMerge [ + (mkIf (cfg.certs != { }) { + + systemd.services = let + services = concatLists servicesLists; + servicesLists = mapAttrsToList certToServices cfg.certs; + certToServices = cert: data: + let + cpath = lpath + optionalString (data.activationDelay != null) ".staging"; + lpath = "${cfg.directory}/${cert}"; + rights = if data.allowKeysForGroup then "750" else "700"; + cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin ] + ++ optionals (data.email != null) [ "--email" data.email ] + ++ concatMap (p: [ "-f" p ]) data.plugins + ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains) + ++ optionals (!cfg.production) ["--server" "https://acme-staging.api.letsencrypt.org/directory"]; + acmeService = { + description = "Renew ACME Certificate for ${cert}"; + after = [ "network.target" "network-online.target" ]; + wants = [ "network-online.target" ]; + serviceConfig = { + Type = "oneshot"; + SuccessExitStatus = [ "0" "1" ]; + PermissionsStartOnly = true; + User = data.user; + Group = data.group; + PrivateTmp = true; + }; + path = with pkgs; [ simp_le systemd ]; + preStart = '' + mkdir -p '${cfg.directory}' + chown 'root:root' '${cfg.directory}' + chmod 755 '${cfg.directory}' + if [ ! -d '${cpath}' ]; then + mkdir '${cpath}' + fi + chmod ${rights} '${cpath}' + chown -R '${data.user}:${data.group}' '${cpath}' + mkdir -p '${data.webroot}/.well-known/acme-challenge' + chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' + ''; + script = '' + cd '${cpath}' + set +e + simp_le ${escapeShellArgs cmdline} + EXITCODE=$? + set -e + echo "$EXITCODE" > /tmp/lastExitCode + exit "$EXITCODE" + ''; + postStop = '' + cd '${cpath}' + + if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then + ${if data.activationDelay != null then '' + + ${data.preDelay} + + if [ -d '${lpath}' ]; then + systemd-run --no-block --on-active='${data.activationDelay}' --unit acme-setlive-${cert}.service + else + systemctl --wait start acme-setlive-${cert}.service + fi + '' else data.postRun} + + # noop ensuring that the "if" block is non-empty even if + # activationDelay == null and postRun == "" + true + fi + ''; + + before = [ "acme-certificates.target" ]; + wantedBy = [ "acme-certificates.target" ]; + }; + delayService = { + description = "Set certificate for ${cert} live"; + path = with pkgs; [ rsync ]; + serviceConfig = { + Type = "oneshot"; + }; + script = '' + rsync -a --delete-after '${cpath}/' '${lpath}' + ''; + postStop = data.postRun; + }; + selfsignedService = { + description = "Create preliminary self-signed certificate for ${cert}"; + path = [ pkgs.openssl ]; + preStart = '' + if [ ! -d '${cpath}' ] + then + mkdir -p '${cpath}' + chmod ${rights} '${cpath}' + chown '${data.user}:${data.group}' '${cpath}' + fi + ''; + script = + '' + workdir="$(mktemp -d)" + + # Create CA + openssl genrsa -des3 -passout pass:xxxx -out $workdir/ca.pass.key 2048 + openssl rsa -passin pass:xxxx -in $workdir/ca.pass.key -out $workdir/ca.key + openssl req -new -key $workdir/ca.key -out $workdir/ca.csr \ + -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com" + openssl x509 -req -days 1 -in $workdir/ca.csr -signkey $workdir/ca.key -out $workdir/ca.crt + + # Create key + openssl genrsa -des3 -passout pass:xxxx -out $workdir/server.pass.key 2048 + openssl rsa -passin pass:xxxx -in $workdir/server.pass.key -out $workdir/server.key + openssl req -new -key $workdir/server.key -out $workdir/server.csr \ + -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com" + openssl x509 -req -days 1 -in $workdir/server.csr -CA $workdir/ca.crt \ + -CAkey $workdir/ca.key -CAserial $workdir/ca.srl -CAcreateserial \ + -out $workdir/server.crt + + # Copy key to destination + cp $workdir/server.key ${cpath}/key.pem + + # Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates) + cat $workdir/{server.crt,ca.crt} > "${cpath}/fullchain.pem" + + # Create full.pem for e.g. lighttpd + cat $workdir/{server.key,server.crt,ca.crt} > "${cpath}/full.pem" + + # Give key acme permissions + chown '${data.user}:${data.group}' "${cpath}/"{key,fullchain,full}.pem + chmod ${rights} "${cpath}/"{key,fullchain,full}.pem + ''; + serviceConfig = { + Type = "oneshot"; + PermissionsStartOnly = true; + PrivateTmp = true; + User = data.user; + Group = data.group; + }; + unitConfig = { + # Do not create self-signed key when key already exists + ConditionPathExists = "!${cpath}/key.pem"; + }; + before = [ + "acme-selfsigned-certificates.target" + ]; + wantedBy = [ + "acme-selfsigned-certificates.target" + ]; + }; + in ( + [ { name = "acme-${cert}"; value = acmeService; } ] + ++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; } + ++ optional (data.activationDelay != null) { name = "acme-setlive-${cert}"; value = delayService; } + ); + servicesAttr = listToAttrs services; + injectServiceDep = { + after = [ "acme-selfsigned-certificates.target" ]; + wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ]; + }; + in + servicesAttr // + (if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) // + (if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {}); + + systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair + ("acme-${cert}") + ({ + description = "Renew ACME Certificate for ${cert}"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = cfg.renewInterval; + Unit = "acme-${cert}.service"; + Persistent = "yes"; + AccuracySec = "5m"; + RandomizedDelaySec = "1h"; + }; + }) + ); + + systemd.targets."acme-selfsigned-certificates" = mkIf cfg.preliminarySelfsigned {}; + systemd.targets."acme-certificates" = {}; + }) + + ]; + + meta = { + maintainers = with lib.maintainers; [ abbradar fpletz globin ]; + doc = ./acme.xml; + }; +} diff --git a/nixpkgs/nixos/modules/security/acme.xml b/nixpkgs/nixos/modules/security/acme.xml new file mode 100644 index 000000000000..ef71fe53d0c7 --- /dev/null +++ b/nixpkgs/nixos/modules/security/acme.xml @@ -0,0 +1,99 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="module-security-acme"> + <title>SSL/TLS Certificates with ACME</title> + <para> + NixOS supports automatic domain validation & certificate retrieval and + renewal using the ACME protocol. This is currently only implemented by and + for Let's Encrypt. The alternative ACME client <literal>simp_le</literal> is + used under the hood. + </para> + <section xml:id="module-security-acme-prerequisites"> + <title>Prerequisites</title> + + <para> + You need to have a running HTTP server for verification. The server must + have a webroot defined that can serve + <filename>.well-known/acme-challenge</filename>. This directory must be + writeable by the user that will run the ACME client. + </para> + + <para> + For instance, this generic snippet could be used for Nginx: +<programlisting> +http { + server { + server_name _; + listen 80; + listen [::]:80; + + location /.well-known/acme-challenge { + root /var/www/challenges; + } + + location / { + return 301 https://$host$request_uri; + } + } +} +</programlisting> + </para> + </section> + <section xml:id="module-security-acme-configuring"> + <title>Configuring</title> + + <para> + To enable ACME certificate retrieval & renewal for a certificate for + <literal>foo.example.com</literal>, add the following in your + <filename>configuration.nix</filename>: +<programlisting> +<xref linkend="opt-security.acme.certs"/>."foo.example.com" = { + <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/challenges"; + <link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com"; +}; +</programlisting> + </para> + + <para> + The private key <filename>key.pem</filename> and certificate + <filename>fullchain.pem</filename> will be put into + <filename>/var/lib/acme/foo.example.com</filename>. The target directory can + be configured with the option <xref linkend="opt-security.acme.directory"/>. + </para> + + <para> + Refer to <xref linkend="ch-options" /> for all available configuration + options for the <link linkend="opt-security.acme.certs">security.acme</link> + module. + </para> + </section> + <section xml:id="module-security-acme-nginx"> + <title>Using ACME certificates in Nginx</title> + + <para> + NixOS supports fetching ACME certificates for you by setting + <literal><link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> + = true;</literal> in a virtualHost config. We first create self-signed + placeholder certificates in place of the real ACME certs. The placeholder + certs are overwritten when the ACME certs arrive. For + <literal>foo.example.com</literal> the config would look like. + </para> + +<programlisting> +services.nginx = { + <link linkend="opt-services.nginx.enable">enable = true;</link> + <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = { + "foo.example.com" = { + <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true; + locations."/" = { + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www"; + }; + }; + }; +} +</programlisting> + </section> +</chapter> diff --git a/nixpkgs/nixos/modules/security/apparmor-suid.nix b/nixpkgs/nixos/modules/security/apparmor-suid.nix new file mode 100644 index 000000000000..498c2f25d1c0 --- /dev/null +++ b/nixpkgs/nixos/modules/security/apparmor-suid.nix @@ -0,0 +1,45 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.security.apparmor; +in +with lib; +{ + + options.security.apparmor.confineSUIDApplications = mkOption { + default = true; + description = '' + Install AppArmor profiles for commonly-used SUID application + to mitigate potential privilege escalation attacks due to bugs + in such applications. + + Currently available profiles: ping + ''; + }; + + config = mkIf (cfg.confineSUIDApplications) { + security.apparmor.profiles = [ (pkgs.writeText "ping" '' + #include <tunables/global> + /run/wrappers/bin/ping { + #include <abstractions/base> + #include <abstractions/consoles> + #include <abstractions/nameservice> + + capability net_raw, + capability setuid, + network inet raw, + + ${pkgs.stdenv.cc.libc.out}/lib/*.so mr, + ${pkgs.libcap.lib}/lib/libcap.so* mr, + ${pkgs.attr.out}/lib/libattr.so* mr, + + ${pkgs.iputils}/bin/ping mixr, + + #/etc/modules.conf r, + + ## Site-specific additions and overrides. See local/README for details. + ##include <local/bin.ping> + } + '') ]; + }; + +} diff --git a/nixpkgs/nixos/modules/security/apparmor.nix b/nixpkgs/nixos/modules/security/apparmor.nix new file mode 100644 index 000000000000..d323a158a4df --- /dev/null +++ b/nixpkgs/nixos/modules/security/apparmor.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkOption types concatMapStrings; + cfg = config.security.apparmor; +in + +{ + options = { + security.apparmor = { + enable = mkOption { + type = types.bool; + default = false; + description = "Enable the AppArmor Mandatory Access Control system."; + }; + profiles = mkOption { + type = types.listOf types.path; + default = []; + description = "List of files containing AppArmor profiles."; + }; + packages = mkOption { + type = types.listOf types.package; + default = []; + description = "List of packages to be added to apparmor's include path"; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.apparmor-utils ]; + + systemd.services.apparmor = let + paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d") + ([ pkgs.apparmor-profiles ] ++ cfg.packages); + in { + wantedBy = [ "local-fs.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = map (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"'' + ) cfg.profiles; + ExecStop = map (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"'' + ) cfg.profiles; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/security/audit.nix b/nixpkgs/nixos/modules/security/audit.nix new file mode 100644 index 000000000000..2b22bdd9f0ae --- /dev/null +++ b/nixpkgs/nixos/modules/security/audit.nix @@ -0,0 +1,123 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.security.audit; + enabled = cfg.enable == "lock" || cfg.enable; + + failureModes = { + silent = 0; + printk = 1; + panic = 2; + }; + + disableScript = pkgs.writeScript "audit-disable" '' + #!${pkgs.runtimeShell} -eu + # Explicitly disable everything, as otherwise journald might start it. + auditctl -D + auditctl -e 0 -a task,never + ''; + + # TODO: it seems like people like their rules to be somewhat secret, yet they will not be if + # put in the store like this. At the same time, it doesn't feel like a huge deal and working + # around that is a pain so I'm leaving it like this for now. + startScript = pkgs.writeScript "audit-start" '' + #!${pkgs.runtimeShell} -eu + # Clear out any rules we may start with + auditctl -D + + # Put the rules in a temporary file owned and only readable by root + rulesfile="$(mktemp)" + ${concatMapStrings (x: "echo '${x}' >> $rulesfile\n") cfg.rules} + + # Apply the requested rules + auditctl -R "$rulesfile" + + # Enable and configure auditing + auditctl \ + -e ${if cfg.enable == "lock" then "2" else "1"} \ + -b ${toString cfg.backlogLimit} \ + -f ${toString failureModes.${cfg.failureMode}} \ + -r ${toString cfg.rateLimit} + ''; + + stopScript = pkgs.writeScript "audit-stop" '' + #!${pkgs.runtimeShell} -eu + # Clear the rules + auditctl -D + + # Disable auditing + auditctl -e 0 + ''; +in { + options = { + security.audit = { + enable = mkOption { + type = types.enum [ false true "lock" ]; + default = false; + description = '' + Whether to enable the Linux audit system. The special `lock' value can be used to + enable auditing and prevent disabling it until a restart. Be careful about locking + this, as it will prevent you from changing your audit configuration until you + restart. If possible, test your configuration using build-vm beforehand. + ''; + }; + + failureMode = mkOption { + type = types.enum [ "silent" "printk" "panic" ]; + default = "printk"; + description = "How to handle critical errors in the auditing system"; + }; + + backlogLimit = mkOption { + type = types.int; + default = 64; # Apparently the kernel default + description = '' + The maximum number of outstanding audit buffers allowed; exceeding this is + considered a failure and handled in a manner specified by failureMode. + ''; + }; + + rateLimit = mkOption { + type = types.int; + default = 0; + description = '' + The maximum messages per second permitted before triggering a failure as + specified by failureMode. Setting it to zero disables the limit. + ''; + }; + + rules = mkOption { + type = types.listOf types.str; # (types.either types.str (types.submodule rule)); + default = []; + example = [ "-a exit,always -F arch=b64 -S execve" ]; + description = '' + The ordered audit rules, with each string appearing as one line of the audit.rules file. + ''; + }; + }; + }; + + config = { + systemd.services.audit = { + description = "Kernel Auditing"; + wantedBy = [ "basic.target" ]; + + unitConfig = { + ConditionVirtualization = "!container"; + ConditionSecurity = [ "audit" ]; + }; + + + path = [ pkgs.audit ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "@${if enabled then startScript else disableScript} audit-start"; + ExecStop = "@${stopScript} audit-stop"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/security/auditd.nix b/nixpkgs/nixos/modules/security/auditd.nix new file mode 100644 index 000000000000..6abac244dac2 --- /dev/null +++ b/nixpkgs/nixos/modules/security/auditd.nix @@ -0,0 +1,27 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + options.security.auditd.enable = mkEnableOption "the Linux Audit daemon"; + + config = mkIf config.security.auditd.enable { + systemd.services.auditd = { + description = "Linux Audit daemon"; + wantedBy = [ "basic.target" ]; + + unitConfig = { + ConditionVirtualization = "!container"; + ConditionSecurity = [ "audit" ]; + DefaultDependencies = false; + }; + + path = [ pkgs.audit ]; + + serviceConfig = { + ExecStartPre="${pkgs.coreutils}/bin/mkdir -p /var/log/audit"; + ExecStart = "${pkgs.audit}/bin/auditd -l -n -s nochange"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/security/ca.nix b/nixpkgs/nixos/modules/security/ca.nix new file mode 100644 index 000000000000..1c4ee421fc56 --- /dev/null +++ b/nixpkgs/nixos/modules/security/ca.nix @@ -0,0 +1,95 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.security.pki; + + cacertPackage = pkgs.cacert.override { + blacklist = cfg.caCertificateBlacklist; + }; + + caCertificates = pkgs.runCommand "ca-certificates.crt" + { files = + cfg.certificateFiles ++ + [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ]; + preferLocalBuild = true; + } + '' + cat $files > $out + ''; + +in + +{ + + options = { + + security.pki.certificateFiles = mkOption { + type = types.listOf types.path; + default = []; + example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]"; + description = '' + A list of files containing trusted root certificates in PEM + format. These are concatenated to form + <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is + used by many programs that use OpenSSL, such as + <command>curl</command> and <command>git</command>. + ''; + }; + + security.pki.certificates = mkOption { + type = types.listOf types.str; + default = []; + example = literalExample '' + [ ''' + NixOS.org + ========= + -----BEGIN CERTIFICATE----- + MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ + TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0 + ... + -----END CERTIFICATE----- + ''' + ] + ''; + description = '' + A list of trusted root certificates in PEM format. + ''; + }; + + security.pki.caCertificateBlacklist = mkOption { + type = types.listOf types.str; + default = []; + example = [ + "WoSign" "WoSign China" + "CA WoSign ECC Root" + "Certification Authority of WoSign G2" + ]; + description = '' + A list of blacklisted CA certificate names that won't be imported from + the Mozilla Trust Store into + <filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the + names from that file. + ''; + }; + + }; + + config = { + + security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ]; + + # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. + environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates; + + # Old NixOS compatibility. + environment.etc."ssl/certs/ca-bundle.crt".source = caCertificates; + + # CentOS/Fedora compatibility. + environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates; + + }; + +} diff --git a/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix b/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix new file mode 100644 index 000000000000..be6acb3f1f53 --- /dev/null +++ b/nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix @@ -0,0 +1,29 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.security.chromiumSuidSandbox; + sandbox = pkgs.chromium.sandbox; +in +{ + options.security.chromiumSuidSandbox.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to install the Chromium SUID sandbox which is an executable that + Chromium may use in order to achieve sandboxing. + + If you get the error "The SUID sandbox helper binary was found, but is not + configured correctly.", turning this on might help. + + Also, if the URL chrome://sandbox tells you that "You are not adequately + sandboxed!", turning this on might resolve the issue. + ''; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ sandbox ]; + security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}"; + }; +} diff --git a/nixpkgs/nixos/modules/security/dhparams.nix b/nixpkgs/nixos/modules/security/dhparams.nix new file mode 100644 index 000000000000..62a499ea624d --- /dev/null +++ b/nixpkgs/nixos/modules/security/dhparams.nix @@ -0,0 +1,175 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkOption types; + cfg = config.security.dhparams; + + bitType = types.addCheck types.int (b: b >= 16) // { + name = "bits"; + description = "integer of at least 16 bits"; + }; + + paramsSubmodule = { name, config, ... }: { + options.bits = mkOption { + type = bitType; + default = cfg.defaultBitSize; + description = '' + The bit size for the prime that is used during a Diffie-Hellman + key exchange. + ''; + }; + + options.path = mkOption { + type = types.path; + readOnly = true; + description = '' + The resulting path of the generated Diffie-Hellman parameters + file for other services to reference. This could be either a + store path or a file inside the directory specified by + <option>security.dhparams.path</option>. + ''; + }; + + config.path = let + generated = pkgs.runCommand "dhparams-${name}.pem" { + nativeBuildInputs = [ pkgs.openssl ]; + } "openssl dhparam -out \"$out\" ${toString config.bits}"; + in if cfg.stateful then "${cfg.path}/${name}.pem" else generated; + }; + +in { + options = { + security.dhparams = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to generate new DH params and clean up old DH params. + ''; + }; + + params = mkOption { + type = with types; let + coerce = bits: { inherit bits; }; + in attrsOf (coercedTo int coerce (submodule paramsSubmodule)); + default = {}; + example = lib.literalExample "{ nginx.bits = 3072; }"; + description = '' + Diffie-Hellman parameters to generate. + + The value is the size (in bits) of the DH params to generate. The + generated DH params path can be found in + <literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>. + + <note><para>The name of the DH params is taken as being the name of + the service it serves and the params will be generated before the + said service is started.</para></note> + + <warning><para>If you are removing all dhparams from this list, you + have to leave <option>security.dhparams.enable</option> for at + least one activation in order to have them be cleaned up. This also + means if you rollback to a version without any dhparams the + existing ones won't be cleaned up. Of course this only applies if + <option>security.dhparams.stateful</option> is + <literal>true</literal>.</para></warning> + + <note><title>For module implementers:</title><para>It's recommended + to not set a specific bit size here, so that users can easily + override this by setting + <option>security.dhparams.defaultBitSize</option>.</para></note> + ''; + }; + + stateful = mkOption { + type = types.bool; + default = true; + description = '' + Whether generation of Diffie-Hellman parameters should be stateful or + not. If this is enabled, PEM-encoded files for Diffie-Hellman + parameters are placed in the directory specified by + <option>security.dhparams.path</option>. Otherwise the files are + created within the Nix store. + + <note><para>If this is <literal>false</literal> the resulting store + path will be non-deterministic and will be rebuilt every time the + <package>openssl</package> package changes.</para></note> + ''; + }; + + defaultBitSize = mkOption { + type = bitType; + default = 2048; + description = '' + This allows to override the default bit size for all of the + Diffie-Hellman parameters set in + <option>security.dhparams.params</option>. + ''; + }; + + path = mkOption { + type = types.str; + default = "/var/lib/dhparams"; + description = '' + Path to the directory in which Diffie-Hellman parameters will be + stored. This only is relevant if + <option>security.dhparams.stateful</option> is + <literal>true</literal>. + ''; + }; + }; + }; + + config = lib.mkIf (cfg.enable && cfg.stateful) { + systemd.services = { + dhparams-init = { + description = "Clean Up Old Diffie-Hellman Parameters"; + + # Clean up even when no DH params is set + wantedBy = [ "multi-user.target" ]; + + serviceConfig.RemainAfterExit = true; + serviceConfig.Type = "oneshot"; + + script = '' + if [ ! -d ${cfg.path} ]; then + mkdir -p ${cfg.path} + fi + + # Remove old dhparams + for file in ${cfg.path}/*; do + if [ ! -f "$file" ]; then + continue + fi + ${lib.concatStrings (lib.mapAttrsToList (name: { bits, path, ... }: '' + if [ "$file" = ${lib.escapeShellArg path} ] && \ + ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text \ + | head -n 1 | grep "(${toString bits} bit)" > /dev/null; then + continue + fi + '') cfg.params)} + rm $file + done + + # TODO: Ideally this would be removing the *former* cfg.path, though + # this does not seem really important as changes to it are quite + # unlikely + rmdir --ignore-fail-on-non-empty ${cfg.path} + ''; + }; + } // lib.mapAttrs' (name: { bits, path, ... }: lib.nameValuePair "dhparams-gen-${name}" { + description = "Generate Diffie-Hellman Parameters for ${name}"; + after = [ "dhparams-init.service" ]; + before = [ "${name}.service" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig.ConditionPathExists = "!${path}"; + serviceConfig.Type = "oneshot"; + script = '' + mkdir -p ${lib.escapeShellArg cfg.path} + ${pkgs.openssl}/bin/openssl dhparam -out ${lib.escapeShellArg path} \ + ${toString bits} + ''; + }) cfg.params; + }; + + meta.maintainers = with lib.maintainers; [ ekleog ]; +} diff --git a/nixpkgs/nixos/modules/security/duosec.nix b/nixpkgs/nixos/modules/security/duosec.nix new file mode 100644 index 000000000000..997328ad9e6a --- /dev/null +++ b/nixpkgs/nixos/modules/security/duosec.nix @@ -0,0 +1,203 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.security.duosec; + + boolToStr = b: if b then "yes" else "no"; + + configFilePam = '' + [duo] + ikey=${cfg.ikey} + skey=${cfg.skey} + host=${cfg.host} + ${optionalString (cfg.group != "") ("group="+cfg.group)} + failmode=${cfg.failmode} + pushinfo=${boolToStr cfg.pushinfo} + autopush=${boolToStr cfg.autopush} + prompts=${toString cfg.prompts} + fallback_local_ip=${boolToStr cfg.fallbackLocalIP} + ''; + + configFileLogin = configFilePam + '' + motd=${boolToStr cfg.motd} + accept_env_factor=${boolToStr cfg.acceptEnvFactor} + ''; + + loginCfgFile = optional cfg.ssh.enable + { source = pkgs.writeText "login_duo.conf" configFileLogin; + mode = "0600"; + user = "sshd"; + target = "duo/login_duo.conf"; + }; + + pamCfgFile = optional cfg.pam.enable + { source = pkgs.writeText "pam_duo.conf" configFilePam; + mode = "0600"; + user = "sshd"; + target = "duo/pam_duo.conf"; + }; +in +{ + options = { + security.duosec = { + ssh.enable = mkOption { + type = types.bool; + default = false; + description = "If enabled, protect SSH logins with Duo Security."; + }; + + pam.enable = mkOption { + type = types.bool; + default = false; + description = "If enabled, protect logins with Duo Security using PAM support."; + }; + + ikey = mkOption { + type = types.str; + description = "Integration key."; + }; + + skey = mkOption { + type = types.str; + description = "Secret key."; + }; + + host = mkOption { + type = types.str; + description = "Duo API hostname."; + }; + + group = mkOption { + type = types.str; + default = ""; + description = "Use Duo authentication for users only in this group."; + }; + + failmode = mkOption { + type = types.enum [ "safe" "secure" ]; + default = "safe"; + description = '' + On service or configuration errors that prevent Duo + authentication, fail "safe" (allow access) or "secure" (deny + access). The default is "safe". + ''; + }; + + pushinfo = mkOption { + type = types.bool; + default = false; + description = '' + Include information such as the command to be executed in + the Duo Push message. + ''; + }; + + autopush = mkOption { + type = types.bool; + default = false; + description = '' + If <literal>true</literal>, Duo Unix will automatically send + a push login request to the user’s phone, falling back on a + phone call if push is unavailable. If + <literal>false</literal>, the user will be prompted to + choose an authentication method. When configured with + <literal>autopush = yes</literal>, we recommend setting + <literal>prompts = 1</literal>. + ''; + }; + + motd = mkOption { + type = types.bool; + default = false; + description = '' + Print the contents of <literal>/etc/motd</literal> to screen + after a successful login. + ''; + }; + + prompts = mkOption { + type = types.enum [ 1 2 3 ]; + default = 3; + description = '' + If a user fails to authenticate with a second factor, Duo + Unix will prompt the user to authenticate again. This option + sets the maximum number of prompts that Duo Unix will + display before denying access. Must be 1, 2, or 3. Default + is 3. + + For example, when <literal>prompts = 1</literal>, the user + will have to successfully authenticate on the first prompt, + whereas if <literal>prompts = 2</literal>, if the user + enters incorrect information at the initial prompt, he/she + will be prompted to authenticate again. + + When configured with <literal>autopush = true</literal>, we + recommend setting <literal>prompts = 1</literal>. + ''; + }; + + acceptEnvFactor = mkOption { + type = types.bool; + default = false; + description = '' + Look for factor selection or passcode in the + <literal>$DUO_PASSCODE</literal> environment variable before + prompting the user for input. + + When $DUO_PASSCODE is non-empty, it will override + autopush. The SSH client will need SendEnv DUO_PASSCODE in + its configuration, and the SSH server will similarly need + AcceptEnv DUO_PASSCODE. + ''; + }; + + fallbackLocalIP = mkOption { + type = types.bool; + default = false; + description = '' + Duo Unix reports the IP address of the authorizing user, for + the purposes of authorization and whitelisting. If Duo Unix + cannot detect the IP address of the client, setting + <literal>fallbackLocalIP = yes</literal> will cause Duo Unix + to send the IP address of the server it is running on. + + If you are using IP whitelisting, enabling this option could + cause unauthorized logins if the local IP is listed in the + whitelist. + ''; + }; + + allowTcpForwarding = mkOption { + type = types.bool; + default = false; + description = '' + By default, when SSH forwarding, enabling Duo Security will + disable TCP forwarding. By enabling this, you potentially + undermine some of the SSH based login security. Note this is + not needed if you use PAM. + ''; + }; + }; + }; + + config = mkIf (cfg.ssh.enable || cfg.pam.enable) { + environment.systemPackages = [ pkgs.duo-unix ]; + + security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; + environment.etc = loginCfgFile ++ pamCfgFile; + + /* If PAM *and* SSH are enabled, then don't do anything special. + If PAM isn't used, set the default SSH-only options. */ + services.openssh.extraConfig = mkIf (cfg.ssh.enable || cfg.pam.enable) ( + if cfg.pam.enable then "UseDNS no" else '' + # Duo Security configuration + ForceCommand ${config.security.wrapperDir}/login_duo + PermitTunnel no + ${optionalString (!cfg.allowTcpForwarding) '' + AllowTcpForwarding no + ''} + ''); + }; +} diff --git a/nixpkgs/nixos/modules/security/google_oslogin.nix b/nixpkgs/nixos/modules/security/google_oslogin.nix new file mode 100644 index 000000000000..246419b681af --- /dev/null +++ b/nixpkgs/nixos/modules/security/google_oslogin.nix @@ -0,0 +1,68 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.security.googleOsLogin; + package = pkgs.google-compute-engine-oslogin; + +in + +{ + + options = { + + security.googleOsLogin.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Google OS Login + + The OS Login package enables the following components: + AuthorizedKeysCommand to query valid SSH keys from the user's OS Login + profile during ssh authentication phase. + NSS Module to provide user and group information + PAM Module for the sshd service, providing authorization and + authentication support, allowing the system to use data stored in + Google Cloud IAM permissions to control both, the ability to log into + an instance, and to perform operations as root (sudo). + ''; + }; + + }; + + config = mkIf cfg.enable { + security.pam.services.sshd = { + makeHomeDir = true; + googleOsLoginAccountVerification = true; + # disabled for now: googleOsLoginAuthentication = true; + }; + + security.sudo.extraConfig = '' + #includedir /run/google-sudoers.d + ''; + systemd.tmpfiles.rules = [ + "d /run/google-sudoers.d 750 root root -" + "d /var/google-users.d 750 root root -" + ]; + + # enable the nss module, so user lookups etc. work + system.nssModules = [ package ]; + + # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable. + # So indirect by a symlink. + environment.etc."ssh/authorized_keys_command_google_oslogin" = { + mode = "0755"; + text = '' + #!/bin/sh + exec ${package}/bin/google_authorized_keys "$@" + ''; + }; + services.openssh.extraConfig = '' + AuthorizedKeysCommand /etc/ssh/authorized_keys_command_google_oslogin %u + AuthorizedKeysCommandUser nobody + ''; + }; + +} diff --git a/nixpkgs/nixos/modules/security/hidepid.nix b/nixpkgs/nixos/modules/security/hidepid.nix new file mode 100644 index 000000000000..55a48ea3c9c6 --- /dev/null +++ b/nixpkgs/nixos/modules/security/hidepid.nix @@ -0,0 +1,27 @@ +{ config, lib, ... }: +with lib; + +{ + meta = { + maintainers = [ maintainers.joachifm ]; + doc = ./hidepid.xml; + }; + + options = { + security.hideProcessInformation = mkOption { + type = types.bool; + default = false; + description = '' + Restrict process information to the owning user. + ''; + }; + }; + + config = mkIf config.security.hideProcessInformation { + users.groups.proc.gid = config.ids.gids.proc; + users.groups.proc.members = [ "polkituser" ]; + + boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ]; + systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ]; + }; +} diff --git a/nixpkgs/nixos/modules/security/hidepid.xml b/nixpkgs/nixos/modules/security/hidepid.xml new file mode 100644 index 000000000000..5a17cb1da412 --- /dev/null +++ b/nixpkgs/nixos/modules/security/hidepid.xml @@ -0,0 +1,28 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-hidepid"> + <title>Hiding process information</title> + <para> + Setting +<programlisting> +<xref linkend="opt-security.hideProcessInformation"/> = true; +</programlisting> + ensures that access to process information is restricted to the owning user. + This implies, among other things, that command-line arguments remain private. + Unless your deployment relies on unprivileged users being able to inspect the + process information of other users, this option should be safe to enable. + </para> + <para> + Members of the <literal>proc</literal> group are exempt from process + information hiding. + </para> + <para> + To allow a service <replaceable>foo</replaceable> to run without process + information hiding, set +<programlisting> +<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.<replaceable>foo</replaceable>.serviceConfig</link>.SupplementaryGroups = [ "proc" ]; +</programlisting> + </para> +</chapter> diff --git a/nixpkgs/nixos/modules/security/lock-kernel-modules.nix b/nixpkgs/nixos/modules/security/lock-kernel-modules.nix new file mode 100644 index 000000000000..fc9e7939d814 --- /dev/null +++ b/nixpkgs/nixos/modules/security/lock-kernel-modules.nix @@ -0,0 +1,48 @@ +{ config, lib, ... }: + +with lib; + +{ + meta = { + maintainers = [ maintainers.joachifm ]; + }; + + options = { + security.lockKernelModules = mkOption { + type = types.bool; + default = false; + description = '' + Disable kernel module loading once the system is fully initialised. + Module loading is disabled until the next reboot. Problems caused + by delayed module loading can be fixed by adding the module(s) in + question to <option>boot.kernelModules</option>. + ''; + }; + }; + + config = mkIf config.security.lockKernelModules { + boot.kernelModules = concatMap (x: + if x.device != null + then + if x.fsType == "vfat" + then [ "vfat" "nls-cp437" "nls-iso8859-1" ] + else [ x.fsType ] + else []) config.system.build.fileSystems; + + systemd.services.disable-kernel-module-loading = rec { + description = "Disable kernel module loading"; + + wantedBy = [ config.systemd.defaultUnit ]; + + after = [ "systemd-udev-settle.service" "firewall.service" "systemd-modules-load.service" ] ++ wantedBy; + + unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel"; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "/bin/sh -c 'echo -n 1 >/proc/sys/kernel/modules_disabled'"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/security/misc.nix b/nixpkgs/nixos/modules/security/misc.nix new file mode 100644 index 000000000000..ecf22bf81c59 --- /dev/null +++ b/nixpkgs/nixos/modules/security/misc.nix @@ -0,0 +1,135 @@ +{ config, lib, ... }: + +with lib; + +{ + meta = { + maintainers = [ maintainers.joachifm ]; + }; + + options = { + security.allowUserNamespaces = mkOption { + type = types.bool; + default = true; + description = '' + Whether to allow creation of user namespaces. + </para> + + <para> + The motivation for disabling user namespaces is the potential + presence of code paths where the kernel's permission checking + logic fails to account for namespacing, instead permitting a + namespaced process to act outside the namespace with the same + privileges as it would have inside it. This is particularly + damaging in the common case of running as root within the namespace. + </para> + + <para> + When user namespace creation is disallowed, attempting to create a + user namespace fails with "no space left on device" (ENOSPC). + root may re-enable user namespace creation at runtime. + </para> + <para> + ''; + }; + + security.protectKernelImage = mkOption { + type = types.bool; + default = false; + description = '' + Whether to prevent replacing the running kernel image. + ''; + }; + + security.allowSimultaneousMultithreading = mkOption { + type = types.bool; + default = true; + description = '' + Whether to allow SMT/hyperthreading. Disabling SMT means that only + physical CPU cores will be usable at runtime, potentially at + significant performance cost. + </para> + + <para> + The primary motivation for disabling SMT is to mitigate the risk of + leaking data between threads running on the same CPU core (due to + e.g., shared caches). This attack vector is unproven. + </para> + + <para> + Disabling SMT is a supplement to the L1 data cache flushing mitigation + (see <xref linkend="opt-security.virtualization.flushL1DataCache"/>) + versus malicious VM guests (SMT could "bring back" previously flushed + data). + </para> + <para> + ''; + }; + + security.virtualization.flushL1DataCache = mkOption { + type = types.nullOr (types.enum [ "never" "cond" "always" ]); + default = null; + description = '' + Whether the hypervisor should flush the L1 data cache before + entering guests. + See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>. + </para> + + <para> + <variablelist> + <varlistentry> + <term><literal>null</literal></term> + <listitem><para>uses the kernel default</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"never"</literal></term> + <listitem><para>disables L1 data cache flushing entirely. + May be appropriate if all guests are trusted.</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"cond"</literal></term> + <listitem><para>flushes L1 data cache only for pre-determined + code paths. May leak information about the host address space + layout.</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"always"</literal></term> + <listitem><para>flushes L1 data cache every time the hypervisor + enters the guest. May incur significant performance cost. + </para></listitem> + </varlistentry> + </variablelist> + ''; + }; + }; + + config = mkMerge [ + (mkIf (!config.security.allowUserNamespaces) { + # Setting the number of allowed user namespaces to 0 effectively disables + # the feature at runtime. Note that root may raise the limit again + # at any time. + boot.kernel.sysctl."user.max_user_namespaces" = 0; + + assertions = [ + { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces; + message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`."; + } + ]; + }) + + (mkIf config.security.protectKernelImage { + # Disable hibernation (allows replacing the running kernel) + boot.kernelParams = [ "nohibernate" ]; + # Prevent replacing the running kernel image w/o reboot + boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; + }) + + (mkIf (!config.security.allowSimultaneousMultithreading) { + boot.kernelParams = [ "nosmt" ]; + }) + + (mkIf (config.security.virtualization.flushL1DataCache != null) { + boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ]; + }) + ]; +} diff --git a/nixpkgs/nixos/modules/security/oath.nix b/nixpkgs/nixos/modules/security/oath.nix new file mode 100644 index 000000000000..93bdc851117a --- /dev/null +++ b/nixpkgs/nixos/modules/security/oath.nix @@ -0,0 +1,50 @@ +# This module provides configuration for the OATH PAM modules. + +{ lib, ... }: + +with lib; + +{ + options = { + + security.pam.oath = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable the OATH (one-time password) PAM module. + ''; + }; + + digits = mkOption { + type = types.enum [ 6 7 8 ]; + default = 6; + description = '' + Specify the length of the one-time password in number of + digits. + ''; + }; + + window = mkOption { + type = types.int; + default = 5; + description = '' + Specify the number of one-time passwords to check in order + to accommodate for situations where the system and the + client are slightly out of sync (iteration for HOTP or time + steps for TOTP). + ''; + }; + + usersFile = mkOption { + type = types.path; + default = "/etc/users.oath"; + description = '' + Set the path to file where the user's credentials are + stored. This file must not be world readable! + ''; + }; + }; + + }; +} diff --git a/nixpkgs/nixos/modules/security/pam.nix b/nixpkgs/nixos/modules/security/pam.nix new file mode 100644 index 000000000000..89e71c5136e4 --- /dev/null +++ b/nixpkgs/nixos/modules/security/pam.nix @@ -0,0 +1,785 @@ +# This module provides configuration for the PAM (Pluggable +# Authentication Modules) system. + +{ config, lib, pkgs, ... }: + +with lib; + +let + parentConfig = config; + + pamOpts = { config, name, ... }: let cfg = config; in let config = parentConfig; in { + + options = { + + name = mkOption { + example = "sshd"; + type = types.str; + description = "Name of the PAM service."; + }; + + unixAuth = mkOption { + default = true; + type = types.bool; + description = '' + Whether users can log in with passwords defined in + <filename>/etc/shadow</filename>. + ''; + }; + + rootOK = mkOption { + default = false; + type = types.bool; + description = '' + If set, root doesn't need to authenticate (e.g. for the + <command>useradd</command> service). + ''; + }; + + u2fAuth = mkOption { + default = config.security.pam.u2f.enable; + type = types.bool; + description = '' + If set, users listed in + <filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or + <filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is + not set) are able to log in with the associated U2F key. Path can be + changed using <option>security.pam.u2f.authFile</option> option. + ''; + }; + + yubicoAuth = mkOption { + default = config.security.pam.yubico.enable; + type = types.bool; + description = '' + If set, users listed in + <filename>~/.yubico/authorized_yubikeys</filename> + are able to log in with the asociated Yubikey tokens. + ''; + }; + + googleAuthenticator = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + If set, users with enabled Google Authenticator (created + <filename>~/.google_authenticator</filename>) will be required + to provide Google Authenticator token to log in. + ''; + }; + }; + + usbAuth = mkOption { + default = config.security.pam.usb.enable; + type = types.bool; + description = '' + If set, users listed in + <filename>/etc/pamusb.conf</filename> are able to log in + with the associated USB key. + ''; + }; + + otpwAuth = mkOption { + default = config.security.pam.enableOTPW; + type = types.bool; + description = '' + If set, the OTPW system will be used (if + <filename>~/.otpw</filename> exists). + ''; + }; + + googleOsLoginAccountVerification = mkOption { + default = false; + type = types.bool; + description = '' + If set, will use the Google OS Login PAM modules + (<literal>pam_oslogin_login</literal>, + <literal>pam_oslogin_admin</literal>) to verify possible OS Login + users and set sudoers configuration accordingly. + This only makes sense to enable for the <literal>sshd</literal> PAM + service. + ''; + }; + + googleOsLoginAuthentication = mkOption { + default = false; + type = types.bool; + description = '' + If set, will use the <literal>pam_oslogin_login</literal>'s user + authentication methods to authenticate users using 2FA. + This only makes sense to enable for the <literal>sshd</literal> PAM + service. + ''; + }; + + fprintAuth = mkOption { + default = config.services.fprintd.enable; + type = types.bool; + description = '' + If set, fingerprint reader will be used (if exists and + your fingerprints are enrolled). + ''; + }; + + oathAuth = mkOption { + default = config.security.pam.oath.enable; + type = types.bool; + description = '' + If set, the OATH Toolkit will be used. + ''; + }; + + sshAgentAuth = mkOption { + default = false; + type = types.bool; + description = '' + If set, the calling user's SSH agent is used to authenticate + against the keys in the calling user's + <filename>~/.ssh/authorized_keys</filename>. This is useful + for <command>sudo</command> on password-less remote systems. + ''; + }; + + duoSecurity = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + If set, use the Duo Security pam module + <literal>pam_duo</literal> for authentication. Requires + configuration of <option>security.duosec</option> options. + ''; + }; + }; + + startSession = mkOption { + default = false; + type = types.bool; + description = '' + If set, the service will register a new session with + systemd's login manager. For local sessions, this will give + the user access to audio devices, CD-ROM drives. In the + default PolicyKit configuration, it also allows the user to + reboot the system. + ''; + }; + + setEnvironment = mkOption { + type = types.bool; + default = true; + description = '' + Whether the service should set the environment variables + listed in <option>environment.sessionVariables</option> + using <literal>pam_env.so</literal>. + ''; + }; + + setLoginUid = mkOption { + type = types.bool; + description = '' + Set the login uid of the process + (<filename>/proc/self/loginuid</filename>) for auditing + purposes. The login uid is only set by ‘entry points’ like + <command>login</command> and <command>sshd</command>, not by + commands like <command>sudo</command>. + ''; + }; + + forwardXAuth = mkOption { + default = false; + type = types.bool; + description = '' + Whether X authentication keys should be passed from the + calling user to the target user (e.g. for + <command>su</command>) + ''; + }; + + pamMount = mkOption { + default = config.security.pam.mount.enable; + type = types.bool; + description = '' + Enable PAM mount (pam_mount) system to mount fileystems on user login. + ''; + }; + + allowNullPassword = mkOption { + default = false; + type = types.bool; + description = '' + Whether to allow logging into accounts that have no password + set (i.e., have an empty password field in + <filename>/etc/passwd</filename> or + <filename>/etc/group</filename>). This does not enable + logging into disabled accounts (i.e., that have the password + field set to <literal>!</literal>). Note that regardless of + what the pam_unix documentation says, accounts with hashed + empty passwords are always allowed to log in. + ''; + }; + + requireWheel = mkOption { + default = false; + type = types.bool; + description = '' + Whether to permit root access only to members of group wheel. + ''; + }; + + limits = mkOption { + description = '' + Attribute set describing resource limits. Defaults to the + value of <option>security.pam.loginLimits</option>. + ''; + }; + + showMotd = mkOption { + default = false; + type = types.bool; + description = "Whether to show the message of the day."; + }; + + makeHomeDir = mkOption { + default = false; + type = types.bool; + description = '' + Whether to try to create home directories for users + with <literal>$HOME</literal>s pointing to nonexistent + locations on session login. + ''; + }; + + updateWtmp = mkOption { + default = false; + type = types.bool; + description = "Whether to update <filename>/var/log/wtmp</filename>."; + }; + + logFailures = mkOption { + default = false; + type = types.bool; + description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>."; + }; + + enableAppArmor = mkOption { + default = false; + type = types.bool; + description = '' + Enable support for attaching AppArmor profiles at the + user/group level, e.g., as part of a role based access + control scheme. + ''; + }; + + enableKwallet = mkOption { + default = false; + type = types.bool; + description = '' + If enabled, pam_wallet will attempt to automatically unlock the + user's default KDE wallet upon login. If the user has no wallet named + "kdewallet", or the login password does not match their wallet + password, KDE will prompt separately after login. + ''; + }; + sssdStrictAccess = mkOption { + default = false; + type = types.bool; + description = "enforce sssd access control"; + }; + + enableGnomeKeyring = mkOption { + default = false; + type = types.bool; + description = '' + If enabled, pam_gnome_keyring will attempt to automatically unlock the + user's default Gnome keyring upon login. If the user login password does + not match their keyring password, Gnome Keyring will prompt separately + after login. + ''; + }; + + text = mkOption { + type = types.nullOr types.lines; + description = "Contents of the PAM service file."; + }; + + }; + + config = { + name = mkDefault name; + setLoginUid = mkDefault cfg.startSession; + limits = mkDefault config.security.pam.loginLimits; + + # !!! TODO: move the LDAP stuff to the LDAP module, and the + # Samba stuff to the Samba module. This requires that the PAM + # module provides the right hooks. + text = mkDefault + ('' + # Account management. + account required pam_unix.so + ${optionalString use_ldap + "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"} + ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) + "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"} + ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) + "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"} + ${optionalString config.krb5.enable + "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} + ${optionalString cfg.googleOsLoginAccountVerification '' + account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so + account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so + ''} + + # Authentication management. + ${optionalString cfg.googleOsLoginAuthentication + "auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"} + ${optionalString cfg.rootOK + "auth sufficient pam_rootok.so"} + ${optionalString cfg.requireWheel + "auth required pam_wheel.so use_uid"} + ${optionalString cfg.logFailures + "auth required pam_tally.so"} + ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) + "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} + ${optionalString cfg.fprintAuth + "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} + ${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth + "auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"}"} + ${optionalString cfg.usbAuth + "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} + ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth + "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} + ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth + "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so id=${toString yubi.id} ${optionalString yubi.debug "debug"}"} + '' + + # Modules in this block require having the password set in PAM_AUTHTOK. + # pam_unix is marked as 'sufficient' on NixOS which means nothing will run + # after it succeeds. Certain modules need to run after pam_unix + # prompts the user for password so we run it once with 'required' at an + # earlier point and it will run again with 'sufficient' further down. + # We use try_first_pass the second time to avoid prompting password twice + (optionalString (cfg.unixAuth && + (config.security.pam.enableEcryptfs + || cfg.pamMount + || cfg.enableKwallet + || cfg.enableGnomeKeyring + || cfg.googleAuthenticator.enable + || cfg.duoSecurity.enable)) '' + auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth + ${optionalString config.security.pam.enableEcryptfs + "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} + ${optionalString cfg.pamMount + "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} + ${optionalString cfg.enableKwallet + ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" + + " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")} + ${optionalString cfg.enableGnomeKeyring + "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"} + ${optionalString cfg.googleAuthenticator.enable + "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"} + ${optionalString cfg.duoSecurity.enable + "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"} + '') + '' + ${optionalString cfg.unixAuth + "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"} + ${optionalString cfg.otpwAuth + "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} + ${optionalString use_ldap + "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} + ${optionalString config.services.sssd.enable + "auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass"} + ${optionalString config.krb5.enable '' + auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass + auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass + auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass + ''} + auth required pam_deny.so + + # Password management. + password sufficient pam_unix.so nullok sha512 + ${optionalString config.security.pam.enableEcryptfs + "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} + ${optionalString cfg.pamMount + "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} + ${optionalString use_ldap + "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"} + ${optionalString config.services.sssd.enable + "password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok"} + ${optionalString config.krb5.enable + "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"} + ${optionalString config.services.samba.syncPasswordsByPam + "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"} + ${optionalString cfg.enableGnomeKeyring + "password optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"} + + # Session management. + ${optionalString cfg.setEnvironment '' + session required pam_env.so envfile=${config.system.build.pamEnvironment} + ''} + session required pam_unix.so + ${optionalString cfg.setLoginUid + "session ${ + if config.boot.isContainer then "optional" else "required" + } pam_loginuid.so"} + ${optionalString cfg.makeHomeDir + "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"} + ${optionalString cfg.updateWtmp + "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"} + ${optionalString config.security.pam.enableEcryptfs + "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} + ${optionalString use_ldap + "session optional ${pam_ldap}/lib/security/pam_ldap.so"} + ${optionalString config.services.sssd.enable + "session optional ${pkgs.sssd}/lib/security/pam_sss.so"} + ${optionalString config.krb5.enable + "session optional ${pam_krb5}/lib/security/pam_krb5.so"} + ${optionalString cfg.otpwAuth + "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"} + ${optionalString cfg.startSession + "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"} + ${optionalString cfg.forwardXAuth + "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"} + ${optionalString (cfg.limits != []) + "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"} + ${optionalString (cfg.showMotd && config.users.motd != null) + "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"} + ${optionalString cfg.pamMount + "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} + ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable) + "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"} + ${optionalString (cfg.enableKwallet) + ("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" + + " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")} + ${optionalString (cfg.enableGnomeKeyring) + "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} + ${optionalString (config.virtualisation.lxc.lxcfs.enable) + "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"} + ''); + }; + + }; + + + inherit (pkgs) pam_krb5 pam_ccreds; + + use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam); + pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap; + + # Create a limits.conf(5) file. + makeLimitsConf = limits: + pkgs.writeText "limits.conf" + (concatMapStrings ({ domain, type, item, value }: + "${domain} ${type} ${item} ${toString value}\n") + limits); + + motd = pkgs.writeText "motd" config.users.motd; + + makePAMService = pamService: + { source = pkgs.writeText "${pamService.name}.pam" pamService.text; + target = "pam.d/${pamService.name}"; + }; + +in + +{ + + ###### interface + + options = { + + security.pam.loginLimits = mkOption { + default = []; + example = + [ { domain = "ftp"; + type = "hard"; + item = "nproc"; + value = "0"; + } + { domain = "@student"; + type = "-"; + item = "maxlogins"; + value = "4"; + } + ]; + + description = + '' Define resource limits that should apply to users or groups. + Each item in the list should be an attribute set with a + <varname>domain</varname>, <varname>type</varname>, + <varname>item</varname>, and <varname>value</varname> + attribute. The syntax and semantics of these attributes + must be that described in the limits.conf(5) man page. + + Note that these limits do not apply to systemd services, + whose limits can be changed via <option>systemd.extraConfig</option> + instead. + ''; + }; + + security.pam.services = mkOption { + default = []; + type = with types; loaOf (submodule pamOpts); + description = + '' + This option defines the PAM services. A service typically + corresponds to a program that uses PAM, + e.g. <command>login</command> or <command>passwd</command>. + Each attribute of this set defines a PAM service, with the attribute name + defining the name of the service. + ''; + }; + + security.pam.makeHomeDir.skelDirectory = mkOption { + type = types.str; + default = "/var/empty"; + example = "/etc/skel"; + description = '' + Path to skeleton directory whose contents are copied to home + directories newly created by <literal>pam_mkhomedir</literal>. + ''; + }; + + security.pam.enableSSHAgentAuth = mkOption { + default = false; + description = + '' + Enable sudo logins if the user's SSH agent provides a key + present in <filename>~/.ssh/authorized_keys</filename>. + This allows machines to exclusively use SSH keys instead of + passwords. + ''; + }; + + security.pam.enableOTPW = mkOption { + default = false; + description = '' + Enable the OTPW (one-time password) PAM module. + ''; + }; + + security.pam.u2f = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enables U2F PAM (<literal>pam-u2f</literal>) module. + + If set, users listed in + <filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or + <filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is + not set) are able to log in with the associated U2F key. The path can + be changed using <option>security.pam.u2f.authFile</option> option. + + File format is: + <literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal> + This file can be generated using <command>pamu2fcfg</command> command. + + More information can be found <link + xlink:href="https://developers.yubico.com/pam-u2f/">here</link>. + ''; + }; + + authFile = mkOption { + default = null; + type = with types; nullOr path; + description = '' + By default <literal>pam-u2f</literal> module reads the keys from + <filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or + <filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is + not set). + + If you want to change auth file locations or centralize database (for + example use <filename>/etc/u2f-mappings</filename>) you can set this + option. + + File format is: + <literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal> + This file can be generated using <command>pamu2fcfg</command> command. + + More information can be found <link + xlink:href="https://developers.yubico.com/pam-u2f/">here</link>. + ''; + }; + + control = mkOption { + default = "sufficient"; + type = types.enum [ "required" "requisite" "sufficient" "optional" ]; + description = '' + This option sets pam "control". + If you want to have multi factor authentication, use "required". + If you want to use U2F device instead of regular password, use "sufficient". + + Read + <citerefentry> + <refentrytitle>pam.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + for better understanding of this option. + ''; + }; + + debug = mkOption { + default = false; + type = types.bool; + description = '' + Debug output to stderr. + ''; + }; + + interactive = mkOption { + default = false; + type = types.bool; + description = '' + Set to prompt a message and wait before testing the presence of a U2F device. + Recommended if your device doesn’t have a tactile trigger. + ''; + }; + + cue = mkOption { + default = false; + type = types.bool; + description = '' + By default <literal>pam-u2f</literal> module does not inform user + that he needs to use the u2f device, it just waits without a prompt. + + If you set this option to <literal>true</literal>, + <literal>cue</literal> option is added to <literal>pam-u2f</literal> + module and reminder message will be displayed. + ''; + }; + }; + + security.pam.yubico = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enables Yubico PAM (<literal>yubico-pam</literal>) module. + + If set, users listed in + <filename>~/.yubico/authorized_yubikeys</filename> + are able to log in with the associated Yubikey tokens. + + The file must have only one line: + <literal>username:yubikey_token_id1:yubikey_token_id2</literal> + More information can be found <link + xlink:href="https://developers.yubico.com/yubico-pam/">here</link>. + ''; + }; + control = mkOption { + default = "sufficient"; + type = types.enum [ "required" "requisite" "sufficient" "optional" ]; + description = '' + This option sets pam "control". + If you want to have multi factor authentication, use "required". + If you want to use Yubikey instead of regular password, use "sufficient". + + Read + <citerefentry> + <refentrytitle>pam.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + for better understanding of this option. + ''; + }; + id = mkOption { + example = "42"; + type = types.string; + description = "client id"; + }; + + debug = mkOption { + default = false; + type = types.bool; + description = '' + Debug output to stderr. + ''; + }; + }; + + security.pam.enableEcryptfs = mkOption { + default = false; + description = '' + Enable eCryptfs PAM module (mounting ecryptfs home directory on login). + ''; + }; + + users.motd = mkOption { + default = null; + example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178."; + type = types.nullOr types.lines; + description = "Message of the day shown to users when they log in."; + }; + + }; + + + ###### implementation + + config = { + + environment.systemPackages = + # Include the PAM modules in the system path mostly for the manpages. + [ pkgs.pam ] + ++ optional config.users.ldap.enable pam_ldap + ++ optional config.services.sssd.enable pkgs.sssd + ++ optionals config.krb5.enable [pam_krb5 pam_ccreds] + ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] + ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ] + ++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ]; + + boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ]; + + security.wrappers = { + unix_chkpwd = { + source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; + owner = "root"; + setuid = true; + }; + }; + + environment.etc = + mapAttrsToList (n: v: makePAMService v) config.security.pam.services; + + systemd.tmpfiles.rules = optionals + (any (s: s.updateWtmp) (attrValues config.security.pam.services)) + [ + "f /var/log/wtmp" + "f /var/log/lastlog" + ]; + + security.pam.services = + { other.text = + '' + auth required pam_warn.so + auth required pam_deny.so + account required pam_warn.so + account required pam_deny.so + password required pam_warn.so + password required pam_deny.so + session required pam_warn.so + session required pam_deny.so + ''; + + # Most of these should be moved to specific modules. + cups = {}; + ftp = {}; + i3lock = {}; + i3lock-color = {}; + screen = {}; + vlock = {}; + xlock = {}; + xscreensaver = {}; + + runuser = { rootOK = true; unixAuth = false; setEnvironment = false; }; + + /* FIXME: should runuser -l start a systemd session? Currently + it complains "Cannot create session: Already running in a + session". */ + runuser-l = { rootOK = true; unixAuth = false; }; + }; + + }; + +} diff --git a/nixpkgs/nixos/modules/security/pam_mount.nix b/nixpkgs/nixos/modules/security/pam_mount.nix new file mode 100644 index 000000000000..8b131c54a2a5 --- /dev/null +++ b/nixpkgs/nixos/modules/security/pam_mount.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.security.pam.mount; + + anyPamMount = any (attrByPath ["pamMount"] false) (attrValues config.security.pam.services); +in + +{ + options = { + + security.pam.mount = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable PAM mount system to mount fileystems on user login. + ''; + }; + + extraVolumes = mkOption { + type = types.listOf types.str; + default = []; + description = '' + List of volume definitions for pam_mount. + For more information, visit <link + xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />. + ''; + }; + }; + + }; + + config = mkIf (cfg.enable || anyPamMount) { + + environment.systemPackages = [ pkgs.pam_mount ]; + environment.etc = [{ + target = "security/pam_mount.conf.xml"; + source = + let + extraUserVolumes = filterAttrs (n: u: u.cryptHomeLuks != null) config.users.users; + userVolumeEntry = user: "<volume user=\"${user.name}\" path=\"${user.cryptHomeLuks}\" mountpoint=\"${user.home}\" />\n"; + in + pkgs.writeText "pam_mount.conf.xml" '' + <?xml version="1.0" encoding="utf-8" ?> + <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd"> + <!-- auto generated from Nixos: modules/config/users-groups.nix --> + <pam_mount> + <debug enable="0" /> + + ${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))} + ${concatStringsSep "\n" cfg.extraVolumes} + + <!-- if activated, requires ofl from hxtools to be present --> + <logout wait="0" hup="no" term="no" kill="no" /> + <!-- set PATH variable for pam_mount module --> + <path>${pkgs.utillinux}/bin</path> + <!-- create mount point if not present --> + <mkmountpoint enable="1" remove="true" /> + + <!-- specify the binaries to be called --> + <cryptmount>${pkgs.pam_mount}/bin/mount.crypt %(VOLUME) %(MNTPT)</cryptmount> + <cryptumount>${pkgs.pam_mount}/bin/umount.crypt %(MNTPT)</cryptumount> + <pmvarrun>${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun> + </pam_mount> + ''; + }]; + + }; +} diff --git a/nixpkgs/nixos/modules/security/pam_usb.nix b/nixpkgs/nixos/modules/security/pam_usb.nix new file mode 100644 index 000000000000..c695ba075ca9 --- /dev/null +++ b/nixpkgs/nixos/modules/security/pam_usb.nix @@ -0,0 +1,42 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.security.pam.usb; + + anyUsbAuth = any (attrByPath ["usbAuth"] false) (attrValues config.security.pam.services); + +in + +{ + options = { + + security.pam.usb = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable USB login for all login systems that support it. For + more information, visit <link + xlink:href="https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users" />. + ''; + }; + + }; + + }; + + config = mkIf (cfg.enable || anyUsbAuth) { + + # Make sure pmount and pumount are setuid wrapped. + security.wrappers = { + pmount.source = "${pkgs.pmount.out}/bin/pmount"; + pumount.source = "${pkgs.pmount.out}/bin/pumount"; + }; + + environment.systemPackages = [ pkgs.pmount ]; + + }; +} diff --git a/nixpkgs/nixos/modules/security/polkit.nix b/nixpkgs/nixos/modules/security/polkit.nix new file mode 100644 index 000000000000..7f1de81d5b70 --- /dev/null +++ b/nixpkgs/nixos/modules/security/polkit.nix @@ -0,0 +1,105 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.security.polkit; + +in + +{ + + options = { + + security.polkit.enable = mkOption { + type = types.bool; + default = true; + description = "Whether to enable PolKit."; + }; + + security.polkit.extraConfig = mkOption { + type = types.lines; + default = ""; + example = + '' + /* Log authorization checks. */ + polkit.addRule(function(action, subject) { + polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid); + }); + + /* Allow any local user to do anything (dangerous!). */ + polkit.addRule(function(action, subject) { + if (subject.local) return "yes"; + }); + ''; + description = + '' + Any polkit rules to be added to config (in JavaScript ;-). See: + http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules + ''; + }; + + security.polkit.adminIdentities = mkOption { + type = types.listOf types.str; + default = [ "unix-user:0" "unix-group:wheel" ]; + example = [ "unix-user:alice" "unix-group:admin" ]; + description = + '' + Specifies which users are considered “administrators”, for those + actions that require the user to authenticate as an + administrator (i.e. have an <literal>auth_admin</literal> + value). By default, this is the <literal>root</literal> + user and all users in the <literal>wheel</literal> group. + ''; + }; + + }; + + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.polkit.bin pkgs.polkit.out ]; + + systemd.packages = [ pkgs.polkit.out ]; + + systemd.services.polkit.restartTriggers = [ config.system.path ]; + systemd.services.polkit.stopIfChanged = false; + + # The polkit daemon reads action/rule files + environment.pathsToLink = [ "/share/polkit-1" ]; + + # PolKit rules for NixOS. + environment.etc."polkit-1/rules.d/10-nixos.rules".text = + '' + polkit.addAdminRule(function(action, subject) { + return [${concatStringsSep ", " (map (i: "\"${i}\"") cfg.adminIdentities)}]; + }); + + ${cfg.extraConfig} + ''; #TODO: validation on compilation (at least against typos) + + services.dbus.packages = [ pkgs.polkit.out ]; + + security.pam.services.polkit-1 = {}; + + security.wrappers = { + pkexec.source = "${pkgs.polkit.bin}/bin/pkexec"; + "polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; + }; + + systemd.tmpfiles.rules = [ + # Probably no more needed, clean up + "R /var/lib/polkit-1" + "R /var/lib/PolicyKit" + ]; + + users.users.polkituser = { + description = "PolKit daemon"; + uid = config.ids.uids.polkituser; + }; + + }; + +} + diff --git a/nixpkgs/nixos/modules/security/prey.nix b/nixpkgs/nixos/modules/security/prey.nix new file mode 100644 index 000000000000..1c643f2e1a57 --- /dev/null +++ b/nixpkgs/nixos/modules/security/prey.nix @@ -0,0 +1,51 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.prey; + myPrey = pkgs."prey-bash-client".override { + apiKey = cfg.apiKey; + deviceKey = cfg.deviceKey; + }; +in { + options = { + + services.prey = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enables the <link xlink:href="http://preyproject.com/" /> + shell client. Be sure to specify both API and device keys. + Once enabled, a <command>cron</command> job will run every 15 + minutes to report status information. + ''; + }; + + deviceKey = mkOption { + type = types.str; + description = '' + <literal>Device key</literal> obtained by visiting + <link xlink:href="https://panel.preyproject.com/devices" /> + and clicking on your device. + ''; + }; + + apiKey = mkOption { + type = types.str; + description = '' + <literal>API key</literal> obtained from + <link xlink:href="https://panel.preyproject.com/profile" />. + ''; + }; + }; + + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ myPrey ]; + services.cron.systemCronJobs = [ "*/15 * * * * root ${myPrey}/prey.sh" ]; + }; + +} diff --git a/nixpkgs/nixos/modules/security/rngd.nix b/nixpkgs/nixos/modules/security/rngd.nix new file mode 100644 index 000000000000..a54ef2e6fcad --- /dev/null +++ b/nixpkgs/nixos/modules/security/rngd.nix @@ -0,0 +1,35 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + options = { + security.rngd.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the rng daemon, which adds entropy from + hardware sources of randomness to the kernel entropy pool when + available. + ''; + }; + }; + + config = mkIf config.security.rngd.enable { + services.udev.extraRules = '' + KERNEL=="random", TAG+="systemd" + SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" + KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service" + ''; + + systemd.services.rngd = { + bindsTo = [ "dev-random.device" ]; + + after = [ "dev-random.device" ]; + + description = "Hardware RNG Entropy Gatherer Daemon"; + + serviceConfig.ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"; + }; + }; +} diff --git a/nixpkgs/nixos/modules/security/rtkit.nix b/nixpkgs/nixos/modules/security/rtkit.nix new file mode 100644 index 000000000000..f6dda21c6006 --- /dev/null +++ b/nixpkgs/nixos/modules/security/rtkit.nix @@ -0,0 +1,45 @@ +# A module for ‘rtkit’, a DBus system service that hands out realtime +# scheduling priority to processes that ask for it. + +{ config, lib, pkgs, ... }: + +with lib; + +{ + + options = { + + security.rtkit.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the RealtimeKit system service, which hands + out realtime scheduling priority to user processes on + demand. For example, the PulseAudio server uses this to + acquire realtime priority. + ''; + }; + + }; + + + config = mkIf config.security.rtkit.enable { + + security.polkit.enable = true; + + # To make polkit pickup rtkit policies + environment.systemPackages = [ pkgs.rtkit ]; + + systemd.packages = [ pkgs.rtkit ]; + + services.dbus.packages = [ pkgs.rtkit ]; + + users.users = singleton + { name = "rtkit"; + uid = config.ids.uids.rtkit; + description = "RealtimeKit daemon"; + }; + + }; + +} diff --git a/nixpkgs/nixos/modules/security/sudo.nix b/nixpkgs/nixos/modules/security/sudo.nix new file mode 100644 index 000000000000..573588aaeecc --- /dev/null +++ b/nixpkgs/nixos/modules/security/sudo.nix @@ -0,0 +1,231 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.security.sudo; + + inherit (pkgs) sudo; + + toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; + toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; + + toCommandOptionsString = options: + "${concatStringsSep ":" options}${optionalString (length options != 0) ":"} "; + + toCommandsString = commands: + concatStringsSep ", " ( + map (command: + if (isString command) then + command + else + "${toCommandOptionsString command.options}${command.command}" + ) commands + ); + +in + +{ + + ###### interface + + options = { + + security.sudo.enable = mkOption { + type = types.bool; + default = true; + description = + '' + Whether to enable the <command>sudo</command> command, which + allows non-root users to execute commands as root. + ''; + }; + + security.sudo.wheelNeedsPassword = mkOption { + type = types.bool; + default = true; + description = + '' + Whether users of the <code>wheel</code> group must + provide a password to run commands as super user via <command>sudo</command>. + ''; + }; + + security.sudo.configFile = mkOption { + type = types.lines; + # Note: if syntax errors are detected in this file, the NixOS + # configuration will fail to build. + description = + '' + This string contains the contents of the + <filename>sudoers</filename> file. + ''; + }; + + security.sudo.extraRules = mkOption { + description = '' + Define specific rules to be in the <filename>sudoers</filename> file. + More specific rules should come after more general ones in order to + yield the expected behavior. You can use mkBefore/mkAfter to ensure + this is the case when configuration options are merged. + ''; + default = []; + example = [ + # Allow execution of any command by all users in group sudo, + # requiring a password. + { groups = [ "sudo" ]; commands = [ "ALL" ]; } + + # Allow execution of "/home/root/secret.sh" by user `backup`, `database` + # and the group with GID `1006` without a password. + { users = [ "backup" "database" ]; groups = [ 1006 ]; + commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; } + + # Allow all users of group `bar` to run two executables as user `foo` + # with arguments being pre-set. + { groups = [ "bar" ]; runAs = "foo"; + commands = + [ "/home/baz/cmd1.sh hello-sudo" + { command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; } + ]; + type = with types; listOf (submodule { + options = { + users = mkOption { + type = with types; listOf (either string int); + description = '' + The usernames / UIDs this rule should apply for. + ''; + default = []; + }; + + groups = mkOption { + type = with types; listOf (either string int); + description = '' + The groups / GIDs this rule should apply for. + ''; + default = []; + }; + + host = mkOption { + type = types.string; + default = "ALL"; + description = '' + For what host this rule should apply. + ''; + }; + + runAs = mkOption { + type = with types; string; + default = "ALL:ALL"; + description = '' + Under which user/group the specified command is allowed to run. + + A user can be specified using just the username: <code>"foo"</code>. + It is also possible to specify a user/group combination using <code>"foo:bar"</code> + or to only allow running as a specific group with <code>":bar"</code>. + ''; + }; + + commands = mkOption { + description = '' + The commands for which the rule should apply. + ''; + type = with types; listOf (either string (submodule { + + options = { + command = mkOption { + type = with types; string; + description = '' + A command being either just a path to a binary to allow any arguments, + the full command with arguments pre-set or with <code>""</code> used as the argument, + not allowing arguments to the command at all. + ''; + }; + + options = mkOption { + type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]); + description = '' + Options for running the command. Refer to the <a href="https://www.sudo.ws/man/1.7.10/sudoers.man.html">sudo manual</a>. + ''; + default = []; + }; + }; + + })); + }; + }; + }); + }; + + security.sudo.extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra configuration text appended to <filename>sudoers</filename>. + ''; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + security.sudo.extraRules = [ + { groups = [ "wheel" ]; + commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ]; + } + ]; + + security.sudo.configFile = + '' + # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’ + # or ‘security.sudo.extraRules’ instead. + + # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. + Defaults env_keep+=SSH_AUTH_SOCK + + # "root" is allowed to do anything. + root ALL=(ALL:ALL) SETENV: ALL + + # extraRules + ${concatStringsSep "\n" ( + lists.flatten ( + map ( + rule: if (length rule.commands != 0) then [ + (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) + (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) + ] else [] + ) cfg.extraRules + ) + )} + + ${cfg.extraConfig} + ''; + + security.wrappers = { + sudo.source = "${pkgs.sudo.out}/bin/sudo"; + sudoedit.source = "${pkgs.sudo.out}/bin/sudoedit"; + }; + + environment.systemPackages = [ sudo ]; + + security.pam.services.sudo = { sshAgentAuth = true; }; + + environment.etc = singleton + { source = + pkgs.runCommand "sudoers" + { + src = pkgs.writeText "sudoers-in" cfg.configFile; + preferLocalBuild = true; + } + # Make sure that the sudoers file is syntactically valid. + # (currently disabled - NIXOS-66) + "${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out"; + target = "sudoers"; + mode = "0440"; + }; + + }; + +} diff --git a/nixpkgs/nixos/modules/security/systemd-confinement.nix b/nixpkgs/nixos/modules/security/systemd-confinement.nix new file mode 100644 index 000000000000..cd4eb81dbe19 --- /dev/null +++ b/nixpkgs/nixos/modules/security/systemd-confinement.nix @@ -0,0 +1,199 @@ +{ config, pkgs, lib, ... }: + +let + toplevelConfig = config; + inherit (lib) types; + inherit (import ../system/boot/systemd-lib.nix { + inherit config pkgs lib; + }) mkPathSafeName; +in { + options.systemd.services = lib.mkOption { + type = types.attrsOf (types.submodule ({ name, config, ... }: { + options.confinement.enable = lib.mkOption { + type = types.bool; + default = false; + description = '' + If set, all the required runtime store paths for this service are + bind-mounted into a <literal>tmpfs</literal>-based <citerefentry> + <refentrytitle>chroot</refentrytitle> + <manvolnum>2</manvolnum> + </citerefentry>. + ''; + }; + + options.confinement.fullUnit = lib.mkOption { + type = types.bool; + default = false; + description = '' + Whether to include the full closure of the systemd unit file into the + chroot, instead of just the dependencies for the executables. + + <warning><para>While it may be tempting to just enable this option to + make things work quickly, please be aware that this might add paths + to the closure of the chroot that you didn't anticipate. It's better + to use <option>confinement.packages</option> to <emphasis + role="strong">explicitly</emphasis> add additional store paths to the + chroot.</para></warning> + ''; + }; + + options.confinement.packages = lib.mkOption { + type = types.listOf (types.either types.str types.package); + default = []; + description = let + mkScOption = optName: "<option>serviceConfig.${optName}</option>"; + in '' + Additional packages or strings with context to add to the closure of + the chroot. By default, this includes all the packages from the + ${lib.concatMapStringsSep ", " mkScOption [ + "ExecReload" "ExecStartPost" "ExecStartPre" "ExecStop" + "ExecStopPost" + ]} and ${mkScOption "ExecStart"} options. If you want to have all the + dependencies of this systemd unit, you can use + <option>confinement.fullUnit</option>. + + <note><para>The store paths listed in <option>path</option> are + <emphasis role="strong">not</emphasis> included in the closure as + well as paths from other options except those listed + above.</para></note> + ''; + }; + + options.confinement.binSh = lib.mkOption { + type = types.nullOr types.path; + default = toplevelConfig.environment.binsh; + defaultText = "config.environment.binsh"; + example = lib.literalExample "\${pkgs.dash}/bin/dash"; + description = '' + The program to make available as <filename>/bin/sh</filename> inside + the chroot. If this is set to <literal>null</literal>, no + <filename>/bin/sh</filename> is provided at all. + + This is useful for some applications, which for example use the + <citerefentry> + <refentrytitle>system</refentrytitle> + <manvolnum>3</manvolnum> + </citerefentry> library function to execute commands. + ''; + }; + + options.confinement.mode = lib.mkOption { + type = types.enum [ "full-apivfs" "chroot-only" ]; + default = "full-apivfs"; + description = '' + The value <literal>full-apivfs</literal> (the default) sets up + private <filename class="directory">/dev</filename>, <filename + class="directory">/proc</filename>, <filename + class="directory">/sys</filename> and <filename + class="directory">/tmp</filename> file systems in a separate user + name space. + + If this is set to <literal>chroot-only</literal>, only the file + system name space is set up along with the call to <citerefentry> + <refentrytitle>chroot</refentrytitle> + <manvolnum>2</manvolnum> + </citerefentry>. + + <note><para>This doesn't cover network namespaces and is solely for + file system level isolation.</para></note> + ''; + }; + + config = let + rootName = "${mkPathSafeName name}-chroot"; + inherit (config.confinement) binSh fullUnit; + wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs"); + in lib.mkIf config.confinement.enable { + serviceConfig = { + RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\""; + TemporaryFileSystem = "/"; + PrivateMounts = lib.mkDefault true; + + # https://github.com/NixOS/nixpkgs/issues/14645 is a future attempt + # to change some of these to default to true. + # + # If we run in chroot-only mode, having something like PrivateDevices + # set to true by default will mount /dev within the chroot, whereas + # with "chroot-only" it's expected that there are no /dev, /proc and + # /sys file systems available. + # + # However, if this suddenly becomes true, the attack surface will + # increase, so let's explicitly set these options to true/false + # depending on the mode. + MountAPIVFS = wantsAPIVFS; + PrivateDevices = wantsAPIVFS; + PrivateTmp = wantsAPIVFS; + PrivateUsers = wantsAPIVFS; + ProtectControlGroups = wantsAPIVFS; + ProtectKernelModules = wantsAPIVFS; + ProtectKernelTunables = wantsAPIVFS; + }; + confinement.packages = let + execOpts = [ + "ExecReload" "ExecStart" "ExecStartPost" "ExecStartPre" "ExecStop" + "ExecStopPost" + ]; + execPkgs = lib.concatMap (opt: let + isSet = config.serviceConfig ? ${opt}; + in lib.optional isSet config.serviceConfig.${opt}) execOpts; + unitAttrs = toplevelConfig.systemd.units."${name}.service"; + allPkgs = lib.singleton (builtins.toJSON unitAttrs); + unitPkgs = if fullUnit then allPkgs else execPkgs; + in unitPkgs ++ lib.optional (binSh != null) binSh; + }; + })); + }; + + config.assertions = lib.concatLists (lib.mapAttrsToList (name: cfg: let + whatOpt = optName: "The 'serviceConfig' option '${optName}' for" + + " service '${name}' is enabled in conjunction with" + + " 'confinement.enable'"; + in lib.optionals cfg.confinement.enable [ + { assertion = !cfg.serviceConfig.RootDirectoryStartOnly or false; + message = "${whatOpt "RootDirectoryStartOnly"}, but right now systemd" + + " doesn't support restricting bind-mounts to 'ExecStart'." + + " Please either define a separate service or find a way to run" + + " commands other than ExecStart within the chroot."; + } + { assertion = !cfg.serviceConfig.DynamicUser or false; + message = "${whatOpt "DynamicUser"}. Please create a dedicated user via" + + " the 'users.users' option instead as this combination is" + + " currently not supported."; + } + ]) config.systemd.services); + + config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let + rootPaths = let + contents = lib.concatStringsSep "\n" cfg.confinement.packages; + in pkgs.writeText "${mkPathSafeName name}-string-contexts.txt" contents; + + chrootPaths = pkgs.runCommand "${mkPathSafeName name}-chroot-paths" { + closureInfo = pkgs.closureInfo { inherit rootPaths; }; + serviceName = "${name}.service"; + excludedPath = rootPaths; + } '' + mkdir -p "$out/lib/systemd/system" + serviceFile="$out/lib/systemd/system/$serviceName" + + echo '[Service]' > "$serviceFile" + + # /bin/sh is special here, because the option value could contain a + # symlink and we need to properly resolve it. + ${lib.optionalString (cfg.confinement.binSh != null) '' + binsh=${lib.escapeShellArg cfg.confinement.binSh} + realprog="$(readlink -e "$binsh")" + echo "BindReadOnlyPaths=$realprog:/bin/sh" >> "$serviceFile" + ''} + + while read storePath; do + if [ -L "$storePath" ]; then + # Currently, systemd can't cope with symlinks in Bind(ReadOnly)Paths, + # so let's just bind-mount the target to that location. + echo "BindReadOnlyPaths=$(readlink -e "$storePath"):$storePath" + elif [ "$storePath" != "$excludedPath" ]; then + echo "BindReadOnlyPaths=$storePath" + fi + done < "$closureInfo/store-paths" >> "$serviceFile" + ''; + in lib.optional cfg.confinement.enable chrootPaths) config.systemd.services); +} diff --git a/nixpkgs/nixos/modules/security/wrappers/default.nix b/nixpkgs/nixos/modules/security/wrappers/default.nix new file mode 100644 index 000000000000..dcb9c8d4ed5f --- /dev/null +++ b/nixpkgs/nixos/modules/security/wrappers/default.nix @@ -0,0 +1,202 @@ +{ config, lib, pkgs, ... }: +let + + inherit (config.security) wrapperDir wrappers; + + parentWrapperDir = dirOf wrapperDir; + + programs = + (lib.mapAttrsToList + (n: v: (if v ? "program" then v else v // {program=n;})) + wrappers); + + securityWrapper = pkgs.stdenv.mkDerivation { + name = "security-wrapper"; + phases = [ "installPhase" "fixupPhase" ]; + buildInputs = [ pkgs.libcap pkgs.libcap_ng pkgs.linuxHeaders ]; + hardeningEnable = [ "pie" ]; + installPhase = '' + mkdir -p $out/bin + $CC -Wall -O2 -DWRAPPER_DIR=\"${parentWrapperDir}\" \ + -lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper + ''; + }; + + ###### Activation script for the setcap wrappers + mkSetcapProgram = + { program + , capabilities + , source + , owner ? "nobody" + , group ? "nogroup" + , permissions ? "u+rx,g+x,o+x" + , ... + }: + assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3"); + '' + cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program} + echo -n "${source}" > $wrapperDir/${program}.real + + # Prevent races + chmod 0000 $wrapperDir/${program} + chown ${owner}.${group} $wrapperDir/${program} + + # Set desired capabilities on the file plus cap_setpcap so + # the wrapper program can elevate the capabilities set on + # its file into the Ambient set. + ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program} + + # Set the executable bit + chmod ${permissions} $wrapperDir/${program} + ''; + + ###### Activation script for the setuid wrappers + mkSetuidProgram = + { program + , source + , owner ? "nobody" + , group ? "nogroup" + , setuid ? false + , setgid ? false + , permissions ? "u+rx,g+x,o+x" + , ... + }: + '' + cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program} + echo -n "${source}" > $wrapperDir/${program}.real + + # Prevent races + chmod 0000 $wrapperDir/${program} + chown ${owner}.${group} $wrapperDir/${program} + + chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program} + ''; + + mkWrappedPrograms = + builtins.map + (s: if (s ? "capabilities") + then mkSetcapProgram + ({ owner = "root"; + group = "root"; + } // s) + else if + (s ? "setuid" && s.setuid) || + (s ? "setgid" && s.setgid) || + (s ? "permissions") + then mkSetuidProgram s + else mkSetuidProgram + ({ owner = "root"; + group = "root"; + setuid = true; + setgid = false; + permissions = "u+rx,g+x,o+x"; + } // s) + ) programs; +in +{ + + ###### interface + + options = { + security.wrappers = lib.mkOption { + type = lib.types.attrs; + default = {}; + example = lib.literalExample + '' + { sendmail.source = "/nix/store/.../bin/sendmail"; + ping = { + source = "${pkgs.iputils.out}/bin/ping"; + owner = "nobody"; + group = "nogroup"; + capabilities = "cap_net_raw+ep"; + }; + } + ''; + description = '' + This option allows the ownership and permissions on the setuid + wrappers for specific programs to be overridden from the + default (setuid root, but not setgid root). + + <note> + <para>The sub-attribute <literal>source</literal> is mandatory, + it must be the absolute path to the program to be wrapped. + </para> + + <para>The sub-attribute <literal>program</literal> is optional and + can give the wrapper program a new name. The default name is the same + as the attribute name itself.</para> + + <para>Additionally, this option can set capabilities on a + wrapper program that propagates those capabilities down to the + wrapped, real program.</para> + + <para>NOTE: cap_setpcap, which is required for the wrapper + program to be able to raise caps into the Ambient set is NOT + raised to the Ambient set so that the real program cannot + modify its own capabilities!! This may be too restrictive for + cases in which the real program needs cap_setpcap but it at + least leans on the side security paranoid vs. too + relaxed.</para> + </note> + ''; + }; + + security.wrapperDir = lib.mkOption { + type = lib.types.path; + default = "/run/wrappers/bin"; + internal = true; + description = '' + This option defines the path to the wrapper programs. It + should not be overriden. + ''; + }; + }; + + ###### implementation + config = { + + security.wrappers = { + fusermount.source = "${pkgs.fuse}/bin/fusermount"; + fusermount3.source = "${pkgs.fuse3}/bin/fusermount3"; + }; + + boot.specialFileSystems.${parentWrapperDir} = { + fsType = "tmpfs"; + options = [ "nodev" ]; + }; + + # Make sure our wrapperDir exports to the PATH env variable when + # initializing the shell + environment.extraInit = '' + # Wrappers override other bin directories. + export PATH="${wrapperDir}:$PATH" + ''; + + ###### setcap activation script + system.activationScripts.wrappers = + lib.stringAfter [ "specialfs" "users" ] + '' + # Look in the system path and in the default profile for + # programs to be wrapped. + WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin + + # We want to place the tmpdirs for the wrappers to the parent dir. + wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) + chmod a+rx $wrapperDir + + ${lib.concatStringsSep "\n" mkWrappedPrograms} + + if [ -L ${wrapperDir} ]; then + # Atomically replace the symlink + # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ + old=$(readlink -f ${wrapperDir}) + ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp + mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir} + rm --force --recursive $old + else + # For initial setup + ln --symbolic $wrapperDir ${wrapperDir} + fi + ''; + }; +} diff --git a/nixpkgs/nixos/modules/security/wrappers/wrapper.c b/nixpkgs/nixos/modules/security/wrappers/wrapper.c new file mode 100644 index 000000000000..494e9e93ac22 --- /dev/null +++ b/nixpkgs/nixos/modules/security/wrappers/wrapper.c @@ -0,0 +1,239 @@ +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <dirent.h> +#include <assert.h> +#include <errno.h> +#include <linux/capability.h> +#include <sys/capability.h> +#include <sys/prctl.h> +#include <limits.h> +#include <cap-ng.h> + +// Make sure assertions are not compiled out, we use them to codify +// invariants about this program and we want it to fail fast and +// loudly if they are violated. +#undef NDEBUG + +extern char **environ; + +// The WRAPPER_DIR macro is supplied at compile time so that it cannot +// be changed at runtime +static char * wrapperDir = WRAPPER_DIR; + +// Wrapper debug variable name +static char * wrapperDebug = "WRAPPER_DEBUG"; + +// Update the capabilities of the running process to include the given +// capability in the Ambient set. +static void set_ambient_cap(cap_value_t cap) +{ + capng_get_caps_process(); + + if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap)) + { + perror("cannot raise the capability into the Inheritable set\n"); + exit(1); + } + + capng_apply(CAPNG_SELECT_CAPS); + + if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long) cap, 0, 0)) + { + perror("cannot raise the capability into the Ambient set\n"); + exit(1); + } +} + +// Given the path to this program, fetch its configured capability set +// (as set by `setcap ... /path/to/file`) and raise those capabilities +// into the Ambient set. +static int make_caps_ambient(const char *selfPath) +{ + cap_t caps = cap_get_file(selfPath); + + if(!caps) + { + if(getenv(wrapperDebug)) + fprintf(stderr, "no caps set or could not retrieve the caps for this file, not doing anything..."); + + return 1; + } + + // We use `cap_to_text` and iteration over the tokenized result + // string because, as of libcap's current release, there is no + // facility for retrieving an array of `cap_value_t`'s that can be + // given to `prctl` in order to lift that capability into the + // Ambient set. + // + // Some discussion was had around shot-gunning all of the + // capabilities we know about into the Ambient set but that has a + // security smell and I deemed the risk of the current + // implementation crashing the program to be lower than the risk + // of a privilege escalation security hole being introduced by + // raising all capabilities, even ones we didn't intend for the + // program, into the Ambient set. + // + // `cap_t` which is returned by `cap_get_*` is an opaque type and + // even if we could retrieve the bitmasks (which, as far as I can + // tell we cannot) in order to get the `cap_value_t` + // representation for each capability we would have to take the + // total number of capabilities supported and iterate over the + // sequence of integers up-to that maximum total, testing each one + // against the bitmask ((bitmask >> n) & 1) to see if it's set and + // aggregating each "capability integer n" that is set in the + // bitmask. + // + // That, combined with the fact that we can't easily get the + // bitmask anyway seemed much more brittle than fetching the + // `cap_t`, transforming it into a textual representation, + // tokenizing the string, and using `cap_from_name` on the token + // to get the `cap_value_t` that we need for `prctl`. There is + // indeed risk involved if the output string format of + // `cap_to_text` ever changes but at this time the combination of + // factors involving the below list have led me to the conclusion + // that the best implementation at this time is reading then + // parsing with *lots of documentation* about why we're doing it + // this way. + // + // 1. No explicit API for fetching an array of `cap_value_t`'s or + // for transforming a `cap_t` into such a representation + // 2. The risk of a crash is lower than lifting all capabilities + // into the Ambient set + // 3. libcap is depended on heavily in the Linux ecosystem so + // there is a high chance that the output representation of + // `cap_to_text` will not change which reduces our risk that + // this parsing step will cause a crash + // + // The preferred method, should it ever be available in the + // future, would be to use libcap API's to transform the result + // from a `cap_get_*` into an array of `cap_value_t`'s that can + // then be given to prctl. + // + // - Parnell + ssize_t capLen; + char* capstr = cap_to_text(caps, &capLen); + cap_free(caps); + + // TODO: For now, we assume that cap_to_text always starts its + // result string with " =" and that the first capability is listed + // immediately after that. We should verify this. + assert(capLen >= 2); + capstr += 2; + + char* saveptr = NULL; + for(char* tok = strtok_r(capstr, ",", &saveptr); tok; tok = strtok_r(NULL, ",", &saveptr)) + { + cap_value_t capnum; + if (cap_from_name(tok, &capnum)) + { + if(getenv(wrapperDebug)) + fprintf(stderr, "cap_from_name failed, skipping: %s", tok); + } + else if (capnum == CAP_SETPCAP) + { + // Check for the cap_setpcap capability, we set this on the + // wrapper so it can elevate the capabilities to the Ambient + // set but we do not want to propagate it down into the + // wrapped program. + // + // TODO: what happens if that's the behavior you want + // though???? I'm preferring a strict vs. loose policy here. + if(getenv(wrapperDebug)) + fprintf(stderr, "cap_setpcap in set, skipping it\n"); + } + else + { + set_ambient_cap(capnum); + + if(getenv(wrapperDebug)) + fprintf(stderr, "raised %s into the Ambient capability set\n", tok); + } + } + cap_free(capstr); + + return 0; +} + +int main(int argc, char * * argv) +{ + // I *think* it's safe to assume that a path from a symbolic link + // should safely fit within the PATH_MAX system limit. Though I'm + // not positive it's safe... + char selfPath[PATH_MAX]; + int selfPathSize = readlink("/proc/self/exe", selfPath, sizeof(selfPath)); + + assert(selfPathSize > 0); + + // Assert we have room for the zero byte, this ensures the path + // isn't being truncated because it's too big for the buffer. + // + // A better way to handle this might be to use something like the + // whereami library (https://github.com/gpakosz/whereami) or a + // loop that resizes the buffer and re-reads the link if the + // contents are being truncated. + assert(selfPathSize < sizeof(selfPath)); + + // Set the zero byte since readlink doesn't do that for us. + selfPath[selfPathSize] = '\0'; + + // Make sure that we are being executed from the right location, + // i.e., `safeWrapperDir'. This is to prevent someone from creating + // hard link `X' from some other location, along with a false + // `X.real' file, to allow arbitrary programs from being executed + // with elevated capabilities. + int len = strlen(wrapperDir); + if (len > 0 && '/' == wrapperDir[len - 1]) + --len; + assert(!strncmp(selfPath, wrapperDir, len)); + assert('/' == wrapperDir[0]); + assert('/' == selfPath[len]); + + // Make *really* *really* sure that we were executed as + // `selfPath', and not, say, as some other setuid program. That + // is, our effective uid/gid should match the uid/gid of + // `selfPath'. + struct stat st; + assert(lstat(selfPath, &st) != -1); + + assert(!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())); + assert(!(st.st_mode & S_ISGID) || (st.st_gid == getegid())); + + // And, of course, we shouldn't be writable. + assert(!(st.st_mode & (S_IWGRP | S_IWOTH))); + + // Read the path of the real (wrapped) program from <self>.real. + char realFN[PATH_MAX + 10]; + int realFNSize = snprintf (realFN, sizeof(realFN), "%s.real", selfPath); + assert (realFNSize < sizeof(realFN)); + + int fdSelf = open(realFN, O_RDONLY); + assert (fdSelf != -1); + + char sourceProg[PATH_MAX]; + len = read(fdSelf, sourceProg, PATH_MAX); + assert (len != -1); + assert (len < sizeof(sourceProg)); + assert (len > 0); + sourceProg[len] = 0; + + close(fdSelf); + + // Read the capabilities set on the wrapper and raise them in to + // the Ambient set so the program we're wrapping receives the + // capabilities too! + make_caps_ambient(selfPath); + + execve(sourceProg, argv, environ); + + fprintf(stderr, "%s: cannot run `%s': %s\n", + argv[0], sourceProg, strerror(errno)); + + exit(1); +} + + |