From a53452f3e12f4feb76a5169149d93c3bd5359363 Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Thu, 9 Jun 2016 20:29:11 +0200 Subject: nixos: remove the grsecurity GID This GID was used to exempt users from Grsecurity's `/proc` restrictions; we now prefer to rely on `security.hideProcessInformation`, which uses the `proc` group for this purpose. That leaves no use for the grsecurity GID. More generally, having only a single GID to, presumably, serve as the default for all of grsecurity's GID based exemption/resriction schemes would be problematic in any event, so if we decide to enable those grsecurity features in the future, more specific GIDs should be added. --- nixos/modules/config/users-groups.nix | 2 -- 1 file changed, 2 deletions(-) (limited to 'nixos/modules/config/users-groups.nix') diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index e643b2d059b5..8231907d7999 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -468,7 +468,6 @@ in { home = "/root"; shell = mkDefault cfg.defaultUserShell; group = "root"; - extraGroups = [ "grsecurity" ]; initialHashedPassword = mkDefault config.security.initialRootPassword; }; nobody = { @@ -497,7 +496,6 @@ in { nixbld.gid = ids.gids.nixbld; utmp.gid = ids.gids.utmp; adm.gid = ids.gids.adm; - grsecurity.gid = ids.gids.grsecurity; input.gid = ids.gids.input; }; -- cgit 1.4.1