From 8c0558dbb2469b7799515abd108d2fa4adbc4636 Mon Sep 17 00:00:00 2001 From: Jesper Geertsen Jonsson Date: Sun, 14 Jan 2018 18:15:46 +0100 Subject: sg/newgrp should always be available, not chfn sg and newgrp only changes the current user session and should be available to users even if the "users.mutableUsers" option is set. These are common, useful commands. chfn does modify the /etc/passwd GECOS field which is also controlled by the option "users.users..description", so it's less appropriate to make it available when "users.mutableUsers" is set. However, because CHFN_RESTRICT in login.defs is never set in current NixOS the chfn functionality is never available to users anyway and may as well have its SUID disabled, as only root is able to use it. This is recommended in the chfn man page in this case. --- nixos/modules/programs/shadow.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'nixos/modules/programs/shadow.nix') diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index 0f3f42901bab..8ec4169207db 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix @@ -26,8 +26,9 @@ let # Ensure privacy for newly created home directories. UMASK 077 - # Uncomment this to allow non-root users to change their account - #information. This should be made configurable. + # Uncomment this and install chfn SUID to allow non-root + # users to change their account GECOS information. + # This should be made configurable. #CHFN_RESTRICT frwh ''; @@ -103,13 +104,12 @@ in security.wrappers = { su.source = "${pkgs.shadow.su}/bin/su"; - chfn.source = "${pkgs.shadow.out}/bin/chfn"; + sg.source = "${pkgs.shadow.out}/bin/sg"; + newgrp.source = "${pkgs.shadow.out}/bin/newgrp"; newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap"; newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap"; } // (if config.users.mutableUsers then { passwd.source = "${pkgs.shadow.out}/bin/passwd"; - sg.source = "${pkgs.shadow.out}/bin/sg"; - newgrp.source = "${pkgs.shadow.out}/bin/newgrp"; } else {}); }; } -- cgit 1.4.1