diff options
author | Maximilian Bosch <maximilian@mbosch.me> | 2024-02-09 15:55:26 +0100 |
---|---|---|
committer | Maximilian Bosch <maximilian@mbosch.me> | 2024-02-09 16:44:35 +0100 |
commit | f6954309e8f0193ad5904cf787bbcfe47b63fa54 (patch) | |
tree | cb552e560bab30226156b8667b6cab0ee9d74595 | |
parent | a5d28c9bffb49868ca5688e5767d0782a995163b (diff) |
nixos/users-groups: warn on ambiguous password settings
After 4b128008c5d9fde881ce1b0a25e60ae0415a14d5 it took me a while in a
test setup to find out why `root` didn't have the password anymore I
declared in my config.
Because of that I got reminded how the order of preference works for the
password options:
hashedPassword > password > hashedPasswordFile
If the user is new, initialPassword & initialHashedPassword are also
relevant. Also, the override is silent in contrast to any other
conflicting definition in NixOS.
To make this less surprising I decided to warn in such a case -
assertions would probably break too much that technically works as
intended.
Also removed the `initialHashedPassword` for `root`. This would cause a
warning whenever you set something in your own config and a `!` is added
automatically by `users-groups.pl`.
`systemd-sysusers` also seems to implement these precedence rules, so
having the warning for that case also seems useful.
-rw-r--r-- | nixos/modules/config/users-groups.nix | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 967ad0846d75..dd34771c0b42 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -649,7 +649,6 @@ in { home = "/root"; shell = mkDefault cfg.defaultUserShell; group = "root"; - initialHashedPassword = mkDefault "!"; }; nobody = { uid = ids.uids.nobody; @@ -897,7 +896,26 @@ in { )); warnings = - builtins.filter (x: x != null) ( + flip concatMap (attrValues cfg.users) (user: let + unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([ + user.hashedPassword + user.hashedPasswordFile + user.password + ] ++ optionals cfg.mutableUsers [ + # For immutable users, initialHashedPassword is set to hashedPassword, + # so using these options would always trigger the assertion. + user.initialHashedPassword + user.initialPassword + ])); + in optional (!unambiguousPasswordConfiguration) '' + The user '${user.name}' has multiple of the options + `hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword` + & `initialHashedPassword` set to a non-null value. + The options silently discard others by the order of precedence + given above which can lead to surprising results. To resolve this warning, + set at most one of the options above to a non-`null` value. + '') + ++ builtins.filter (x: x != null) ( flip mapAttrsToList cfg.users (_: user: # This regex matches a subset of the Modular Crypto Format (MCF)[1] # informal standard. Since this depends largely on the OS or the |