nixos: remove the grsecurity GID

This GID was used to exempt users from Grsecurity's `/proc` restrictions; we now prefer to rely on `security.hideProcessInformation`, which uses the `proc` group for this purpose. That leaves no use for the grsecurity GID. More generally, having only a single GID to, presumably, serve as the default for all of grsecurity's GID based exemption/resriction schemes would be problematic in any event, so if we decide to enable those grsecurity features in the future, more specific GIDs should be added.
author: Joachim Fasting <joachifm@fastmail.fm> 2016-06-09 20:29:11 +0200
committer: Joachim Fasting <joachifm@fastmail.fm> 2016-06-14 03:38:17 +0200
commit: a53452f3e12f4feb76a5169149d93c3bd5359363 (patch)
tree: 0f6398e489f81a499e64b873cb38418f43e4a4f9 /nixos/modules/config/users-groups.nix
parent: 0677cc61c8fae0b699a9be837c897b8d7b6d837c (diff)
1 files changed, 0 insertions, 2 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index e643b2d059b5..8231907d7999 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -468,7 +468,6 @@ in {
         home = "/root";
         shell = mkDefault cfg.defaultUserShell;
         group = "root";
-        extraGroups = [ "grsecurity" ];
         initialHashedPassword = mkDefault config.security.initialRootPassword;
       };
       nobody = {
@@ -497,7 +496,6 @@ in {
       nixbld.gid = ids.gids.nixbld;
       utmp.gid = ids.gids.utmp;
       adm.gid = ids.gids.adm;
-      grsecurity.gid = ids.gids.grsecurity;
       input.gid = ids.gids.input;
     };
author	Joachim Fasting <joachifm@fastmail.fm>	2016-06-09 20:29:11 +0200
committer	Joachim Fasting <joachifm@fastmail.fm>	2016-06-14 03:38:17 +0200
commit	a53452f3e12f4feb76a5169149d93c3bd5359363 (patch)
tree	0f6398e489f81a499e64b873cb38418f43e4a4f9 /nixos/modules/config/users-groups.nix
parent	0677cc61c8fae0b699a9be837c897b8d7b6d837c (diff)