author | Guillaume Girol <symphorien@users.noreply.github.com> | 2021-09-13 18:29:21 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-13 18:29:21 +0000 |
commit | 359203459580a280ae4962d7f7cece321525b872 (patch) | |
tree | 5e280c2af8a02a984cc0fa03d3caa87efacc513f /nixos | |
parent | dddf775e4c938b8ae4b0ecfae6ee3d37a850b19e (diff) | |
parent | 27f0f8965b91cf8b462fd0ff5a15cbe27746c4c5 (diff) |
Merge pull request #133166 from symphorien/nonogroup
Don't default to nogroup for the primary group of users.
Diffstat (limited to 'nixos')
49 files changed, 207 insertions, 53 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index 6eaba9111a2b..a150e6af7178 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -369,6 +369,33 @@ Superuser created successfully. </listitem> <listitem> <para> + <link xlink:href="options.html#opt-users.users._name_.group">users.users.<name>.group</link> + no longer defaults to <literal>nogroup</literal>, which was + insecure. Out-of-tree modules are likely to require + adaptation: instead of + </para> + <programlisting language="bash"> +{ + users.users.foo = { + isSystemUser = true; + }; +} +</programlisting> + <para> + also create a group for your user: + </para> + <programlisting language="bash"> +{ + users.users.foo = { + isSystemUser = true; + group = "foo"; + }; + users.groups.foo = {}; +} +</programlisting> + </listitem> + <listitem> + <para> <literal>services.geoip-updater</literal> was broken and has been replaced by <link xlink:href="options.html#opt-services.geoipupdate.enable">services.geoipupdate</link>. diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index b77bd30ea17c..56ef6320ac01 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md 
@@ -136,6 +136,25 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable - The `erigon` ethereum node has moved it's database location in `2021-08-03`, users upgrading must manually move their chaindata (see [release notes](https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03)). +- [users.users.<name>.group](options.html#opt-users.users._name_.group) no longer defaults to `nogroup`, which was insecure. Out-of-tree modules are likely to require adaptation: instead of + ```nix + { + users.users.foo = { + isSystemUser = true; + }; + } + ``` + also create a group for your user: + ```nix + { + users.users.foo = { + isSystemUser = true; + group = "foo"; + }; + users.groups.foo = {}; + } + ``` + - `services.geoip-updater` was broken and has been replaced by [services.geoipupdate](options.html#opt-services.geoipupdate.enable). - PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release. diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index d88162558e66..8e2db9107a11 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -123,7 +123,7 @@ let group = mkOption { type = types.str; apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x; - default = "nogroup"; + default = ""; description = "The user's primary group."; }; @@ -640,6 +640,16 @@ in { Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set. ''; } + { + assertion = user.group != ""; + message = '' + users.users.${user.name}.group is unset. This used to default to + nogroup, but this is unsafe. For example you can create a group + for this user with: + users.users.${user.name}.group = "${user.name}"; + users.groups.${user.name} = {}; + ''; + } ] )); 
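Review bot: In the first users-groups.nix hunk the option's `description` still reads "The user's primary group." although `default = ""` together with the assertion added in the second hunk now makes the option mandatory; suggest `description = "The user's primary group. Must be set explicitly: it used to default to nogroup, which is insecure.";`. The assertion in the second hunk only rejects the empty string, so a misspelled group name still passes it; unless a later check not visible here verifies that `user.group` is declared in `users.groups` or exists on the system, such a user would be accepted without a valid primary group. Both the `group` option declaration and the assertion list continue outside their hunks.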
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 02ae1390ce80..30cd8615acf8 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -83,14 +83,14 @@ in #fourstore = 42; # dropped in 20.03 #fourstorehttp = 43; # dropped in 20.03 virtuoso = 44; - rtkit = 45; + #rtkit = 45; # dynamically allocated 2021-09-03 dovecot2 = 46; dovenull2 = 47; prayer = 49; mpd = 50; clamav = 51; fprot = 52; - bind = 53; + # bind = 53; #dynamically allocated as of 2021-09-03 wwwrun = 54; #adm = 55; # unused spamd = 56; @@ -134,13 +134,13 @@ in firebird = 95; #keys = 96; # unused #haproxy = 97; # dynamically allocated as of 2020-03-11 - mongodb = 98; + #mongodb = 98; #dynamically allocated as of 2021-09-03 #openldap = 99; # dynamically allocated as of PR#94610 #users = 100; # unused cgminer = 101; munin = 102; logcheck = 103; - nix-ssh = 104; + #nix-ssh = 104; #dynamically allocated as of 2021-09-03 dictd = 105; couchdb = 106; #searx = 107; # dynamically allocated as of 2020-10-27 @@ -149,9 +149,9 @@ in systemd-journal-gateway = 110; #notbit = 111; # unused aerospike = 111; - ngircd = 112; + #ngircd = 112; #dynamically allocated as of 2021-09-03 #btsync = 113; # unused - minecraft = 114; + #minecraft = 114; #dynamically allocated as of 2021-09-03 vault = 115; rippled = 116; murmur = 117; 
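Review bot: The comments added when retiring the static ids are formatted inconsistently within this hunk (`#rtkit = 45; # dynamically allocated 2021-09-03` omits "as of", `# bind = 53; #dynamically allocated as of 2021-09-03` has the spaces swapped), and the ids.nix hunks on the next two lines mostly use `;# dynamically allocated as of 2021-09-03` with no space before the `#`. The file's existing convention is visible in the same hunk, e.g. `#haproxy = 97; # dynamically allocated as of 2020-03-11`; suggest normalizing every retired entry to `#name = N; # dynamically allocated as of 2021-09-03`. Keeping the numbers in the file as comments rather than deleting the lines looks right, since judging by the existing `# dropped` and `# unused` entries that is how this file reserves ids against reuse.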
@@ -169,19 +169,19 @@ in mopidy = 130; #docker = 131; # unused gdm = 132; - dhcpd = 133; + #dhcpd = 133; # dynamically allocated as of 2021-09-03 siproxd = 134; mlmmj = 135; - neo4j = 136; + #neo4j = 136;# dynamically allocated as of 2021-09-03 riemann = 137; riemanndash = 138; - radvd = 139; - zookeeper = 140; - dnsmasq = 141; + #radvd = 139;# dynamically allocated as of 2021-09-03 + #zookeeper = 140;# dynamically allocated as of 2021-09-03 + #dnsmasq = 141;# dynamically allocated as of 2021-09-03 #uhub = 142; # unused yandexdisk = 143; mxisd = 144; # was once collectd - consul = 145; + #consul = 145;# dynamically allocated as of 2021-09-03 mailpile = 146; redmine = 147; #seeks = 148; # removed 2020-06-21 @@ -192,7 +192,7 @@ in systemd-resolve = 153; systemd-timesync = 154; liquidsoap = 155; - etcd = 156; + #etcd = 156;# dynamically allocated as of 2021-09-03 hbase = 158; opentsdb = 159; scollector = 160; @@ -204,7 +204,7 @@ in tox-bootstrapd = 166; cadvisor = 167; nylon = 168; - apache-kafka = 169; + #apache-kafka = 169;# dynamically allocated as of 2021-09-03 #panamax = 170; # unused exim = 172; #fleet = 173; # unused @@ -241,7 +241,7 @@ in gateone = 207; namecoin = 208; #lxd = 210; # unused - kibana = 211; + #kibana = 211;# dynamically allocated as of 2021-09-03 xtreemfs = 212; calibre-server = 213; heapster = 214; @@ -264,7 +264,7 @@ in avahi-autoipd = 231; nntp-proxy = 232; mjpg-streamer = 233; - radicale = 234; + #radicale = 234;# dynamically allocated as of 2021-09-03 hydra-queue-runner = 235; hydra-www = 236; syncthing = 237; 
@@ -272,14 +272,14 @@ in taskd = 240; # factorio = 241; # DynamicUser = true # emby = 242; # unusued, removed 2019-05-01 - graylog = 243; + #graylog = 243;# dynamically allocated as of 2021-09-03 sniproxy = 244; nzbget = 245; mosquitto = 246; toxvpn = 247; # squeezelite = 248; # DynamicUser = true turnserver = 249; - smokeping = 250; + #smokeping = 250;# dynamically allocated as of 2021-09-03 gocd-agent = 251; gocd-server = 252; terraria = 253; @@ -554,7 +554,7 @@ in #shout = 206; #unused gateone = 207; namecoin = 208; - lxd = 210; # unused + #lxd = 210; # unused #kibana = 211; xtreemfs = 212; calibre-server = 213; @@ -573,7 +573,7 @@ in cfdyndns = 227; pdnsd = 229; octoprint = 230; - radicale = 234; + #radicale = 234;# dynamically allocated as of 2021-09-03 syncthing = 237; caddy = 239; taskd = 240; @@ -585,7 +585,7 @@ in #toxvpn = 247; # unused #squeezelite = 248; #unused turnserver = 249; - smokeping = 250; + #smokeping = 250;# dynamically allocated as of 2021-09-03 gocd-agent = 251; gocd-server = 252; terraria = 253; diff --git a/nixos/modules/security/rtkit.nix b/nixos/modules/security/rtkit.nix index a7b27cbcf215..ad8746808e85 100644 --- a/nixos/modules/security/rtkit.nix +++ b/nixos/modules/security/rtkit.nix @@ -35,9 +35,12 @@ with lib; services.dbus.packages = [ pkgs.rtkit ]; users.users.rtkit = - { uid = config.ids.uids.rtkit; + { + isSystemUser = true; + group = "rtkit"; description = "RealtimeKit daemon"; }; + users.groups.rtkit = {}; }; diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix index ccbc7726392d..c4174286fc0b 100644 --- a/nixos/modules/services/backup/borgbackup.nix +++ b/nixos/modules/services/backup/borgbackup.nix @@ -169,6 +169,7 @@ let (map (mkAuthorizedKey cfg false) cfg.authorizedKeys ++ map (mkAuthorizedKey cfg true) cfg.authorizedKeysAppendOnly); useDefaultShell = true; + group = cfg.group; isSystemUser = true; }; groups.${cfg.group} = { }; 
diff --git a/nixos/modules/services/databases/influxdb.nix b/nixos/modules/services/databases/influxdb.nix index dd5d69b1147a..3b8c00929ba9 100644 --- a/nixos/modules/services/databases/influxdb.nix +++ b/nixos/modules/services/databases/influxdb.nix @@ -185,6 +185,7 @@ in users.users = optionalAttrs (cfg.user == "influxdb") { influxdb = { uid = config.ids.uids.influxdb; + group = "influxdb"; description = "Influxdb daemon user"; }; }; diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix index ca7b20eb049a..1c06937e2f30 100644 --- a/nixos/modules/services/databases/memcached.nix +++ b/nixos/modules/services/databases/memcached.nix @@ -67,7 +67,9 @@ in users.users = optionalAttrs (cfg.user == "memcached") { memcached.description = "Memcached server user"; memcached.isSystemUser = true; + memcached.group = "memcached"; }; + users.groups = optionalAttrs (cfg.user == "memcached") { memcached = {}; }; environment.systemPackages = [ memcached ]; diff --git a/nixos/modules/services/databases/mongodb.nix b/nixos/modules/services/databases/mongodb.nix index db1e5fedf50d..5121e0415db1 100644 --- a/nixos/modules/services/databases/mongodb.nix +++ b/nixos/modules/services/databases/mongodb.nix @@ -123,9 +123,11 @@ in users.users.mongodb = mkIf (cfg.user == "mongodb") { name = "mongodb"; - uid = config.ids.uids.mongodb; + isSystemUser = true; + group = "mongodb"; description = "MongoDB server user"; }; + users.groups.mongodb = mkIf (cfg.user == "mongodb") {}; environment.systemPackages = [ mongodb ]; diff --git a/nixos/modules/services/databases/neo4j.nix b/nixos/modules/services/databases/neo4j.nix index 53760bb24c4a..2a30923538db 100644 --- a/nixos/modules/services/databases/neo4j.nix +++ b/nixos/modules/services/databases/neo4j.nix 
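Review bot: The influxdb hunk adds `group = "influxdb";` to the user but, unlike the memcached and mongodb hunks on this line, declares no matching `users.groups` entry, and the group name is a hard-coded string on a user that is itself conditional on `cfg.user`. If the module already declares the group elsewhere (not visible here) this is fine; otherwise the new assertion is satisfied while the group never exists on the system, and `users.groups = optionalAttrs (cfg.user == "influxdb") { influxdb = {}; };` next to the user declaration would close the gap. The graphite (`group = "graphite"`) and netdata (`group = defaultUser`) hunks further down have the same shape and deserve the same check.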
@@ -651,10 +651,12 @@ in { environment.systemPackages = [ cfg.package ]; users.users.neo4j = { - uid = config.ids.uids.neo4j; + isSystemUser = true; + group = "neo4j"; description = "Neo4j daemon user"; home = cfg.directories.home; }; + users.groups.neo4j = {}; }; meta = { diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 8873f6d00e0b..1b9358c81a12 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -246,6 +246,7 @@ in { users.users.redis = { description = "Redis database user"; + group = "redis"; isSystemUser = true; }; users.groups.redis = {}; diff --git a/nixos/modules/services/games/minecraft-server.nix b/nixos/modules/services/games/minecraft-server.nix index eb9288fca586..458e57fef846 100644 --- a/nixos/modules/services/games/minecraft-server.nix +++ b/nixos/modules/services/games/minecraft-server.nix @@ -167,8 +167,10 @@ in { description = "Minecraft server service user"; home = cfg.dataDir; createHome = true; - uid = config.ids.uids.minecraft; + isSystemUser = true; + group = "minecraft"; }; + users.groups.minecraft = {}; systemd.services.minecraft-server = { description = "Minecraft Server Service"; diff --git a/nixos/modules/services/logging/graylog.nix b/nixos/modules/services/logging/graylog.nix index af70d27fcf99..5e20a10f2490 100644 --- a/nixos/modules/services/logging/graylog.nix +++ b/nixos/modules/services/logging/graylog.nix @@ -128,10 +128,12 @@ in users.users = mkIf (cfg.user == "graylog") { graylog = { - uid = config.ids.uids.graylog; + isSystemUser = true; + group = "graylog"; description = "Graylog server daemon user"; }; }; + users.groups = mkIf (cfg.user == "graylog") {}; systemd.tmpfiles.rules = [ "d '${cfg.messageJournalDir}' - ${cfg.user} - - -" diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix index 490f6c5a5c06..c1ce515750b0 100644 --- a/nixos/modules/services/misc/airsonic.nix 
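Review bot: In the graylog hunk, `users.groups = mkIf (cfg.user == "graylog") {};` declares an empty attribute set, so no `graylog` group is created here even though the user above now has `group = "graylog"`; unless the group is declared elsewhere in the module, the new assertion passes while the primary group does not exist on the system. The line should be `users.groups = mkIf (cfg.user == "graylog") { graylog = {}; };` (or `users.groups.graylog = mkIf (cfg.user == "graylog") {};`, matching the mongodb hunk). The neo4j, redis and minecraft hunks on this line declare their groups as intended.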
+++ b/nixos/modules/services/misc/airsonic.nix @@ -165,10 +165,12 @@ in { users.users.airsonic = { description = "Airsonic service user"; + group = "airsonic"; name = cfg.user; home = cfg.home; createHome = true; isSystemUser = true; }; + users.groups.airsonic = {}; }; } diff --git a/nixos/modules/services/misc/apache-kafka.nix b/nixos/modules/services/misc/apache-kafka.nix index 69dfadfe54e0..8bc307311a42 100644 --- a/nixos/modules/services/misc/apache-kafka.nix +++ b/nixos/modules/services/misc/apache-kafka.nix @@ -120,10 +120,12 @@ in { environment.systemPackages = [cfg.package]; users.users.apache-kafka = { - uid = config.ids.uids.apache-kafka; + isSystemUser = true; + group = "apache-kafka"; description = "Apache Kafka daemon user"; home = head cfg.logDirs; }; + users.groups.apache-kafka = {}; systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.logDirs; diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix index e212f581c28a..cb68a29c530b 100644 --- a/nixos/modules/services/misc/docker-registry.nix +++ b/nixos/modules/services/misc/docker-registry.nix @@ -151,7 +151,9 @@ in { home = cfg.storagePath; } else {}) // { + group = "docker-registry"; isSystemUser = true; }; + users.groups.docker-registry = {}; }; } diff --git a/nixos/modules/services/misc/etcd.nix b/nixos/modules/services/misc/etcd.nix index eb266f043ebc..2b667fab6b04 100644 --- a/nixos/modules/services/misc/etcd.nix +++ b/nixos/modules/services/misc/etcd.nix @@ -187,9 +187,11 @@ in { environment.systemPackages = [ pkgs.etcd ]; users.users.etcd = { - uid = config.ids.uids.etcd; + isSystemUser = true; + group = "etcd"; description = "Etcd daemon user"; home = cfg.dataDir; }; + users.groups.etcd = {}; }; } diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix index 1764c6d79649..d5c64fdb2647 100644 --- a/nixos/modules/services/misc/nix-ssh-serve.nix 
+++ b/nixos/modules/services/misc/nix-ssh-serve.nix @@ -44,9 +44,11 @@ in { users.users.nix-ssh = { description = "Nix SSH store user"; - uid = config.ids.uids.nix-ssh; + isSystemUser = true; + group = "nix-ssh"; useDefaultShell = true; }; + users.groups.nix-ssh = {}; services.openssh.enable = true; diff --git a/nixos/modules/services/misc/zookeeper.nix b/nixos/modules/services/misc/zookeeper.nix index 1d12e81a9eca..0e5880983e44 100644 --- a/nixos/modules/services/misc/zookeeper.nix +++ b/nixos/modules/services/misc/zookeeper.nix @@ -148,9 +148,11 @@ in { }; users.users.zookeeper = { - uid = config.ids.uids.zookeeper; + isSystemUser = true; + group = "zookeeper"; description = "Zookeeper daemon user"; home = cfg.dataDir; }; + users.groups.zookeeper = {}; }; } diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix index 9213748d3c9a..502afce5233b 100644 --- a/nixos/modules/services/monitoring/graphite.nix +++ b/nixos/modules/services/monitoring/graphite.nix @@ -561,6 +561,7 @@ in { ) { users.users.graphite = { uid = config.ids.uids.graphite; + group = "graphite"; description = "Graphite daemon user"; home = dataDir; }; diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index 561ce3eec625..e76979fa6d17 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -258,6 +258,7 @@ in { users.users = optionalAttrs (cfg.user == defaultUser) { ${defaultUser} = { + group = defaultUser; isSystemUser = true; }; }; diff --git a/nixos/modules/services/monitoring/tuptime.nix b/nixos/modules/services/monitoring/tuptime.nix index 17c5c1f56eaf..de80282559ae 100644 --- a/nixos/modules/services/monitoring/tuptime.nix +++ b/nixos/modules/services/monitoring/tuptime.nix 
@@ -36,6 +36,7 @@ in { groups._tuptime.members = [ "_tuptime" ]; users._tuptime = { isSystemUser = true; + group = "_tuptime"; description = "tuptime database owner"; }; }; diff --git a/nixos/modules/services/network-filesystems/orangefs/server.nix b/nixos/modules/services/network-filesystems/orangefs/server.nix index 8eb754fe6110..8c55ccf5ffb0 100644 --- a/nixos/modules/services/network-filesystems/orangefs/server.nix +++ b/nixos/modules/services/network-filesystems/orangefs/server.nix @@ -193,7 +193,10 @@ in { environment.systemPackages = [ pkgs.orangefs ]; # orangefs daemon will run as user - users.users.orangefs.isSystemUser = true; |
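Review bot: In the tuptime hunk, `group = "_tuptime";` makes `_tuptime` the user's primary group, so the unchanged `groups._tuptime.members = [ "_tuptime" ];` directly above now lists the user in its own primary group and is redundant; consider dropping it, or adding a short comment if the explicit membership is intentional. The enclosing `users` block continues outside the hunk.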