-rw-r--r-- | nixos/doc/manual/release-notes/rl-2103.xml | 7 | ||||
-rw-r--r-- | nixos/modules/config/update-users-groups.pl | 3 | ||||
-rw-r--r-- | nixos/modules/config/users-groups.nix | 6 |
3 files changed, 11 insertions, 5 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml
index 2b0144a69c22..7c6356770a5f 100644
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@@ -431,6 +431,13 @@
 been dropped from upstream releases.
 </para>
 </listitem>
+ <listitem>
+ <para>
+ <xref linkend="opt-users.users._name_.createHome" /> now always ensures home directory permissions to be <literal>0700</literal>.
+ Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others.
+ The option's description was incorrect regarding ownership management and has been simplified greatly.
+ </para>
+ </listitem>
 </itemizedlist>
 </section>
 </section>
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl
index fd3affae899c..758237152932 100644
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -209,10 +209,11 @@ foreach my $u (@{$spec->{users}}) {
 }
 }
- # Create a home directory.
+ # Ensure home directory incl. ownership and permissions.
 if ($u->{createHome}) {
 make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
 chown $u->{uid}, $u->{gid}, $u->{home};
+ chmod 0700, $u->{home};
 }
 if (defined $u->{passwordFile}) {
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 72285fe631da..a95763380986 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -198,10 +198,8 @@ let
 type = types.bool;
 default = false;
 description = ''
- If true, the home directory will be created automatically. If this
- option is true and the home directory already exists but is not
- owned by the user, directory owner and group will be changed to
- match the user.
+ Whether to create the home directory and ensure ownership as well as
+ permissions to match the user.
 '';
 };
 |
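Review bot: The added `chmod 0700, $u->{home};` in update-users-groups.pl discards its return value, as the `chown` above it already did, so a failure to tighten an existing home directory (a read-only or foreign filesystem, for instance) leaves it readable by others without any trace in the activation output — exactly the case the commit sets out to close. Both calls should at least report failure: `chown $u->{uid}, $u->{gid}, $u->{home} or warn "warning: could not set owner of $u->{home}: $!\n";` and `chmod 0700, $u->{home} or warn "warning: could not set mode of $u->{home}: $!\n";`. Note also that `-e`, `chown` and `chmod` all follow symbolic links, so if an existing `$u->{home}` is a symlink the mode and ownership are applied to its target rather than to the configured path; whether that situation can arise depends on how home paths are configured and is worth confirming, though it is not introduced by this commit. The enclosing `foreach` over `$spec->{users}` starts outside the hunk.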