-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2111.section.xml27
-rw-r--r--nixos/doc/manual/release-notes/rl-2111.section.md19
-rw-r--r--nixos/modules/config/users-groups.nix12
-rw-r--r--nixos/modules/misc/ids.nix42
-rw-r--r--nixos/modules/security/rtkit.nix5
-rw-r--r--nixos/modules/services/backup/borgbackup.nix1
-rw-r--r--nixos/modules/services/databases/influxdb.nix1
-rw-r--r--nixos/modules/services/databases/memcached.nix2
-rw-r--r--nixos/modules/services/databases/mongodb.nix4
-rw-r--r--nixos/modules/services/databases/neo4j.nix4
-rw-r--r--nixos/modules/services/databases/redis.nix1
-rw-r--r--nixos/modules/services/games/minecraft-server.nix4
-rw-r--r--nixos/modules/services/logging/graylog.nix4
-rw-r--r--nixos/modules/services/misc/airsonic.nix2
-rw-r--r--nixos/modules/services/misc/apache-kafka.nix4
-rw-r--r--nixos/modules/services/misc/docker-registry.nix2
-rw-r--r--nixos/modules/services/misc/etcd.nix4
-rw-r--r--nixos/modules/services/misc/nix-ssh-serve.nix4
-rw-r--r--nixos/modules/services/misc/zookeeper.nix4
-rw-r--r--nixos/modules/services/monitoring/graphite.nix1
-rw-r--r--nixos/modules/services/monitoring/netdata.nix1
-rw-r--r--nixos/modules/services/monitoring/tuptime.nix1
-rw-r--r--nixos/modules/services/network-filesystems/orangefs/server.nix5
-rw-r--r--nixos/modules/services/networking/bind.nix4
-rw-r--r--nixos/modules/services/networking/consul.nix4
-rw-r--r--nixos/modules/services/networking/coturn.nix1
-rw-r--r--nixos/modules/services/networking/dhcpd.nix4
-rw-r--r--nixos/modules/services/networking/dnsmasq.nix4
-rw-r--r--nixos/modules/services/networking/git-daemon.nix1
-rw-r--r--nixos/modules/services/networking/iodine.nix1
-rw-r--r--nixos/modules/services/networking/morty.nix2
-rw-r--r--nixos/modules/services/networking/ncdns.nix2
-rw-r--r--nixos/modules/services/networking/networkmanager.nix1
-rw-r--r--nixos/modules/services/networking/ngircd.nix5
-rw-r--r--nixos/modules/services/networking/pleroma.nix2
-rw-r--r--nixos/modules/services/networking/radicale.nix7
-rw-r--r--nixos/modules/services/networking/radvd.nix5
-rw-r--r--nixos/modules/services/networking/smokeping.nix5
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix5
-rw-r--r--nixos/modules/services/networking/tinydns.nix6
-rw-r--r--nixos/modules/services/scheduling/atd.nix4
-rw-r--r--nixos/modules/services/search/kibana.nix4
-rw-r--r--nixos/modules/services/security/hockeypuck.nix2
-rw-r--r--nixos/modules/services/torrent/magnetico.nix2
-rw-r--r--nixos/modules/services/torrent/peerflix.nix6
-rw-r--r--nixos/modules/services/web-apps/node-red.nix1
-rw-r--r--nixos/modules/system/boot/systemd.nix15
-rw-r--r--nixos/modules/virtualisation/lxd.nix2
-rw-r--r--nixos/tests/unbound.nix11
-rw-r--r--pkgs/applications/audio/bschaffl/default.nix4
-rw-r--r--pkgs/applications/graphics/lightburn/default.nix4
-rw-r--r--pkgs/applications/networking/browsers/firefox/common.nix17
-rw-r--r--pkgs/applications/networking/cluster/argocd/default.nix8
-rw-r--r--pkgs/applications/networking/instant-messengers/slack/default.nix6
-rw-r--r--pkgs/applications/version-management/git-and-tools/git-cliff/default.nix6
-rw-r--r--pkgs/applications/version-management/git-and-tools/gitui/default.nix6
-rw-r--r--pkgs/build-support/fetchzip/default.nix1
-rw-r--r--pkgs/desktops/xfce/core/thunar/default.nix4
-rw-r--r--pkgs/development/interpreters/trealla/default.nix4
-rw-r--r--pkgs/development/libraries/alembic/default.nix4
-rw-r--r--pkgs/development/libraries/gbenchmark/default.nix4
-rw-r--r--pkgs/development/libraries/libvirt/default.nix4
-rw-r--r--pkgs/development/python-modules/awkward/default.nix4
-rw-r--r--pkgs/development/python-modules/deezer-py/default.nix4
-rw-r--r--pkgs/development/python-modules/dpath/default.nix4
-rw-r--r--pkgs/development/python-modules/launchpadlib/default.nix4
-rw-r--r--pkgs/development/python-modules/lazr-restfulclient/default.nix4
-rw-r--r--pkgs/development/tools/analysis/tfsec/default.nix4
-rw-r--r--pkgs/development/tools/build-managers/bazel/buildtools/default.nix6
-rw-r--r--pkgs/development/tools/esbuild/default.nix6
-rw-r--r--pkgs/development/tools/misc/arcanist/default.nix22
-rw-r--r--pkgs/development/web/flyctl/default.nix6
-rw-r--r--pkgs/games/quakespasm/vulkan.nix4
-rw-r--r--pkgs/misc/emulators/melonDS/default.nix25
-rw-r--r--pkgs/os-specific/darwin/trash/trash.diff2
-rw-r--r--pkgs/os-specific/linux/firmware/system76-firmware/default.nix6
-rw-r--r--pkgs/servers/misc/navidrome/default.nix20
-rw-r--r--pkgs/servers/search/meilisearch/default.nix5
-rw-r--r--pkgs/shells/dash/0001-fix-dirent64-et-al-on-darwin.patch41
-rw-r--r--pkgs/shells/dash/default.nix30
-rw-r--r--pkgs/tools/backup/rsnapshot/default.nix4
-rw-r--r--pkgs/tools/filesystems/s3backer/default.nix4
-rw-r--r--pkgs/tools/misc/opentsdb/default.nix13
-rw-r--r--pkgs/tools/networking/jwhois/default.nix5
-rw-r--r--pkgs/tools/package-management/rpm/default.nix10
-rw-r--r--pkgs/tools/system/rsyslog/default.nix4
-rw-r--r--pkgs/tools/text/xml/basex/default.nix2
-rw-r--r--pkgs/top-level/all-packages.nix1
88 files changed, 381 insertions, 191 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index 6eaba9111a2b..a150e6af7178 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -369,6 +369,33 @@ Superuser created successfully.
</listitem>
<listitem>
<para>
+ <link xlink:href="options.html#opt-users.users._name_.group">users.users.&lt;name&gt;.group</link>
+ no longer defaults to <literal>nogroup</literal>, which was
+ insecure. Out-of-tree modules are likely to require
+ adaptation: instead of
+ </para>
+ <programlisting language="bash">
+{
+ users.users.foo = {
+ isSystemUser = true;
+ };
+}
+</programlisting>
+ <para>
+ also create a group for your user:
+ </para>
+ <programlisting language="bash">
+{
+ users.users.foo = {
+ isSystemUser = true;
+ group = &quot;foo&quot;;
+ };
+ users.groups.foo = {};
+}
+</programlisting>
+ </listitem>
+ <listitem>
+ <para>
<literal>services.geoip-updater</literal> was broken and has
been replaced by
<link xlink:href="options.html#opt-services.geoipupdate.enable">services.geoipupdate</link>.
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index b77bd30ea17c..56ef6320ac01 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -136,6 +136,25 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable
- The `erigon` ethereum node has moved it's database location in `2021-08-03`, users upgrading must manually move their chaindata (see [release notes](https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03)).
+- [users.users.&lt;name&gt;.group](options.html#opt-users.users._name_.group) no longer defaults to `nogroup`, which was insecure. Out-of-tree modules are likely to require adaptation: instead of
+ ```nix
+ {
+ users.users.foo = {
+ isSystemUser = true;
+ };
+ }
+ ```
+ also create a group for your user:
+ ```nix
+ {
+ users.users.foo = {
+ isSystemUser = true;
+ group = "foo";
+ };
+ users.groups.foo = {};
+ }
+ ```
+
- `services.geoip-updater` was broken and has been replaced by [services.geoipupdate](options.html#opt-services.geoipupdate.enable).
- PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index d88162558e66..8e2db9107a11 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -123,7 +123,7 @@ let
group = mkOption {
type = types.str;
apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x;
- default = "nogroup";
+ default = "";
description = "The user's primary group.";
};
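Review bot: The `description` of the `group` option still reads "The user's primary group." while the line above it now sets `default = ""`, so the generated options manual will not tell readers that the value has to be set explicitly; suggest `description = "The user's primary group. Must be set explicitly; there is no default.";`. The `apply` check on the line above only bounds the length and accepts the empty string, so the empty default passes option evaluation and the unset case is caught only by the assertion added in the later hunk of this file, which is presumably why the default is `""` rather than absent. That intent deserves a one-line comment on the `default` line, e.g. `# no default: an unset group is rejected by an assertion below`.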
@@ -640,6 +640,16 @@ in {
Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.
'';
}
+ {
+ assertion = user.group != "";
+ message = ''
+ users.users.${user.name}.group is unset. This used to default to
+ nogroup, but this is unsafe. For example you can create a group
+ for this user with:
+ users.users.${user.name}.group = "${user.name}";
+ users.groups.${user.name} = {};
+ '';
+ }
]
));
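Review bot: The new assertion only catches the empty default; a configuration that explicitly writes `group = "nogroup"` (the old default, and something out-of-tree modules may have copied verbatim) still evaluates without complaint even though the commit text calls that value unsafe. If lib's `optional` and a `warnings` list are available in this module, consider pairing the assertion with `warnings = optional (user.group == "nogroup") "users.users.${user.name}.group is nogroup, which is insecure.";`. The assertion list this entry is appended to begins before the hunk, so I cannot tell whether an existing assertion also checks that `user.group` names a declared group; if not, the message's suggested fix (`users.groups.${user.name} = {};`) is the only hint that one is needed.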
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 02ae1390ce80..30cd8615acf8 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -83,14 +83,14 @@ in
#fourstore = 42; # dropped in 20.03
#fourstorehttp = 43; # dropped in 20.03
virtuoso = 44;
- rtkit = 45;
+ #rtkit = 45; # dynamically allocated 2021-09-03
dovecot2 = 46;
dovenull2 = 47;
prayer = 49;
mpd = 50;
clamav = 51;
fprot = 52;
- bind = 53;
+ # bind = 53; #dynamically allocated as of 2021-09-03
wwwrun = 54;
#adm = 55; # unused
spamd = 56;
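Review bot: The two retired entries in this hunk are commented in different formats — `#rtkit = 45; # dynamically allocated 2021-09-03` drops "as of", and `# bind = 53; #dynamically allocated as of 2021-09-03` puts the space on the wrong side of the second `#` — and the later hunks of this file add a third variant with no space at all (`#neo4j = 136;# dynamically allocated as of 2021-09-03`, likewise radvd, zookeeper, dnsmasq, consul, etcd, apache-kafka, kibana, radicale, graylog, smokeping). Context lines already in the file (`#haproxy = 97; # dynamically allocated as of 2020-03-11`, `#searx = 107; # dynamically allocated as of 2020-10-27`) establish the convention; suggest `#rtkit = 45; # dynamically allocated as of 2021-09-03` and `#bind = 53; # dynamically allocated as of 2021-09-03` here and the same shape for every entry retired in this commit. People grep this table to check whether an id is still reserved, so a uniform format matters more here than in ordinary code. The diffstat lists a module change for each service retired here (rtkit.nix, bind.nix, mongodb.nix, …), which is presumably where the static `uid`/`gid` references are removed; that cannot be verified from this chunk.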
@@ -134,13 +134,13 @@ in
firebird = 95;
#keys = 96; # unused
#haproxy = 97; # dynamically allocated as of 2020-03-11
- mongodb = 98;
+ #mongodb = 98; #dynamically allocated as of 2021-09-03
#openldap = 99; # dynamically allocated as of PR#94610
#users = 100; # unused
cgminer = 101;
munin = 102;
logcheck = 103;
- nix-ssh = 104;
+ #nix-ssh = 104; #dynamically allocated as of 2021-09-03
dictd = 105;
couchdb = 106;
#searx = 107; # dynamically allocated as of 2020-10-27
@@ -149,9 +149,9 @@ in
systemd-journal-gateway = 110;
#notbit = 111; # unused
aerospike = 111;
- ngircd = 112;
+ #ngircd = 112; #dynamically allocated as of 2021-09-03
#btsync = 113; # unused
- minecraft = 114;
+ #minecraft = 114; #dynamically allocated as of 2021-09-03
vault = 115;
rippled = 116;
murmur = 117;
@@ -169,19 +169,19 @@ in
mopidy = 130;
#docker = 131; # unused
gdm = 132;
- dhcpd = 133;
+ #dhcpd = 133; # dynamically allocated as of 2021-09-03
siproxd = 134;
mlmmj = 135;
- neo4j = 136;
+ #neo4j = 136;# dynamically allocated as of 2021-09-03
riemann = 137;
riemanndash = 138;
- radvd = 139;
- zookeeper = 140;
- dnsmasq = 141;
+ #radvd = 139;# dynamically allocated as of 2021-09-03
+ #zookeeper = 140;# dynamically allocated as of 2021-09-03
+ #dnsmasq = 141;# dynamically allocated as of 2021-09-03
#uhub = 142; # unused
yandexdisk = 143;
mxisd = 144; # was once collectd
- consul = 145;
+ #consul = 145;# dynamically allocated as of 2021-09-03
mailpile = 146;
redmine = 147;
#seeks = 148; # removed 2020-06-21
@@ -192,7 +192,7 @@ in
systemd-resolve = 153;
systemd-timesync = 154;
liquidsoap = 155;
- etcd = 156;
+ #etcd = 156;# dynamically allocated as of 2021-09-03
hbase = 158;
opentsdb = 159;
scollector = 160;
@@ -204,7 +204,7 @@ in
tox-bootstrapd = 166;
cadvisor = 167;
nylon = 168;
- apache-kafka = 169;
+ #apache-kafka = 169;# dynamically allocated as of 2021-09-03
#panamax = 170; # unused
exim = 172;
#fleet = 173; # unused
@@ -241,7 +241,7 @@ in
gateone = 207;
namecoin = 208;
#lxd = 210; # unused
- kibana = 211;
+ #kibana = 211;# dynamically allocated as of 2021-09-03
xtreemfs = 212;
calibre-server = 213;
heapster = 214;
@@ -264,7 +264,7 @@ in
avahi-autoipd = 231;
nntp-proxy = 232;
mjpg-streamer = 233;
- radicale = 234;
+ #radicale = 234;# dynamically allocated as of 2021-09-03
hydra-queue-runner = 235;
hydra-www = 236;
syncthing = 237;
@@ -272,14 +272,14 @@ in
taskd = 240;
# factorio = 241; # DynamicUser = true
# emby = 242; # unusued, removed 2019-05-01
- graylog = 243;
+ #graylog = 243;# dynamically allocated as of 2021-09-03
sniproxy = 244;
nzbget = 245;
mosquitto = 246;
toxvpn = 247;
# squeezelite = 248; # DynamicUser = true
turnserver = 249;
- smokeping = 250;
+ #smokeping = 250;# dynamically allocated as of 2021-09-03
gocd-agent = 251;
gocd-server = 252;
terraria = 253;
@@ -554,7 +554,7 @@ in
#shout = 206; #unused
gateone = 207;
namecoin = 208;
- lxd = 210; # unused
+ #lxd = 210; # unused
#kibana = 211;
xtreemfs = 212;
calibre-server = 213;
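Review bot: The retired line in what appears to be the gids table keeps its old reason, `#lxd = 210; # unused`, while every other id retired in this commit is annotated `dynamically allocated as of 2021-09-03`; the diffstat does list `nixos/modules/virtualisation/lxd.nix` as changed, which suggests the gid was in use and is now allocated dynamically rather than genuinely unused. Suggest `#lxd = 210; # dynamically allocated as of 2021-09-03` so the recorded reason matches its siblings and the module change. If the gid really was unused, the `# unused` comment is fine but the lxd.nix change should say why it is there.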
@@ -573,7 +573,7 @@ in
cfdyndns = 227;
pdnsd = 229;
octoprint = 230;
- radicale = 234;
+ #radicale = 234;# dynamically allocated as of 2021-09-03