summaryrefslogtreecommitdiffstats
path: root/nixos/modules/programs/shadow.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/modules/programs/shadow.nix')
-rw-r--r--nixos/modules/programs/shadow.nix239
1 files changed, 129 insertions, 110 deletions
diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index f09bfaa5393d..ef5bad69e934 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -4,7 +4,18 @@ let
cfg = config.security.loginDefs;
in
{
- options = with lib.types; {
+ options = {
+
+ security.shadow.enable = lib.mkEnableOption "" // {
+ default = true;
+ description = ''
+ Enable the shadow authentication suite, which provides critical programs such as su, login, passwd.
+
+ Note: This is currently experimental. Only disable this if you're
+ confident that you can recover your system if it breaks.
+ '';
+ };
+
security.loginDefs = {
package = lib.mkPackageOption pkgs "shadow" { };
@@ -12,7 +23,7 @@ in
description = ''
Use chfn SUID to allow non-root users to change their account GECOS information.
'';
- type = nullOr str;
+ type = lib.types.nullOr lib.types.str;
default = null;
};
@@ -22,7 +33,7 @@ in
the site-specific configuration for the shadow password suite.
See login.defs(5) man page for available options.
'';
- type = submodule {
+ type = lib.types.submodule {
freeformType = (pkgs.formats.keyValue { }).type;
/* There are three different sources for user/group id ranges, each of which gets
used by different programs:
@@ -37,62 +48,62 @@ in
DEFAULT_HOME = lib.mkOption {
description = "Indicate if login is allowed if we can't cd to the home directory.";
default = "yes";
- type = enum [ "yes" "no" ];
+ type = lib.types.enum [ "yes" "no" ];
};
ENCRYPT_METHOD = lib.mkOption {
description = "This defines the system default encryption algorithm for encrypting passwords.";
# The default crypt() method, keep in sync with the PAM default
default = "YESCRYPT";
- type = enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"];
+ type = lib.types.enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"];
};
SYS_UID_MIN = lib.mkOption {
description = "Range of user IDs used for the creation of system users by useradd or newusers.";
default = 400;
- type = int;
+ type = lib.types.int;
};
SYS_UID_MAX = lib.mkOption {
description = "Range of user IDs used for the creation of system users by useradd or newusers.";
default = 999;
- type = int;
+ type = lib.types.int;
};
UID_MIN = lib.mkOption {
description = "Range of user IDs used for the creation of regular users by useradd or newusers.";
default = 1000;
- type = int;
+ type = lib.types.int;
};
UID_MAX = lib.mkOption {
description = "Range of user IDs used for the creation of regular users by useradd or newusers.";
default = 29999;
- type = int;
+ type = lib.types.int;
};
SYS_GID_MIN = lib.mkOption {
description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers";
default = 400;
- type = int;
+ type = lib.types.int;
};
SYS_GID_MAX = lib.mkOption {
description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers";
default = 999;
- type = int;
+ type = lib.types.int;
};
GID_MIN = lib.mkOption {
description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.";
default = 1000;
- type = int;
+ type = lib.types.int;
};
GID_MAX = lib.mkOption {
description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.";
default = 29999;
- type = int;
+ type = lib.types.int;
};
TTYGROUP = lib.mkOption {
@@ -100,7 +111,7 @@ in
The terminal permissions: the login tty will be owned by the TTYGROUP group,
and the permissions will be set to TTYPERM'';
default = "tty";
- type = str;
+ type = lib.types.str;
};
TTYPERM = lib.mkOption {
@@ -108,14 +119,14 @@ in
The terminal permissions: the login tty will be owned by the TTYGROUP group,
and the permissions will be set to TTYPERM'';
default = "0620";
- type = str;
+ type = lib.types.str;
};
# Ensure privacy for newly created home directories.
UMASK = lib.mkOption {
description = "The file mode creation mask is initialized to this value.";
default = "077";
- type = str;
+ type = lib.types.str;
};
};
};
@@ -132,107 +143,115 @@ in
used outside the store (in particular in /etc/passwd).
'';
example = lib.literalExpression "pkgs.zsh";
- type = either path shellPackage;
+ type = lib.types.either lib.types.path lib.types.shellPackage;
};
};
###### implementation
- config = {
- assertions = [
- {
- assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX;
- message = "SYS_UID_MIN must be less than or equal to SYS_UID_MAX";
- }
- {
- assertion = cfg.settings.UID_MIN <= cfg.settings.UID_MAX;
- message = "UID_MIN must be less than or equal to UID_MAX";
- }
- {
- assertion = cfg.settings.SYS_GID_MIN <= cfg.settings.SYS_GID_MAX;
- message = "SYS_GID_MIN must be less than or equal to SYS_GID_MAX";
- }
- {
- assertion = cfg.settings.GID_MIN <= cfg.settings.GID_MAX;
- message = "GID_MIN must be less than or equal to GID_MAX";
- }
- ];
-
- security.loginDefs.settings.CHFN_RESTRICT =
- lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;
-
- environment.systemPackages = lib.optional config.users.mutableUsers cfg.package
- ++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell
- ++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux;
-
- environment.etc =
- # Create custom toKeyValue generator
- # see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification
- let
- toKeyValue = lib.generators.toKeyValue {
- mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
- };
- in
- {
- # /etc/login.defs: global configuration for pwdutils.
- # You cannot login without it!
- "login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);
-
- # /etc/default/useradd: configuration for useradd.
- "default/useradd".source = pkgs.writeText "useradd" ''
- GROUP=100
- HOME=/home
- SHELL=${utils.toShellPath config.users.defaultUserShell}
- '';
- };
+ config = lib.mkMerge [
+ {
+ assertions = [
+ {
+ assertion = config.security.shadow.enable || config.services.greetd.enable;
+ message = "You must enable at least one VT login method, either security.shadow.enable or services.greetd.enable";
+ }
+ ];
+ }
+ (lib.mkIf config.security.shadow.enable {
+ assertions = [
+ {
+ assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX;
+ message = "SYS_UID_MIN must be less than or equal to SYS_UID_MAX";
+ }
+ {
+ assertion = cfg.settings.UID_MIN <= cfg.settings.UID_MAX;
+ message = "UID_MIN must be less than or equal to UID_MAX";
+ }
+ {
+ assertion = cfg.settings.SYS_GID_MIN <= cfg.settings.SYS_GID_MAX;
+ message = "SYS_GID_MIN must be less than or equal to SYS_GID_MAX";
+ }
+ {
+ assertion = cfg.settings.GID_MIN <= cfg.settings.GID_MAX;
+ message = "GID_MIN must be less than or equal to GID_MAX";
+ }
+ ];
- security.pam.services = {
- chsh = { rootOK = true; };
- chfn = { rootOK = true; };
- su = {
- rootOK = true;
- forwardXAuth = true;
- logFailures = true;
- };
- passwd = { };
- # Note: useradd, groupadd etc. aren't setuid root, so it
- # doesn't really matter what the PAM config says as long as it
- # lets root in.
- useradd.rootOK = true;
- usermod.rootOK = true;
- userdel.rootOK = true;
- groupadd.rootOK = true;
- groupmod.rootOK = true;
- groupmems.rootOK = true;
- groupdel.rootOK = true;
- login = {
- startSession = true;
- allowNullPassword = true;
- showMotd = true;
- updateWtmp = true;
- };
- chpasswd = { rootOK = true; };
- };
+ security.loginDefs.settings.CHFN_RESTRICT = lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;
+
+ environment.systemPackages = lib.optional config.users.mutableUsers cfg.package
+ ++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell
+ ++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux;
+
+ environment.etc =
+ # Create custom toKeyValue generator
+ # see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification
+ let
+ toKeyValue = lib.generators.toKeyValue {
+ mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
+ };
+ in {
+ # /etc/login.defs: global configuration for pwdutils.
+ # You cannot login without it!
+ "login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);
+
+ # /etc/default/useradd: configuration for useradd.
+ "default/useradd".source = pkgs.writeText "useradd" ''
+ GROUP=100
+ HOME=/home
+ SHELL=${utils.toShellPath config.users.defaultUserShell}
+ '';
+ };
- security.wrappers =
- let
- mkSetuidRoot = source: {
- setuid = true;
- owner = "root";
- group = "root";
- inherit source;
+ security.pam.services = {
+ chsh.rootOK = true;
+ chfn.rootOK = true;
+ su = {
+ rootOK = true;
+ forwardXAuth = true;
+ logFailures = true;
};
- in
- {
- su = mkSetuidRoot "${cfg.package.su}/bin/su";
- sg = mkSetuidRoot "${cfg.package.out}/bin/sg";
- newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp";
- newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
- newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap";
- }
- // lib.optionalAttrs config.users.mutableUsers {
- chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";
- passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd";
+ passwd = { };
+ # Note: useradd, groupadd etc. aren't setuid root, so it
+ # doesn't really matter what the PAM config says as long as it
+ # lets root in.
+ useradd.rootOK = true;
+ usermod.rootOK = true;
+ userdel.rootOK = true;
+ groupadd.rootOK = true;
+ groupmod.rootOK = true;
+ groupmems.rootOK = true;
+ groupdel.rootOK = true;
+ login = {
+ startSession = true;
+ allowNullPassword = true;
+ showMotd = true;
+ updateWtmp = true;
+ };
+ chpasswd.rootOK = true;
};
- };
+
+ security.wrappers =
+ let
+ mkSetuidRoot = source: {
+ setuid = true;
+ owner = "root";
+ group = "root";
+ inherit source;
+ };
+ in
+ {
+ su = mkSetuidRoot "${cfg.package.su}/bin/su";
+ sg = mkSetuidRoot "${cfg.package.out}/bin/sg";
+ newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp";
+ newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
+ newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap";
+ }
+ // lib.optionalAttrs config.users.mutableUsers {
+ chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";
+ passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd";
+ };
+ })
+ ];
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-01 20:49:57 +0000