nixos/users: require one of users.users.name.{isSystemUser,isNormalUser}

As the only consequence of isSystemUser is that if the uid is null then it's allocated below 500, if a user has uid = something below 500 then we don't require isSystemUser to be set. Motivation: https://github.com/NixOS/nixpkgs/issues/112647
2021-03-07 14:54:00 +01:00 · 2021-03-07 14:54:00 +01:00 · 7a87973b4c
parent 311ceed827
commit 7a87973b4c
23 changed files with 80 additions and 32 deletions
--- a/nixos/doc/manual/development/settings-options.xml
+++ b/nixos/doc/manual/development/settings-options.xml
@ -167,7 +167,7 @@ in {
    # We know that the `user` attribute exists because we set a default value
    # for it above, allowing us to use it without worries here
-    users.users.${cfg.settings.user} = {};
+    users.users.${cfg.settings.user} = { isSystemUser = true; };
    # ...
  };
--- a/nixos/doc/manual/release-notes/rl-2105.xml
+++ b/nixos/doc/manual/release-notes/rl-2105.xml
@ -839,6 +839,13 @@ environment.systemPackages = [
     The option's description was incorrect regarding ownership management and has been simplified greatly.
    </para>
   </listitem>
   <listitem>
    <para>
      When defining a new user, one of <xref linkend="opt-users.users._name_.isNormalUser" /> and <xref linkend="opt-users.users._name_.isSystemUser" /> is now required.
      This is to prevent accidentally giving a UID above 1000 to system users, which could have unexpected consequences, like running user activation scripts for system users.
      Note that users defined with an explicit UID below 500 are exempted from this check, as <xref linkend="opt-users.users._name_.isSystemUser" /> has no effect for those.
    </para>
   </listitem>
   <listitem>
     <para>
       The GNOME desktop manager once again installs <package>gnome3.epiphany</package> by default.
--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@ -306,6 +306,7 @@ in {
        description = "PulseAudio system service user";
        home = stateDir;
        createHome = true;
        isSystemUser = true;
      };
      users.groups.pulse.gid = gid;
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -92,6 +92,8 @@ let
          the user's UID is allocated in the range for system users
          (below 500) or in the range for normal users (starting at
          1000).
          Exactly one of <literal>isNormalUser</literal> and
          <literal>isSystemUser</literal> must be true.
        '';
      };
@ -107,6 +109,8 @@ let
          <option>useDefaultShell</option> to <literal>true</literal>,
          and <option>isSystemUser</option> to
          <literal>false</literal>.
          Exactly one of <literal>isNormalUser</literal> and
          <literal>isSystemUser</literal> must be true.
        '';
      };
@ -521,6 +525,7 @@ in {
      };
      nobody = {
        uid = ids.uids.nobody;
        isSystemUser = true;
        description = "Unprivileged account (don't use!)";
        group = "nogroup";
      };
@ -608,17 +613,28 @@ in {
          Neither the root account nor any wheel user has a password or SSH authorized key.
          You must set one to prevent being locked out of your system.'';
      }
-    ] ++ flip mapAttrsToList cfg.users (name: user:
+    ] ++ flatten (flip mapAttrsToList cfg.users (name: user:
-      {
+      [
        {
        assertion = (user.hashedPassword != null)
-                    -> (builtins.match ".*:.*" user.hashedPassword == null);
+        -> (builtins.match ".*:.*" user.hashedPassword == null);
        message = ''
-          The password hash of user "${user.name}" contains a ":" character.
+            The password hash of user "${user.name}" contains a ":" character.
-          This is invalid and would break the login system because the fields
+            This is invalid and would break the login system because the fields
-          of /etc/shadow (file where hashes are stored) are colon-separated.
+            of /etc/shadow (file where hashes are stored) are colon-separated.
-          Please check the value of option `users.users."${user.name}".hashedPassword`.'';
+            Please check the value of option `users.users."${user.name}".hashedPassword`.'';
-      }
+          }
-    );
+          {
            assertion = let
              xor = a: b: a && !b || b && !a;
              isEffectivelySystemUser = user.isSystemUser || (user.uid != null && user.uid < 500);
            in xor isEffectivelySystemUser user.isNormalUser;
            message = ''
              Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.
            '';
          }
        ]
    ));
    warnings =
      builtins.filter (x: x != null) (
--- a/nixos/modules/services/backup/borgbackup.nix
+++ b/nixos/modules/services/backup/borgbackup.nix
@ -169,6 +169,7 @@ let
        (map (mkAuthorizedKey cfg false) cfg.authorizedKeys
        ++ map (mkAuthorizedKey cfg true) cfg.authorizedKeysAppendOnly);
      useDefaultShell = true;
      isSystemUser = true;
    };
    groups.${cfg.group} = { };
  };
--- a/nixos/modules/services/databases/pgmanage.nix
+++ b/nixos/modules/services/databases/pgmanage.nix
@ -197,6 +197,7 @@ in {
        group = pgmanage;
        home  = cfg.sqlRoot;
        createHome = true;
        isSystemUser = true;
      };
      groups.${pgmanage} = {
        name = pgmanage;
--- a/nixos/modules/services/misc/bazarr.nix
+++ b/nixos/modules/services/misc/bazarr.nix
@ -64,6 +64,7 @@ in
    users.users = mkIf (cfg.user == "bazarr") {
      bazarr = {
        isSystemUser = true;
        group = cfg.group;
        home = "/var/lib/${config.systemd.services.bazarr.serviceConfig.StateDirectory}";
      };
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -21,6 +21,7 @@ let
         calls in `libstore/build.cc', don't add any supplementary group
         here except "nixbld".  */
      uid = builtins.add config.ids.uids.nixbld nr;
      isSystemUser = true;
      group = "nixbld";
      extraGroups = [ "nixbld" ];
    };
--- a/nixos/modules/services/monitoring/tuptime.nix
+++ b/nixos/modules/services/monitoring/tuptime.nix
@ -34,7 +34,10 @@ in {
    users = {
      groups._tuptime.members = [ "_tuptime" ];
-      users._tuptime.description = "tuptime database owner";
+      users._tuptime = {
        isSystemUser = true;
        description = "tuptime database owner";
      };
    };
    systemd = {
--- a/nixos/modules/services/networking/bird.nix
+++ b/nixos/modules/services/networking/bird.nix
@ -73,6 +73,7 @@ let
          users.${variant} = {
            description = "BIRD Internet Routing Daemon user";
            group = variant;
            isSystemUser = true;
          };
          groups.${variant} = {};
        };
--- a/nixos/modules/services/networking/ncdns.nix
+++ b/nixos/modules/services/networking/ncdns.nix
@ -243,8 +243,10 @@ in
        xlog.journal = true;
    };
-    users.users.ncdns =
+    users.users.ncdns = {
-      { description = "ncdns daemon user"; };
+      isSystemUser = true;
      description = "ncdns daemon user";
    };
    systemd.services.ncdns = {
      description = "ncdns daemon";
--- a/nixos/modules/services/networking/pixiecore.nix
+++ b/nixos/modules/services/networking/pixiecore.nix
@ -93,6 +93,7 @@ in
    users.users.pixiecore = {
      description = "Pixiecore daemon user";
      group = "pixiecore";
      isSystemUser = true;
    };
    networking.firewall = mkIf cfg.openFirewall {
--- a/nixos/modules/services/networking/pleroma.nix
+++ b/nixos/modules/services/networking/pleroma.nix
@ -75,6 +75,7 @@ in {
        description = "Pleroma user";
        home = cfg.stateDir;
        extraGroups = [ cfg.group ];
        isSystemUser = true;
      };
      groups."${cfg.group}" = {};
    };
--- a/nixos/modules/services/security/privacyidea.nix
+++ b/nixos/modules/services/security/privacyidea.nix
@ -264,6 +264,7 @@ in
      users.users.privacyidea = mkIf (cfg.user == "privacyidea") {
        group = cfg.group;
        isSystemUser = true;
      };
      users.groups.privacyidea = mkIf (cfg.group == "privacyidea") {};
@ -294,6 +295,7 @@ in
      users.users.pi-ldap-proxy = mkIf (cfg.ldap-proxy.user == "pi-ldap-proxy") {
        group = cfg.ldap-proxy.group;
        isSystemUser = true;
      };
      users.groups.pi-ldap-proxy = mkIf (cfg.ldap-proxy.group == "pi-ldap-proxy") {};
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -607,6 +607,7 @@ in {
        home = "${cfg.home}";
        group = "nextcloud";
        createHome = true;
        isSystemUser = true;
      };
      users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ];
--- a/nixos/tests/mysql/mariadb-galera-mariabackup.nix
+++ b/nixos/tests/mysql/mariadb-galera-mariabackup.nix
@ -31,7 +31,7 @@ in {
        firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
        firewall.allowedUDPPorts = [ 4567 ];
      };
-      users.users.testuser = { };
+      users.users.testuser = { isSystemUser = true; };
      systemd.services.mysql = with pkgs; {
        path = [ mysqlenv-common mysqlenv-mariabackup ];
      };
@ -89,7 +89,7 @@ in {
        firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
        firewall.allowedUDPPorts = [ 4567 ];
      };
-      users.users.testuser = { };
+      users.users.testuser = { isSystemUser = true; };
      systemd.services.mysql = with pkgs; {
        path = [ mysqlenv-common mysqlenv-mariabackup ];
      };
@ -136,7 +136,7 @@ in {
        firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
        firewall.allowedUDPPorts = [ 4567 ];
      };
-      users.users.testuser = { };
+      users.users.testuser = { isSystemUser = true; };
      systemd.services.mysql = with pkgs; {
        path = [ mysqlenv-common mysqlenv-mariabackup ];
      };
--- a/nixos/tests/mysql/mariadb-galera-rsync.nix
+++ b/nixos/tests/mysql/mariadb-galera-rsync.nix
@ -31,7 +31,7 @@ in {
        firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
        firewall.allowedUDPPorts = [ 4567 ];
      };
-      users.users.testuser = { };
+      users.users.testuser = { isSystemUser = true; };
      systemd.services.mysql = with pkgs; {
        path = [ mysqlenv-common mysqlenv-rsync ];
      };
@ -84,7 +84,7 @@ in {
        firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
        firewall.allowedUDPPorts = [ 4567 ];
      };
-      users.users.testuser = { };
+      users.users.testuser = { isSystemUser = true; };
      systemd.services.mysql = with pkgs; {
        path = [ mysqlenv-common mysqlenv-rsync ];
      };
@ -130,7 +130,7 @@ in {
        firewall.allowedTCPPorts = [ 3306 4444 4567 4568 ];
        firewall.allowedUDPPorts = [ 4567 ];
      };
-      users.users.testuser = { };
+      users.users.testuser = { isSystemUser = true; };
      systemd.services.mysql = with pkgs; {
        path = [ mysqlenv-common mysqlenv-rsync ];
      };
--- a/nixos/tests/mysql/mysql.nix
+++ b/nixos/tests/mysql/mysql.nix
@ -9,8 +9,8 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
      { pkgs, ... }:
      {
-        users.users.testuser = { };
+        users.users.testuser = { isSystemUser = true; };
-        users.users.testuser2 = { };
+        users.users.testuser2 = { isSystemUser = true; };
        services.mysql.enable = true;
        services.mysql.initialDatabases = [
          { name = "testdb3"; schema = ./testdb.sql; }
@ -44,8 +44,8 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
        # Kernel panic - not syncing: Out of memory: compulsory panic_on_oom is enabled
        virtualisation.memorySize = 1024;
-        users.users.testuser = { };
+        users.users.testuser = { isSystemUser = true; };
-        users.users.testuser2 = { };
+        users.users.testuser2 = { isSystemUser = true; };
        services.mysql.enable = true;
        services.mysql.initialDatabases = [
          { name = "testdb3"; schema = ./testdb.sql; }
@ -75,8 +75,8 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
      { pkgs, ... }:
      {
-        users.users.testuser = { };
+        users.users.testuser = { isSystemUser = true; };
-        users.users.testuser2 = { };
+        users.users.testuser2 = { isSystemUser = true; };
        services.mysql.enable = true;
        services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
          ALTER USER root@localhost IDENTIFIED WITH unix_socket;
--- a/nixos/tests/redis.nix
+++ b/nixos/tests/redis.nix
@ -22,11 +22,10 @@ in
        users.users."member" = {
          createHome = false;
          description = "A member of the redis group";
          isNormalUser = true;
          extraGroups = [
            "redis"
          ];
          group = "users";
          shell = "/bin/sh";
        };
      };
  };
--- a/nixos/tests/rspamd.nix
+++ b/nixos/tests/rspamd.nix
@ -274,7 +274,10 @@ in
        I find cows to be evil don't you?
      '';
-      users.users.tester.password = "test";
+      users.users.tester = {
        isNormalUser = true;
        password = "test";
      };
      services.postfix = {
        enable = true;
        destination = ["example.com"];
--- a/nixos/tests/shadow.nix
+++ b/nixos/tests/shadow.nix
@ -13,14 +13,17 @@ in import ./make-test-python.nix ({ pkgs, ... }: {
    users = {
      mutableUsers = true;
      users.emma = {
        isNormalUser = true;
        password = password1;
        shell = pkgs.bash;
      };
      users.layla = {
        isNormalUser = true;
        password = password2;
        shell = pkgs.shadow;
      };
      users.ash = {
        isNormalUser = true;
        password = password4;
        shell = pkgs.bash;
      };
--- a/nixos/tests/systemd-confinement.nix
+++ b/nixos/tests/systemd-confinement.nix
@ -150,6 +150,7 @@ import ./make-test-python.nix {
    config.users.groups.chroot-testgroup = {};
    config.users.users.chroot-testuser = {
      isSystemUser = true;
      description = "Chroot Test User";
      group = "chroot-testgroup";
    };
--- a/nixos/tests/unbound.nix
+++ b/nixos/tests/unbound.nix
@ -132,12 +132,15 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
        users.users = {
          # user that is permitted to access the unix socket
-          someuser.extraGroups = [
+          someuser = {
-            config.users.users.unbound.group
+            isSystemUser = true;
-          ];
+            extraGroups = [
              config.users.users.unbound.group
            ];
          };
          # user that is not permitted to access the unix socket
-          unauthorizeduser = {};
+          unauthorizeduser = { isSystemUser = true; };
        };
        environment.etc = {