* Use the `shadow' package instead of `pwdutils', `pam_login' and
  `su'.
* The `usermod' from `shadow' allows setting a supplementary group
  equal to the user's primary group, so the special hack for the
  `nixbld' group is no longer needed.
* Removed /etc/default/passwd since it's not used by the new passwd.
  The hash is configured in pam_unix.
* Move some values for `security.setuidPrograms' and
  `security.pam.services' to the appropriate modules.

svn path=/nixos/trunk/; revision=22107
Eelco Dolstra 2010-06-02 21:10:48 +00:00
parent 876954d15d
commit c089738bdc
12 changed files with 71 additions and 90 deletions


@ -44,12 +44,10 @@ let
pkgs.pciutils
pkgs.perl
pkgs.procps
pkgs.pwdutils
pkgs.reiserfsprogs
pkgs.rsync
pkgs.seccure
pkgs.strace
pkgs.su
pkgs.sysklogd
pkgs.sysvtools
pkgs.time


@ -173,16 +173,16 @@ in
if ! curEnt=$(getent passwd "$name"); then
useradd --system \
"$name" \
--comment "$description" \
''${uid:+--uid $uid} \
--gid "$group" \
--groups "$extraGroups" \
--home "$home" \
--shell "$shell" \
''${createHome:+--create-home}
''${createHome:+--create-home} \
"$name"
if test "''${password:0:1}" = 'X'; then
echo "''${password:1}" | ${pkgs.pwdutils}/bin/passwd --stdin "$name"
echo "''${password:1}" | ${pkgs.shadow}/bin/passwd --stdin "$name"
fi
else
#echo "updating user $name..."
@ -196,22 +196,13 @@ in
# unnecessary warnings about logged in users.
if test "$prevHome" = "$home"; then unset home; fi
usermod \
"$name" \
--comment "$description" \
''${uid:+--uid $uid} \
--gid "$group" \
--groups "$extraGroups" \
''${home:+--home "$home"} \
--shell "$shell"
fi
if test "$group" = nixbld; then
# As a special hack, add users that have nixbld as the
# primary group to the /etc/group entry for the nixbld
# group. `nix-store' currently expects this in order
# to get the UIDs of all the build users by doing a
# getprnam("nixbld") call.
groupmod "$group" -A "$name"
--shell "$shell" \
"$name"
fi
done
@ -227,14 +218,14 @@ in
if ! curEnt=$(getent group "$name"); then
groupadd --system \
"$name" \
''${gid:+--gid $gid}
''${gid:+--gid $gid} \
"$name"
else
#echo "updating group $name..."
oldIFS="$IFS"; IFS=:; set -- $curEnt; IFS="$oldIFS"
prevGid=$3
if test -n "$gid" -a "$prevGid" != "$gid"; then
groupmod "$name" --gid $gid
groupmod --gid $gid "$name"
fi
fi
done <<EndOfGroupList
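Review bot: The new line `echo "''${password:1}" | ${pkgs.shadow}/bin/passwd --stdin "$name"` keeps the `--stdin` switch from pwdutils, but `--stdin` is not an option of upstream shadow's passwd (it exists only as a distribution patch), so unless the `shadow` package used here carries that patch the password assignment will fail during activation. Nothing checks the pipeline's exit status either, so such a failure would only show up as a stray error message while the rest of the script continues. A portable form is shadow's own `chpasswd`, which reads `name:password` pairs from stdin: `echo "$name:''${password:1}" | ${pkgs.shadow}/bin/chpasswd`, followed by an explicit check of its exit status. The enclosing `while … done` loop over the user list begins before this hunk.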


@ -1,12 +1,12 @@
DEFAULT_HOME yes
SYSTEM_UID_MIN 100
SYSTEM_UID_MAX 499
SYS_UID_MIN 100
SYS_UID_MAX 499
UID_MIN 1000
UID_MAX 29999
SYSTEM_GID_MIN 100
SYSTEM_GID_MAX 499
SYS_GID_MIN 100
SYS_GID_MAX 499
GID_MIN 1000
GID_MAX 29999


@ -1,15 +0,0 @@
# Define default crypt hash
# CRYPT={des,md5,blowfish}
CRYPT=des
# for local files, use a more secure hash. We
# don't need to be portable here:
CRYPT_FILES=@filesCipher@
# sometimes we need to specify special options for
# a hash (variable is prepended by the name of the
# crypt hash).
BLOWFISH_CRYPT_FILES=10
# For NIS, we should always use DES:
CRYPT_YP=des


@ -4,6 +4,12 @@
let
in
{
###### interface
options = {
users.defaultUserShell = pkgs.lib.mkOption {
@ -19,39 +25,53 @@ let
};
in
###### implementation
{
require = [options];
config = {
environment.etc =
[ { # /etc/login.defs: global configuration for pwdutils. You
# cannot login without it!
source = ./login.defs;
target = "login.defs";
}
environment.systemPackages = [ pkgs.shadow ];
{ # /etc/default/passwd: configuration for passwd and friends
# (e.g., hash algorithm for /etc/passwd).
source = pkgs.substituteAll {
src = ./passwd.conf;
# This depends on pam_unix2 being built with libxcrypt or libc's libcrypt.
# Only in the first case it will understand 'blowfish'. And pam_unix2
# is not built with libxcrypt at the time of writing (it did not build)
filesCipher = if (pkgs.stdenv.system == "armv5tel-linux") then
"des" else "blowfish";
};
target = "default/passwd";
}
environment.etc =
[ { # /etc/login.defs: global configuration for pwdutils. You
# cannot login without it!
source = ./login.defs;
target = "login.defs";
}
{ # /etc/default/useradd: configuration for useradd.
source = pkgs.writeText "useradd"
''
GROUP=100
HOME=/home
SHELL=${config.users.defaultUserShell}
'';
target = "default/useradd";
}
];
{ # /etc/default/useradd: configuration for useradd.
source = pkgs.writeText "useradd"
''
GROUP=100
HOME=/home
SHELL=${config.users.defaultUserShell}
'';
target = "default/useradd";
}
];
security.pam.services =
[ { name = "chsh"; rootOK = true; }
{ name = "chfn"; rootOK = true; }
{ name = "su"; rootOK = true; forwardXAuth = true; }
{ name = "passwd"; }
# Note: useradd, groupadd etc. aren't setuid root, so it
# doesn't really matter what the PAM config says as long as it
# lets root in.
{ name = "useradd"; rootOK = true; }
{ name = "usermod"; rootOK = true; }
{ name = "userdel"; rootOK = true; }
{ name = "groupadd"; rootOK = true; }
{ name = "groupmod"; rootOK = true; }
{ name = "groupmems"; rootOK = true; }
{ name = "groupdel"; rootOK = true; }
{ name = "login"; ownDevices = true; allowNullPassword = true;
limits = config.security.pam.loginLimits;
}
];
security.setuidPrograms = [ "passwd" "chfn" "su" ];
};
}
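Review bot: The comment on the retained `environment.etc` entry still reads `# /etc/login.defs: global configuration for pwdutils.` although this commit replaces pwdutils with shadow; it should become `# /etc/login.defs: global configuration for shadow (useradd, login, ...). You cannot login without it!` so the next reader is not sent to the wrong package's documentation. Separately, `chsh` receives a PAM service with `rootOK = true` but is absent from `security.setuidPrograms = [ "passwd" "chfn" "su" ]`, so unprivileged users cannot change their shell even though the PAM side permits it; if that is intended, a one-line comment next to the list saying so would prevent it being "fixed" later. The `login` service is declared with `allowNullPassword = true`, which is worth a comment explaining why that relaxation is needed here rather than leaving it implicit.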


@ -199,22 +199,9 @@ in
{ name = "ejabberd"; }
{ name = "ftp"; }
{ name = "lshd"; }
{ name = "passwd"; }
{ name = "samba"; }
{ name = "sshd"; }
{ name = "xlock"; }
{ name = "chsh"; rootOK = true; }
{ name = "chfn"; rootOK = true; }
{ name = "su"; rootOK = true; forwardXAuth = true; }
# Note: useradd, groupadd etc. aren't setuid root, so it
# doesn't really matter what the PAM config says as long as it
# lets root in.
{ name = "useradd"; rootOK = true; }
# Used by groupadd etc.
{ name = "shadow"; rootOK = true; }
{ name = "login"; ownDevices = true; allowNullPassword = true;
limits = config.security.pam.loginLimits;
}
];
};


@ -74,9 +74,7 @@ in
config = {
security.setuidPrograms =
[ "passwd" "chfn" "su" "crontab" "ping" "ping6"
"fusermount" "wodim" "cdrdao" "growisofs"
];
[ "crontab" "fusermount" "wodim" "cdrdao" "growisofs" ];
system.activationScripts.setuid =
let


@ -12,10 +12,10 @@ let
/* For consistency with the setgid(2), setuid(2), and setgroups(2)
calls in `libstore/build.cc', don't add any supplementary group
here. */
here except "nixbld". */
uid = builtins.add config.ids.uids.nixbld nr;
group = "nixbld";
extraGroups = [];
extraGroups = [ "nixbld" ];
};
in
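Review bot: The new `extraGroups = [ "nixbld" ]` carries the only remaining copy of the build-user group hack, but the reason for it — which the removed activation-script comment explained — is now stated nowhere on the new side; the comment above merely says `except "nixbld"`. Add the rationale next to the field, e.g. `# nix-store enumerates the build users through the members of the nixbld group entry, so every build user must also be a supplementary member of it.` Note that this relies on shadow's usermod accepting the primary group in the `--groups` list, as the commit message states; that assumption should be recorded here too since the activation script no longer has a fallback for it.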


@ -57,7 +57,7 @@ with pkgs.lib;
startOn = "started udev";
exec = "${pkgs.mingetty}/sbin/mingetty --loginprog=${pkgs.pam_login}/bin/login --noclear ${tty}";
exec = "${pkgs.mingetty}/sbin/mingetty --loginprog=${pkgs.shadow}/bin/login --noclear ${tty}";
}) config.services.mingetty.ttys);


@ -28,7 +28,7 @@ let
let path = [
pkgs.coreutils pkgs.gnugrep pkgs.findutils
pkgs.glibc # needed for getent
pkgs.pwdutils
pkgs.shadow
pkgs.nettools # needed for hostname
]; in noDepEntry ''
export PATH=/empty


@ -54,7 +54,7 @@ with pkgs.lib;
echo ""
echo "<<< Maintenance shell >>>"
echo ""
${pkgs.pam_login}/bin/login root
${pkgs.shadow}/bin/login root
initctl emit -n startup
exit 0
fi


@ -142,6 +142,8 @@ in
pkgs.wirelesstools
pkgs.rfkill
];
security.setuidPrograms = [ "ping" "ping6" ];
jobs.networkInterfaces =
{ name = "network-interfaces";