Before: `users.users.user1.group = "group-not-defined-anywhere-else"`
would result in user1 having the primary group `nogroup`, assigned at
activation time and only with a (easy to miss) warning from the
activation script. This behaviour is a security issue becase no files
should be owned by `nogroup` and it allows for unrelated users (and
services) to accidentally have access to files they shouldn't have.
After: The configuration above results in this eval error:
- The following users have a primary group that is undefined: user1
Hint: Add this to your NixOS config:
users.groups.group-not-defined-anywhere-else = {};
This mitigates CVE-2023-4911, crucially without a mass-rebuild.
We drop insecure environment variables explicitly, including
glibc-specific ones, since musl doesn't do this by default.
Change-Id: I591a817e6d4575243937d9ccab51c23a96bed6f9
A further bug to our strange multi-user.target depending on
network-online.target issue is that systemd recently changed the
behaviour of systemd-networkd-wait-online to no longer consider the
absence of interfaces with RequiredForOnline to be sufficient to be
online: https://github.com/systemd/systemd/pull/27825
On the advice of the systemd developers
(https://github.com/systemd/systemd/issues/29388), this commit changes
the configuration of systemd-networkd-wait-online to pass --any by
default, and lets the default DHCP interfaces be RequiredForOnline
as they would be by default if the option is omitted.
It is plausible that systemd-networkd-wait-online may still fail if
there are no interfaces at all. However, that probably cannot be
avoided.
Otherwise, in non-interactive contexts (e.g. systemd units), this
entry (the default) won't be in the list. Only the profile relative
ones would be, since they were already using session variables. This
is clearly not the correct behavior.
All the locate versions we have support LOCATE_PATH, so just use that
instead of adding indirections all over the place AND forcing people
to rebuild their locate implementation if they want the path changed.
Allow the user to disable overriding the fileSystems option with
virtualisation.fileSystems by setting
`virtualisation.fileSystems = lib.mkForce { };`.
With this change you can use the qemu-vm module to boot from an external
image that was not produced by the qemu-vm module itself. The user can
now re-use the modularly set fileSystems option instead of having to
reproduce it in virtualisation.fileSystems.
Gonic accesses external services (e.g. Listenbrainz or last.FM) for
scrobbling, but it was previously not allowed to read
`/etc/resolv.conf`.
This had the effect that, unless a local resolver was configured on
the system, any connection attempt would fail due to DNS resolution
being unavailable.
* `sort (<)` also works for strings (TIL!), so no need for comparing
length and whether all keys from `cfg.settings` exist in `cfg.order`
(slightly less overhead).
* Don't build another piece of JSON (`orderedSections`), simply use
`cfg.settings`/`cfg.order` with `__structuredAttrs` to ensure a
properly ordered TOML.
This also has the upside of not having to do quote hackery.
* Also, a freeform submodule isn't strictly needed because we don't have
any special options defined, so replacing that with
`attrsOf format.type`.
Co-authored-by: Silvan Mosberger <github@infinisil.com>
