From 1529641b5228265e80aca63f84890c2840b53d50 Mon Sep 17 00:00:00 2001 From: Alexander Ried Date: Wed, 1 Jun 2016 13:02:26 +0200 Subject: [PATCH] accountsservice: add support for mutableUsers = false Add code to accountsservice that returns an error if the environment variable NIXOS_USERS_PURE is set. This variable is set from the nixos accountsservice module if mutableUsers = false --- .../services/desktops/accountsservice.nix | 8 ++ ...ble-methods-that-change-files-in-etc.patch | 130 ++++++++++++++++++ .../libraries/accountsservice/default.nix | 1 + 3 files changed, 139 insertions(+) create mode 100644 pkgs/development/libraries/accountsservice/Disable-methods-that-change-files-in-etc.patch diff --git a/nixos/modules/services/desktops/accountsservice.nix b/nixos/modules/services/desktops/accountsservice.nix index c28c2729576..2a7450669ea 100644 --- a/nixos/modules/services/desktops/accountsservice.nix +++ b/nixos/modules/services/desktops/accountsservice.nix @@ -35,6 +35,14 @@ with lib; services.dbus.packages = [ pkgs.accountsservice ]; systemd.packages = [ pkgs.accountsservice ]; + + systemd.services.accounts-daemon= { + + wantedBy = [ "graphical.target" ]; + + } // (mkIf (!config.users.mutableUsers) { + environment.NIXOS_USERS_PURE = "true"; + }); }; } diff --git a/pkgs/development/libraries/accountsservice/Disable-methods-that-change-files-in-etc.patch b/pkgs/development/libraries/accountsservice/Disable-methods-that-change-files-in-etc.patch new file mode 100644 index 00000000000..acaccb8c848 --- /dev/null +++ b/pkgs/development/libraries/accountsservice/Disable-methods-that-change-files-in-etc.patch 
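Review bot: In the `systemd.services.accounts-daemon` definition, `{ wantedBy = ...; } // (mkIf ...)` merges a plain attribute set with a `mkIf` value, and the result inherits the `_type = "if"` marker of the `mkIf`; as far as I can tell from how the module system discharges such values, only the `content` of the `mkIf` survives, so `wantedBy = [ "graphical.target" ]` is silently dropped, and the whole definition disappears when `mutableUsers` is true. Use a plain conditional attribute set instead, `} // (optionalAttrs (!config.users.mutableUsers) {` (the file already has `with lib;`), or move the condition inside: `environment = mkIf (!config.users.mutableUsers) { NIXOS_USERS_PURE = "true"; };`. Minor style: `accounts-daemon= {` is missing the space before `=`. Note also that the variable only reaches the daemon when it is started through this unit, which is the normal D-Bus activation path on NixOS but is worth stating in a comment next to the `environment` line, since the guard in the C patch is only as strong as that environment.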
@@ -0,0 +1,130 @@ +From 6f172007452b39bfda5062fc29ea5382671ac16e Mon Sep 17 00:00:00 2001 +From: Alexander Ried +Date: Thu, 26 May 2016 19:54:21 +0200 +Subject: [PATCH] Disable methods that change files in /etc + +Only if environment variable NIXOS_USERS_PURE is set. +--- + src/daemon.c | 10 ++++++++++ + src/user.c | 35 +++++++++++++++++++++++++++++++++++ + 2 files changed, 45 insertions(+) + +diff --git a/src/daemon.c b/src/daemon.c +index e62e124..87459b2 100644 +--- a/src/daemon.c ++++ b/src/daemon.c +@@ -931,6 +931,11 @@ daemon_create_user (AccountsAccounts *accounts, + const gchar *real_name, + gint account_type) + { ++ if (getenv("NIXOS_USERS_PURE")) { ++ throw_error (context, ERROR_NOT_SUPPORTED, "Modifying users not supported without users.mutableUsers"); ++ return; ++ } ++ + Daemon *daemon = (Daemon*)accounts; + CreateUserData *data; + +@@ -1138,6 +1143,11 @@ daemon_delete_user (AccountsAccounts *accounts, + gint64 uid, + gboolean remove_files) + { ++ if (getenv("NIXOS_USERS_PURE")) { ++ throw_error (context, ERROR_NOT_SUPPORTED, "Modifying users not supported without users.mutableUsers"); ++ return; ++ } ++ + Daemon *daemon = (Daemon*)accounts; + DeleteUserData *data; + +diff --git a/src/user.c b/src/user.c +index 0fb1a17..dbdebaf 100644 +--- a/src/user.c ++++ b/src/user.c +@@ -904,6 +904,11 @@ user_set_real_name (AccountsUser *auser, + GDBusMethodInvocation *context, + const gchar *real_name) + { ++ if (getenv("NIXOS_USERS_PURE")) { ++ throw_error (context, ERROR_NOT_SUPPORTED, "Modifying users not supported without users.mutableUsers"); ++ return; ++ } ++ + User *user = (User*)auser; + int uid; + const gchar *action_id; +@@ -981,6 +986,11 @@ user_set_user_name (AccountsUser *auser, + GDBusMethodInvocation *context, + const gchar *user_name) + { ++ if (getenv("NIXOS_USERS_PURE")) { ++ throw_error (context, ERROR_NOT_SUPPORTED, "Modifying users not supported without users.mutableUsers"); ++ return; ++ } ++ + User *user = (User*)auser; + 
daemon_local_check_auth (user->daemon, + user, +@@ -1263,6 +1273,11 @@ user_set_home_directory (AccountsUser *auser, + GDBusMethodInvocation *context, + const gchar *home_dir) + { ++ if (getenv("NIXOS_USERS_PURE")) { ++ throw_error (context, ERROR_NOT_SUPPORTED, "Modifying users not supported without users.mutableUsers"); ++ return; ++ } ++ + User *user = (User*)auser; + daemon_local_check_auth (user->daemon, + user, +@@ -1322,6 +1337,11 @@ user_set_shell (AccountsUser *auser, + GDBusMethodInvocation *context, + const gchar *shell) + { ++ if (getenv("NIXOS_USERS_PURE")) { ++ throw_error (context, ERROR_NOT_SUPPORTED, "Modifying users not supported without users.mutableUsers"); ++ return; ++ } ++ + User *user = (User*)auser; + daemon_local_check_auth (user->daemon, + user, +@@ -1602,6 +1622,11 @@ user_set_locked (AccountsUser *auser, + GDBusMethodInvocation *context, + gboolean locked) + { ++ if (getenv("NIXOS_USERS_PURE")) { ++ throw_error (context, ERROR_NOT_SUPPORTED, "Modifying users not supported without users.mutableUsers"); ++ return; ++ } ++ + User *user = (User*)auser; + daemon_local_check_auth (user->daemon, + user, +@@ -1814,6 +1839,11 @@ user_set_password_mode (AccountsUser *auser, + GDBusMethodInvocation *context, + gint mode) + { ++ if (getenv("NIXOS_USERS_PURE")) { ++ throw_error (context, ERROR_NOT_SUPPORTED, "Modifying users not supported without users.mutableUsers"); ++ return; ++ } ++ + User *user = (User*)auser; + const gchar *action_id; + +@@ -1905,6 +1935,11 @@ user_set_password (AccountsUser *auser, + const gchar *password, + const gchar *hint) + { ++ if (getenv("NIXOS_USERS_PURE")) { ++ throw_error (context, ERROR_NOT_SUPPORTED, "Modifying users not supported without users.mutableUsers"); ++ return; ++ } ++ + User *user = (User*)auser; + gchar **data; + +-- +2.9.3 + diff --git a/pkgs/development/libraries/accountsservice/default.nix b/pkgs/development/libraries/accountsservice/default.nix index 4e19c880dd4..9b8f1048b13 100644 
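Review bot: The same five-line `getenv`/`throw_error`/`return` prologue is pasted into nine D-Bus method handlers across daemon.c and user.c, which makes the guard easy to miss when the next mutating method is added; factor it into one helper declared next to `throw_error` so each handler reduces to `if (reject_if_users_pure (context)) return;`. Coverage also looks incomplete: `user_set_account_type` changes group membership through `usermod` in upstream accountsservice as I recall it, which rewrites a file under /etc, yet it is not in this list — confirm against the patched tree and guard it the same way. `getenv` needs `<stdlib.h>`, and no hunk adds an include, so this relies on it already being pulled in transitively in both files. The fail-closed ordering is right: the check runs before `daemon_local_check_auth`, so an unsupported request is refused before any polkit prompt is raised. Every patched handler continues past its hunk.
```c
/* Shared guard for every handler that would rewrite files under /etc:
 * refuse the request when NixOS manages users declaratively. */
gboolean
reject_if_users_pure (GDBusMethodInvocation *context)
{
        if (getenv ("NIXOS_USERS_PURE") == NULL)
                return FALSE;
        throw_error (context, ERROR_NOT_SUPPORTED,
                     "Modifying users not supported without users.mutableUsers");
        return TRUE;
}

/* … unchanged: daemon_create_user signature … */
{
        if (reject_if_users_pure (context))
                return;
        /* … unchanged: rest of daemon_create_user; the same one-liner replaces the block in the other eight handlers … */
```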
--- a/pkgs/development/libraries/accountsservice/default.nix +++ b/pkgs/development/libraries/accountsservice/default.nix @@ -23,6 +23,7 @@ stdenv.mkDerivation rec { patches = [ ./no-create-dirs.patch ./Add-nixbld-to-user-blacklist.patch + ./Disable-methods-that-change-files-in-etc.patch ]; preFixup = ''