public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/users: Increase maximum system uid/gid from 499 to 999

Browse Source 
This enlarges the system uid/gid range 6-fold, from 100 to 600 ids. This
is a preventative measure against running out of dynamically allocated
ids for NixOS services with isSystemUser, which should become the
preferred way of allocating uids for non-real users.
This commit is contained in:
Silvan Mosberger 2019-07-31 23:19:49 +02:00
parent 6c8aed6391
commit 23d920c8f0
No known key found for this signature in database
GPG Key ID: 9424360B4B85C9E7
3 changed files with 26 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nixos/modules/config/update-users-groups.pl
View File

@ -56,12 +56,12 @@ sub allocGid {
$gidsUsed{$prevGid} = 1; $gidsUsed{$prevGid} = 1;
return $prevGid; return $prevGid;
} }
return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) }); return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 999, 0, sub { my ($gid) = @_; getgrgid($gid) });
} }
sub allocUid { sub allocUid {
my ($name, $isSystemUser) = @_; my ($name, $isSystemUser) = @_;
my ($min, $max, $up) = $isSystemUser ? (400, 499, 0) : (1000, 29999, 1); my ($min, $max, $up) = $isSystemUser ? (400, 999, 0) : (1000, 29999, 1);
my $prevUid = $uidMap->{$name}; my $prevUid = $uidMap->{$name};
if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) { if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) {
print STDERR "reviving user '$name' with UID $prevUid\n"; print STDERR "reviving user '$name' with UID $prevUid\n";

14
nixos/modules/programs/shadow.nix
View File

@ -6,17 +6,27 @@ with lib;
let let
/*
There are three different sources for user/group id ranges, each of which gets
used by different programs:
- The login.defs file, used by the useradd, groupadd and newusers commands
- The update-users-groups.pl file, used by NixOS in the activation phase to
decide on which ids to use for declaratively defined users without a static
id
- Systemd compile time options -Dsystem-uid-max= and -Dsystem-gid-max=, used
by systemd for features like ConditionUser=@system and systemd-sysusers
*/
loginDefs = loginDefs =
'' ''
DEFAULT_HOME yes DEFAULT_HOME yes
SYS_UID_MIN 400 SYS_UID_MIN 400
SYS_UID_MAX 499 SYS_UID_MAX 999
UID_MIN 1000 UID_MIN 1000
UID_MAX 29999 UID_MAX 29999
SYS_GID_MIN 400 SYS_GID_MIN 400
SYS_GID_MAX 499 SYS_GID_MAX 999
GID_MIN 1000 GID_MIN 1000
GID_MAX 29999 GID_MAX 29999

14
pkgs/os-specific/linux/systemd/default.nix
View File

@ -84,8 +84,18 @@ stdenv.mkDerivation {
"-Dldconfig=false" "-Dldconfig=false"
"-Dsmack=true" "-Dsmack=true"
"-Db_pie=true" "-Db_pie=true"
"-Dsystem-uid-max=499" #TODO: debug why awking around in /etc/login.defs doesn't work /*
"-Dsystem-gid-max=499" As of now, systemd doesn't allow runtime configuration of these values. So
the settings in /etc/login.defs have no effect on it. Many people think this
should be supported however, see
- https://github.com/systemd/systemd/issues/3855
- https://github.com/systemd/systemd/issues/4850
- https://github.com/systemd/systemd/issues/9769
- https://github.com/systemd/systemd/issues/9843
- https://github.com/systemd/systemd/issues/10184
*/
"-Dsystem-uid-max=999"
"-Dsystem-gid-max=999"
# "-Dtime-epoch=1" # "-Dtime-epoch=1"
(if !stdenv.hostPlatform.isEfi then "-Dgnu-efi=false" else "-Dgnu-efi=true") (if !stdenv.hostPlatform.isEfi then "-Dgnu-efi=false" else "-Dgnu-efi=true")