From 3e7f4280df57ce69879bee643b10a6c8e8d1d4c4 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Sat, 16 Dec 2006 21:48:12 +0000
Subject: [PATCH] * activate-configuration.sh: make sure that we're running on
 a NixOS   installation to prevent horrible accidents. * Add the kernel
 parameters to isolinux.cfg. * Use useradd/groupadd to create users/groups;
 use Glibc's getent to   check for existence. * Create the root account
 properly.

svn path=/nixos/trunk/; revision=7357
---
 boot/boot-stage-2-init.sh                |  2 +
 configuration/activate-configuration.sh  | 52 ++++++++++++------------
 configuration/etc.nix                    |  7 ++--
 configuration/etc/pam.d/login            |  2 +-
 configuration/etc/pam.d/shadow           |  6 +++
 configuration/switch-to-configuration.sh |  5 +++
 configuration/system.nix                 |  7 +++-
 helpers/isolinux.cfg                     |  6 ---
 installer/nixos-installer.sh             |  5 +++
 instances/rescue-cd.nix                  | 16 +++++++-
 upstart-jobs/udev.nix                    |  4 +-
 11 files changed, 70 insertions(+), 42 deletions(-)
 create mode 100644 configuration/etc/pam.d/shadow
 delete mode 100644 helpers/isolinux.cfg

diff --git a/boot/boot-stage-2-init.sh b/boot/boot-stage-2-init.sh
index 71d3fcc10b5..a29b874c032 100644
--- a/boot/boot-stage-2-init.sh
+++ b/boot/boot-stage-2-init.sh
@@ -69,6 +69,7 @@ mount -t tmpfs -o "mode=0755" none /dev
 needWritableDir /tmp 01777
 needWritableDir /var 0755
 needWritableDir /nix/var 0755
+needWritableDir /root 0700
 
 
 # Miscellaneous boot time cleanup.
@@ -77,6 +78,7 @@ rm -rf /var/run
 
 # Create the minimal device nodes needed before we run udev.
 mknod -m 0666 /dev/null c 1 3
+mknod -m 0644 /dev/urandom c 1 9 # needed for passwd
 
 
 # Run the script that performs all configuration activation that does
diff --git a/configuration/activate-configuration.sh b/configuration/activate-configuration.sh
index a6971c9f7fc..ca2f6963d76 100644
--- a/configuration/activate-configuration.sh
+++ b/configuration/activate-configuration.sh
@@ -1,7 +1,7 @@
 #! @shell@
 
 export PATH=/empty
-for i in @path@; do PATH=$PATH:$i/bin; done
+for i in @path@; do PATH=$PATH:$i/bin:$i/sbin; done
 
 
 # Set up the statically computed bits of /etc.
@@ -35,41 +35,42 @@ chmod 664 /var/run/utmp
 mkdir -m 0755 -p /var/log
 
 
-# Enable a password-less root login.
-source @accounts@
-
+# If there is no password file yet, create a root account with an
+# empty password.
 if ! test -e /etc/passwd; then
-    if test -n "@readOnlyRoot@"; then
-        rootHome=/
-    else
-        rootHome=/home/root
-        mkdir -p $rootHome
-    fi
-    createUser root '' 0 0 'System administrator' $rootHome/var/empty @shell@
-fi
-
-if ! test -e /etc/group; then
-    echo "root:*:0" > /etc/group
+    rootHome=/root
+    touch /etc/passwd; chmod 0755 /etc/passwd
+    touch /etc/group; chmod 0755 /etc/passwd
+    touch /etc/shadow; chmod 0700 /etc/passwd
+    # Can't use useradd, since it complain that it doesn't know us
+    # (bootstrap problem!). 
+    echo "root:x:0:0:System administrator:$rootHome:@shell@" >> /etc/passwd
+    echo "root::::::::" >> /etc/shadow
+    groupadd -g 0 root
+    echo | passwd --stdin root
 fi
 
 
 # Set up Nix accounts.
 if test -z "@readOnlyRoot@"; then
 
+    if ! getent group nixbld > /dev/null; then
+        groupadd -g 30000 nixbld
+    fi
+
+    if ! getent group nogroup > /dev/null; then
+        groupadd -g 65534 nogroup
+    fi
+
     for i in $(seq 1 10); do
         account=nixbld$i
-        if ! userExists $account; then
-            createUser $account x \
-                $((i + 30000)) 30000 \
-                'Nix build user' /var/empty /noshell
+        if ! getent passwd $account > /dev/null; then
+            useradd -u $((i + 30000)) -g nogroup -G nixbld \
+                -d /var/empty -s /noshell \
+                -c "Nix build user $i" $account
         fi
-        accounts="$accounts${accounts:+,}$account"
     done
 
-    if ! grep -q "^nixbld:" /etc/group; then
-        echo "nixbld:*:30000:$accounts" >> /etc/group
-    fi
-
     mkdir -p /nix/etc/nix
     cat > /nix/etc/nix/nix.conf <<EOF
 build-users-group = nixbld
@@ -108,9 +109,6 @@ mkdir -m 0755 -p /nix/var/nix/temproots
 
 ln -sf /nix/var/nix/profiles /nix/var/nix/gcroots/
 
-chown root.nixbld /nix/store
-chmod 1775 /nix/store
-
 
 # Make a few setuid programs work.
 wrapperDir=@wrapperDir@
diff --git a/configuration/etc.nix b/configuration/etc.nix
index c65cafe33e4..be3bcf7b980 100644
--- a/configuration/etc.nix
+++ b/configuration/etc.nix
@@ -66,10 +66,11 @@ import ../helpers/make-etc.nix {
     )
     [
       "login"
-      "sshd"
-      "passwd"
-      "useradd"
       "other"
+      "passwd"
+      "shadow"
+      "sshd"
+      "useradd"
     ]
   );
 }
\ No newline at end of file
diff --git a/configuration/etc/pam.d/login b/configuration/etc/pam.d/login
index d3463aab5ae..83c1bcd2f34 100644
--- a/configuration/etc/pam.d/login
+++ b/configuration/etc/pam.d/login
@@ -1,4 +1,4 @@
-auth     required       @pam_unix2@/lib/security/pam_unix2.so
+auth     required       @pam_unix2@/lib/security/pam_unix2.so nullok
 account  required       @pam_unix2@/lib/security/pam_unix2.so
 password required       @pam_unix2@/lib/security/pam_unix2.so nullok
 session  required       @pam_unix2@/lib/security/pam_unix2.so
diff --git a/configuration/etc/pam.d/shadow b/configuration/etc/pam.d/shadow
new file mode 100644
index 00000000000..0148f1fea27
--- /dev/null
+++ b/configuration/etc/pam.d/shadow
@@ -0,0 +1,6 @@
+# Used by groupadd etc.
+auth     sufficient     pam_rootok.so
+auth     required       pam_permit.so
+account  required       pam_permit.so
+password required       pam_permit.so
+session  required       pam_deny.so
diff --git a/configuration/switch-to-configuration.sh b/configuration/switch-to-configuration.sh
index 8c03311a7c5..faf592834d9 100644
--- a/configuration/switch-to-configuration.sh
+++ b/configuration/switch-to-configuration.sh
@@ -5,6 +5,11 @@ export PATH=/empty
 for i in @path@; do PATH=$PATH:$i/bin; done
 action="$1"
 
+if ! test -e /etc/NIXOS; then
+    echo "This is not a NixOS installation (/etc/NIXOS) is missing!"
+    exit 1
+fi
+
 if test -z "$action"; then
     cat <<EOF
 Usage: $0 [switch|boot|test]
diff --git a/configuration/system.nix b/configuration/system.nix
index dad9fe4d3a3..a78708e8e4a 100644
--- a/configuration/system.nix
+++ b/configuration/system.nix
@@ -174,9 +174,12 @@ rec {
     readOnlyRoot = config.get ["boot" "readOnlyRoot"];
     hostName = config.get ["networking" "hostname"];
     wrapperDir = setuidWrapper.wrapperDir;
-    accounts = ../helpers/accounts.sh;
 
-    path = [pkgs.coreutils pkgs.gnugrep pkgs.findutils];
+    path = [
+      pkgs.coreutils pkgs.gnugrep pkgs.findutils
+      pkgs.glibc # needed for getent
+      pkgs.pwdutils
+    ];
 
     # We don't want to put all of `startPath' and `path' in $PATH, since
     # then we get an embarrassingly long $PATH.  So use the user
diff --git a/helpers/isolinux.cfg b/helpers/isolinux.cfg
deleted file mode 100644
index ff19e84c098..00000000000
--- a/helpers/isolinux.cfg
+++ /dev/null
@@ -1,6 +0,0 @@
-default linux
-prompt 1
-timeout 60
-label linux
-  kernel vmlinuz
-  append initrd=initrd selinux=0 apm=on acpi=on
diff --git a/installer/nixos-installer.sh b/installer/nixos-installer.sh
index f356462369e..6b6878f987e 100644
--- a/installer/nixos-installer.sh
+++ b/installer/nixos-installer.sh
@@ -128,6 +128,11 @@ chroot $mountPoint @nix@/bin/nix-env \
 echo "$targetDevice / somefs rw 0 0" > $mountPoint/etc/mtab
 
 
+# Mark the target as a NixOS installation, otherwise
+# switch-to-configuration will chicken out.
+touch $mountPoint/etc/NIXOS
+
+
 # Switch to the new system configuration.  This will install Grub with
 # a menu default pointing at the kernel/initrd/etc of the new
 # configuration.
diff --git a/instances/rescue-cd.nix b/instances/rescue-cd.nix
index 9d89380c768..8e201762b74 100644
--- a/instances/rescue-cd.nix
+++ b/instances/rescue-cd.nix
@@ -32,7 +32,7 @@ rec {
   cdMountPoints = pkgs.runCommand "mount-points" {} "
     ensureDir $out
     cd $out
-    mkdir proc sys tmp etc dev var mnt nix nix/var
+    mkdir proc sys tmp etc dev var mnt nix nix/var root
     touch $out/${configuration.boot.rootLabel}
   ";
 
@@ -64,6 +64,18 @@ rec {
   };
 
 
+  # The configuration file for isolinux.
+  isolinuxCfg = pkgs.writeText "isolinux.cfg" "
+    default linux
+    prompt 1
+    timeout 60
+    label linux
+      kernel vmlinuz
+      append initrd=initrd ${toString (system.config.get ["boot" "kernelParams"])}
+  ";
+    
+
+
   # Create an ISO image containing the isolinux boot loader, the
   # kernel, the initrd produced above, and the closure of the stage 2
   # init.
@@ -75,7 +87,7 @@ rec {
       { source = pkgs.syslinux + "/lib/syslinux/isolinux.bin";
         target = "isolinux/isolinux.bin";
       }
-      { source = ../helpers/isolinux.cfg;
+      { source = isolinuxCfg;
         target = "isolinux/isolinux.cfg";
       }
       { source = pkgs.kernel + "/vmlinuz";
diff --git a/upstart-jobs/udev.nix b/upstart-jobs/udev.nix
index 892004c5d27..0da100f7a1b 100644
--- a/upstart-jobs/udev.nix
+++ b/upstart-jobs/udev.nix
@@ -32,7 +32,9 @@ start script
     # Kill udev, let Upstart restart and monitor it.  (This is nasty,
     # but we have to run udevtrigger first.  Maybe we can use
     # Upstart's `binary' keyword, but it isn't implemented yet.)
-    ${procps}/bin/pkill -u root '^udevd$'
+    if ${procps}/bin/pkill -u root '^udevd$'; then
+        echo \"couldn't stop udevd\"
+    fi
 end script
 
 respawn ${udev}/sbin/udevd