* activate-configuration.sh: make sure that we're running on a NixOS

installation to prevent horrible accidents. * Add the kernel parameters to isolinux.cfg. * Use useradd/groupadd to create users/groups; use Glibc's getent to check for existence. * Create the root account properly. svn path=/nixos/trunk/; revision=7357
2006-12-16 21:48:12 +00:00 · 2006-12-16 21:48:12 +00:00 · 3e7f4280df
commit 3e7f4280df
parent 8f21b0119c
11 changed files with 70 additions and 42 deletions
--- a/boot/boot-stage-2-init.sh
+++ b/boot/boot-stage-2-init.sh
@ -69,6 +69,7 @@ mount -t tmpfs -o "mode=0755" none /dev
 needWritableDir /tmp 01777
 needWritableDir /var 0755
 needWritableDir /nix/var 0755
 needWritableDir /root 0700
 # Miscellaneous boot time cleanup.
@ -77,6 +78,7 @@ rm -rf /var/run
 # Create the minimal device nodes needed before we run udev.
 mknod -m 0666 /dev/null c 1 3
 mknod -m 0644 /dev/urandom c 1 9 # needed for passwd
 # Run the script that performs all configuration activation that does
--- a/configuration/activate-configuration.sh
+++ b/configuration/activate-configuration.sh
@ -1,7 +1,7 @@
 #! @shell@
 export PATH=/empty
-for i in @path@; do PATH=$PATH:$i/bin; done
+for i in @path@; do PATH=$PATH:$i/bin:$i/sbin; done
 # Set up the statically computed bits of /etc.
@ -35,41 +35,42 @@ chmod 664 /var/run/utmp
 mkdir -m 0755 -p /var/log
-# Enable a password-less root login.
+# If there is no password file yet, create a root account with an
-source @accounts@
+# empty password.
 if ! test -e /etc/passwd; then
-    if test -n "@readOnlyRoot@"; then
+    rootHome=/root
-        rootHome=/
+    touch /etc/passwd; chmod 0755 /etc/passwd
-    else
+    touch /etc/group; chmod 0755 /etc/passwd
-        rootHome=/home/root
+    touch /etc/shadow; chmod 0700 /etc/passwd
-        mkdir -p $rootHome
+    # Can't use useradd, since it complain that it doesn't know us
-    fi
+    # (bootstrap problem!). 
-    createUser root '' 0 0 'System administrator' $rootHome/var/empty @shell@
+    echo "root:x:0:0:System administrator:$rootHome:@shell@" >> /etc/passwd
-fi
+    echo "root::::::::" >> /etc/shadow
-
+    groupadd -g 0 root
-if ! test -e /etc/group; then
+    echo | passwd --stdin root
    echo "root:*:0" > /etc/group
 fi
 # Set up Nix accounts.
 if test -z "@readOnlyRoot@"; then
    if ! getent group nixbld > /dev/null; then
        groupadd -g 30000 nixbld
    fi
    if ! getent group nogroup > /dev/null; then
        groupadd -g 65534 nogroup
    fi
    for i in $(seq 1 10); do
        account=nixbld$i
-        if ! userExists $account; then
+        if ! getent passwd $account > /dev/null; then
-            createUser $account x \
+            useradd -u $((i + 30000)) -g nogroup -G nixbld \
-                $((i + 30000)) 30000 \
+                -d /var/empty -s /noshell \
-                'Nix build user' /var/empty /noshell
+                -c "Nix build user $i" $account
        fi
        accounts="$accounts${accounts:+,}$account"
    done
    if ! grep -q "^nixbld:" /etc/group; then
        echo "nixbld:*:30000:$accounts" >> /etc/group
    fi
    mkdir -p /nix/etc/nix
    cat > /nix/etc/nix/nix.conf <<EOF
 build-users-group = nixbld
@ -108,9 +109,6 @@ mkdir -m 0755 -p /nix/var/nix/temproots
 ln -sf /nix/var/nix/profiles /nix/var/nix/gcroots/
 chown root.nixbld /nix/store
 chmod 1775 /nix/store
 # Make a few setuid programs work.
 wrapperDir=@wrapperDir@
--- a/configuration/etc.nix
+++ b/configuration/etc.nix
@ -66,10 +66,11 @@ import ../helpers/make-etc.nix {
    )
    [
      "login"
      "sshd"
      "passwd"
      "useradd"
      "other"
      "passwd"
      "shadow"
      "sshd"
      "useradd"
    ]
  );
 }
--- a/configuration/etc/pam.d/login
+++ b/configuration/etc/pam.d/login
@ -1,4 +1,4 @@
-auth     required       @pam_unix2@/lib/security/pam_unix2.so
+auth     required       @pam_unix2@/lib/security/pam_unix2.so nullok
 account  required       @pam_unix2@/lib/security/pam_unix2.so
 password required       @pam_unix2@/lib/security/pam_unix2.so nullok
 session  required       @pam_unix2@/lib/security/pam_unix2.so
--- a/configuration/etc/pam.d/shadow
+++ b/configuration/etc/pam.d/shadow
@ -0,0 +1,6 @@
 # Used by groupadd etc.
 auth     sufficient     pam_rootok.so
 auth     required       pam_permit.so
 account  required       pam_permit.so
 password required       pam_permit.so
 session  required       pam_deny.so
--- a/configuration/switch-to-configuration.sh
+++ b/configuration/switch-to-configuration.sh
@ -5,6 +5,11 @@ export PATH=/empty
 for i in @path@; do PATH=$PATH:$i/bin; done
 action="$1"
 if ! test -e /etc/NIXOS; then
    echo "This is not a NixOS installation (/etc/NIXOS) is missing!"
    exit 1
 fi
 if test -z "$action"; then
    cat <<EOF
 Usage: $0 [switch|boot|test]
--- a/configuration/system.nix
+++ b/configuration/system.nix
@ -174,9 +174,12 @@ rec {
    readOnlyRoot = config.get ["boot" "readOnlyRoot"];
    hostName = config.get ["networking" "hostname"];
    wrapperDir = setuidWrapper.wrapperDir;
    accounts = ../helpers/accounts.sh;
-    path = [pkgs.coreutils pkgs.gnugrep pkgs.findutils];
+    path = [
      pkgs.coreutils pkgs.gnugrep pkgs.findutils
      pkgs.glibc # needed for getent
      pkgs.pwdutils
    ];
    # We don't want to put all of `startPath' and `path' in $PATH, since
    # then we get an embarrassingly long $PATH.  So use the user
--- a/helpers/isolinux.cfg
+++ b/helpers/isolinux.cfg
@ -1,6 +0,0 @@
 default linux
 prompt 1
 timeout 60
 label linux
  kernel vmlinuz
  append initrd=initrd selinux=0 apm=on acpi=on
--- a/installer/nixos-installer.sh
+++ b/installer/nixos-installer.sh
@ -128,6 +128,11 @@ chroot $mountPoint @nix@/bin/nix-env \
 echo "$targetDevice / somefs rw 0 0" > $mountPoint/etc/mtab
 # Mark the target as a NixOS installation, otherwise
 # switch-to-configuration will chicken out.
 touch $mountPoint/etc/NIXOS
 # Switch to the new system configuration.  This will install Grub with
 # a menu default pointing at the kernel/initrd/etc of the new
 # configuration.
--- a/instances/rescue-cd.nix
+++ b/instances/rescue-cd.nix
@ -32,7 +32,7 @@ rec {
  cdMountPoints = pkgs.runCommand "mount-points" {} "
    ensureDir $out
    cd $out
-    mkdir proc sys tmp etc dev var mnt nix nix/var
+    mkdir proc sys tmp etc dev var mnt nix nix/var root
    touch $out/${configuration.boot.rootLabel}
  ";
@ -64,6 +64,18 @@ rec {
  };
  # The configuration file for isolinux.
  isolinuxCfg = pkgs.writeText "isolinux.cfg" "
    default linux
    prompt 1
    timeout 60
    label linux
      kernel vmlinuz
      append initrd=initrd ${toString (system.config.get ["boot" "kernelParams"])}
  ";
  # Create an ISO image containing the isolinux boot loader, the
  # kernel, the initrd produced above, and the closure of the stage 2
  # init.
@ -75,7 +87,7 @@ rec {
      { source = pkgs.syslinux + "/lib/syslinux/isolinux.bin";
        target = "isolinux/isolinux.bin";
      }
-      { source = ../helpers/isolinux.cfg;
+      { source = isolinuxCfg;
        target = "isolinux/isolinux.cfg";
      }
      { source = pkgs.kernel + "/vmlinuz";
--- a/upstart-jobs/udev.nix
+++ b/upstart-jobs/udev.nix
@ -32,7 +32,9 @@ start script
    # Kill udev, let Upstart restart and monitor it.  (This is nasty,
    # but we have to run udevtrigger first.  Maybe we can use
    # Upstart's `binary' keyword, but it isn't implemented yet.)
-    ${procps}/bin/pkill -u root '^udevd$'
+    if ${procps}/bin/pkill -u root '^udevd$'; then
        echo \"couldn't stop udevd\"
    fi
 end script
 respawn ${udev}/sbin/udevd