From 540c673364ecef13bd0b810d8d7b0dde901bbf78 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Fri, 28 May 2010 14:59:34 +0000
Subject: [PATCH] * Enable the `chfn' program. Note that by default non-root users are still not permitted to change their account information, as specified in login.defs.
svn path=/nixos/trunk/; revision=22049
---
 modules/programs/pwdutils/login.defs | 4 ++++
 modules/security/pam.nix | 1 +
 modules/security/setuid-wrappers.nix | 2 +-
 3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/programs/pwdutils/login.defs b/modules/programs/pwdutils/login.defs
index a310ca5af5a..98610a88ca8 100644
--- a/modules/programs/pwdutils/login.defs
+++ b/modules/programs/pwdutils/login.defs
@@ -12,3 +12,7 @@ GID_MAX 29999
 TTYGROUP tty
 TTYPERM 0620
+
+# Uncomment this to allow non-root users to change their account
+#information. This should be made configurable.
+#CHFN_RESTRICT frwh
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index fd1aae65ac9..0ee7595a5e1 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -204,6 +204,7 @@ in
 { name = "sshd"; }
 { name = "xlock"; }
 { name = "chsh"; rootOK = true; }
+ { name = "chfn"; rootOK = true; }
 { name = "su"; rootOK = true; forwardXAuth = true; }
 # Note: useradd, groupadd etc. aren't setuid root, so it
 # doesn't really matter what the PAM config says as long as it
diff --git a/modules/security/setuid-wrappers.nix b/modules/security/setuid-wrappers.nix
index 510c99b2f58..aa85ee20dc9 100644
--- a/modules/security/setuid-wrappers.nix
+++ b/modules/security/setuid-wrappers.nix
@@ -74,7 +74,7 @@ in
 config = {
 security.setuidPrograms =
- [ "passwd" "su" "crontab" "ping" "ping6"
+ [ "passwd" "chfn" "su" "crontab" "ping" "ping6"
 "fusermount" "wodim" "cdrdao" "growisofs"
 ];
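Review bot: The commented-out `#CHFN_RESTRICT frwh` at the end of the login.defs hunk leaves the effective policy implicit, so whether non-root users may edit their GECOS fields rests on chfn's built-in default and not on anything this file states. Because the same commit makes chfn setuid, the comment should spell out the default and what the letters grant, for example `# CHFN_RESTRICT lists the fields non-root users may change: f=full name, r=room, w=work phone, h=home phone.` followed by `# Left unset, only root may change account information (verify against the chfn in use).` The second added comment line is also missing a space after the `#` (`#information.`).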
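Review bot: Adding `"chfn"` to the default `security.setuidPrograms` list in setuid-wrappers.nix gives every system a setuid-root chfn wrapper, although the commit message says non-root users still cannot use it under the default login.defs. That enlarges the setuid-root surface with no functional gain in the default configuration. It would be tighter to add the wrapper only when the CHFN_RESTRICT policy is actually enabled, once that becomes an option as the login.defs comment intends. Until then, a comment beside the entry such as `# chfn: the setuid bit only matters when CHFN_RESTRICT is set in login.defs` would record the dependency. The `config` attribute set continues outside the hunk.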