nixos: remove the grsecurity GID

This GID was used to exempt users from Grsecurity's `/proc` restrictions; we now prefer to rely on `security.hideProcessInformation`, which uses the `proc` group for this purpose. That leaves no use for the grsecurity GID. More generally, having only a single GID to, presumably, serve as the default for all of grsecurity's GID based exemption/resriction schemes would be problematic in any event, so if we decide to enable those grsecurity features in the future, more specific GIDs should be added.
2016-06-09 20:29:11 +02:00 · 2016-06-09 20:29:11 +02:00 · a53452f3e1
parent 0677cc61c8
commit a53452f3e1
2 changed files with 0 additions and 4 deletions
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -468,7 +468,6 @@ in {
        home = "/root";
        shell = mkDefault cfg.defaultUserShell;
        group = "root";
-        extraGroups = [ "grsecurity" ];
        initialHashedPassword = mkDefault config.security.initialRootPassword;
      };
      nobody = {
@ -497,7 +496,6 @@ in {
      nixbld.gid = ids.gids.nixbld;
      utmp.gid = ids.gids.utmp;
      adm.gid = ids.gids.adm;
-      grsecurity.gid = ids.gids.grsecurity;
      input.gid = ids.gids.input;
    };

--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -147,7 +147,6 @@
      foundationdb = 118;
      newrelic = 119;
      starbound = 120;
-      #grsecurity = 121; # unused
      hydra = 122;
      spiped = 123;
      teamspeak = 124;
@ -396,7 +395,6 @@
      foundationdb = 118;
      newrelic = 119;
      starbound = 120;
-      grsecurity = 121;
      hydra = 122;
      spiped = 123;
      teamspeak = 124;