* Use the `shadow' package instead of `pwdutils', `pam_login' and
  `su'.
* The `usermod' from `shadow' allows setting a supplementary group
  equal to the user's primary group, so the special hack for the
  `nixbld' group is no longer needed.
* Removed /etc/default/passwd since it's not used by the new passwd.
  The hash is configured in pam_unix.
* Move some values for `security.setuidPrograms' and
  `security.pam.services' to the appropriate modules.

svn path=/nixos/trunk/; revision=22107
This commit is contained in:
Eelco Dolstra
2010-06-02 21:10:48 +00:00
parent 876954d15d
commit c089738bdc
12 changed files with 71 additions and 90 deletions


@@ -1,12 +1,12 @@
DEFAULT_HOME yes
SYSTEM_UID_MIN 100
SYSTEM_UID_MAX 499
SYS_UID_MIN 100
SYS_UID_MAX 499
UID_MIN 1000
UID_MAX 29999
SYSTEM_GID_MIN 100
SYSTEM_GID_MAX 499
SYS_GID_MIN 100
SYS_GID_MAX 499
GID_MIN 1000
GID_MAX 29999
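Review bot: The new side keeps both key spellings for the reserved ranges — `SYSTEM_UID_MIN`/`SYSTEM_UID_MAX`/`SYSTEM_GID_MIN`/`SYSTEM_GID_MAX` next to `SYS_UID_MIN`/`SYS_UID_MAX`/`SYS_GID_MIN`/`SYS_GID_MAX` — and the file says nothing about why. The `SYS_*` names appear to be the ones shadow's useradd/groupadd read, while the `SYSTEM_*` names look like a leftover from pwdutils; if nothing else consumes them they could be dropped, and if they are kept on purpose a one-line comment such as `# SYSTEM_* are the pwdutils spellings; SYS_* are read by shadow — keep both in sync` would stop the two ranges from drifting apart in a later edit. Because these bounds decide which UIDs/GIDs count as system accounts, a silent mismatch between the two sets would be easy to miss and hard to debug.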


@@ -1,15 +0,0 @@
# Define default crypt hash
# CRYPT={des,md5,blowfish}
CRYPT=des
# for local files, use a more secure hash. We
# don't need to be portable here:
CRYPT_FILES=@filesCipher@
# sometimes we need to specify special options for
# a hash (variable is prepended by the name of the
# crypt hash).
BLOWFISH_CRYPT_FILES=10
# For NIS, we should always use DES:
CRYPT_YP=des


@@ -4,6 +4,12 @@
let
in
{
###### interface
options = {
users.defaultUserShell = pkgs.lib.mkOption {
@@ -19,39 +25,53 @@ let
};
in
###### implementation
{
require = [options];
config = {
environment.etc =
[ { # /etc/login.defs: global configuration for pwdutils. You
# cannot login without it!
source = ./login.defs;
target = "login.defs";
}
environment.systemPackages = [ pkgs.shadow ];
{ # /etc/default/passwd: configuration for passwd and friends
# (e.g., hash algorithm for /etc/passwd).
source = pkgs.substituteAll {
src = ./passwd.conf;
# This depends on pam_unix2 being built with libxcrypt or libc's libcrypt.
# Only in the first case it will understand 'blowfish'. And pam_unix2
# is not built with libxcrypt at the time of writing (it did not build)
filesCipher = if (pkgs.stdenv.system == "armv5tel-linux") then
"des" else "blowfish";
};
target = "default/passwd";
}
environment.etc =
[ { # /etc/login.defs: global configuration for pwdutils. You
# cannot login without it!
source = ./login.defs;
target = "login.defs";
}
{ # /etc/default/useradd: configuration for useradd.
source = pkgs.writeText "useradd"
''
GROUP=100
HOME=/home
SHELL=${config.users.defaultUserShell}
'';
target = "default/useradd";
}
];
{ # /etc/default/useradd: configuration for useradd.
source = pkgs.writeText "useradd"
''
GROUP=100
HOME=/home
SHELL=${config.users.defaultUserShell}
'';
target = "default/useradd";
}
];
security.pam.services =
[ { name = "chsh"; rootOK = true; }
{ name = "chfn"; rootOK = true; }
{ name = "su"; rootOK = true; forwardXAuth = true; }
{ name = "passwd"; }
# Note: useradd, groupadd etc. aren't setuid root, so it
# doesn't really matter what the PAM config says as long as it
# lets root in.
{ name = "useradd"; rootOK = true; }
{ name = "usermod"; rootOK = true; }
{ name = "userdel"; rootOK = true; }
{ name = "groupadd"; rootOK = true; }
{ name = "groupmod"; rootOK = true; }
{ name = "groupmems"; rootOK = true; }
{ name = "groupdel"; rootOK = true; }
{ name = "login"; ownDevices = true; allowNullPassword = true;
limits = config.security.pam.loginLimits;
}
];
security.setuidPrograms = [ "passwd" "chfn" "su" ];
};
}
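Review bot: The comment on the `/etc/login.defs` entry still says `global configuration for pwdutils` even though this commit replaces pwdutils with shadow, so the first thing a reader sees is now wrong; `# /etc/login.defs: global configuration for shadow (login, useradd, ...). You cannot login without it!` would match the new code. The `login` PAM service entry sets `allowNullPassword = true` with no explanation, and since that setting permits console logins for accounts with an empty password it deserves a why-comment on the line, e.g. `# allowNullPassword: permits login for accounts without a password (needed for the installer/default setup) — review before hardening`, hedged here because the reason is not visible in the hunk and the entry may have been moved verbatim from another module. The `su` entry combining `rootOK = true` and `forwardXAuth = true` would benefit from the same one-line justification so the next person touching this list knows which flags are deliberate.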