public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Use the shadow' package instead of pwdutils', `pam_login' and

Browse Source 
`su'.
* The `usermod' from `shadow' allows setting a supplementary group
  equal to the user's primary group, so the special hack for the
  `nixbld' group is no longer needed.
* Removed /etc/default/passwd since it's not used by the new passwd.
  The hash is configured in pam_unix.
* Move some values for `security.setuidPrograms' and
  `security.pam.services' to the appropriate modules.

svn path=/nixos/trunk/; revision=22107
This commit is contained in:
Eelco Dolstra 2010-06-02 21:10:48 +00:00
parent 876954d15d
commit c089738bdc
12 changed files with 71 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
modules/config/system-path.nix
View File

@ -44,12 +44,10 @@ let
pkgs.pciutils pkgs.pciutils
pkgs.perl pkgs.perl
pkgs.procps pkgs.procps
pkgs.pwdutils
pkgs.reiserfsprogs pkgs.reiserfsprogs
pkgs.rsync pkgs.rsync
pkgs.seccure pkgs.seccure
pkgs.strace pkgs.strace
pkgs.su
pkgs.sysklogd pkgs.sysklogd
pkgs.sysvtools pkgs.sysvtools
pkgs.time pkgs.time

25
modules/config/users-groups.nix
View File

@ -173,16 +173,16 @@ in
if ! curEnt=$(getent passwd "$name"); then if ! curEnt=$(getent passwd "$name"); then
useradd --system \ useradd --system \
"$name" \
--comment "$description" \ --comment "$description" \
''${uid:+--uid $uid} \ ''${uid:+--uid $uid} \
--gid "$group" \ --gid "$group" \
--groups "$extraGroups" \ --groups "$extraGroups" \
--home "$home" \ --home "$home" \
--shell "$shell" \ --shell "$shell" \
''${createHome:+--create-home} ''${createHome:+--create-home} \
"$name"
if test "''${password:0:1}" = 'X'; then if test "''${password:0:1}" = 'X'; then
echo "''${password:1}" | ${pkgs.pwdutils}/bin/passwd --stdin "$name" echo "''${password:1}" | ${pkgs.shadow}/bin/passwd --stdin "$name"
fi fi
else else
#echo "updating user $name..." #echo "updating user $name..."
@ -196,22 +196,13 @@ in
# unnecessary warnings about logged in users. # unnecessary warnings about logged in users.
if test "$prevHome" = "$home"; then unset home; fi if test "$prevHome" = "$home"; then unset home; fi
usermod \ usermod \
"$name" \
--comment "$description" \ --comment "$description" \
''${uid:+--uid $uid} \ ''${uid:+--uid $uid} \
--gid "$group" \ --gid "$group" \
--groups "$extraGroups" \ --groups "$extraGroups" \
''${home:+--home "$home"} \ ''${home:+--home "$home"} \
--shell "$shell" --shell "$shell" \
fi "$name"
if test "$group" = nixbld; then
# As a special hack, add users that have nixbld as the
# primary group to the /etc/group entry for the nixbld
# group. `nix-store' currently expects this in order
# to get the UIDs of all the build users by doing a
# getprnam("nixbld") call.
groupmod "$group" -A "$name"
fi fi
done done
@ -227,14 +218,14 @@ in
if ! curEnt=$(getent group "$name"); then if ! curEnt=$(getent group "$name"); then
groupadd --system \ groupadd --system \
"$name" \ ''${gid:+--gid $gid} \
''${gid:+--gid $gid} "$name"
else else
#echo "updating group $name..." #echo "updating group $name..."
oldIFS="$IFS"; IFS=:; set -- $curEnt; IFS="$oldIFS" oldIFS="$IFS"; IFS=:; set -- $curEnt; IFS="$oldIFS"
prevGid=$3 prevGid=$3
if test -n "$gid" -a "$prevGid" != "$gid"; then if test -n "$gid" -a "$prevGid" != "$gid"; then
groupmod "$name" --gid $gid groupmod --gid $gid "$name"
fi fi
fi fi
done <<EndOfGroupList done <<EndOfGroupList

8
modules/programs/pwdutils/login.defs
View File

@ -1,12 +1,12 @@
DEFAULT_HOME yes DEFAULT_HOME yes
SYSTEM_UID_MIN 100 SYS_UID_MIN 100
SYSTEM_UID_MAX 499 SYS_UID_MAX 499
UID_MIN 1000 UID_MIN 1000
UID_MAX 29999 UID_MAX 29999
SYSTEM_GID_MIN 100 SYS_GID_MIN 100
SYSTEM_GID_MAX 499 SYS_GID_MAX 499
GID_MIN 1000 GID_MIN 1000
GID_MAX 29999 GID_MAX 29999

15
modules/programs/pwdutils/passwd.conf
View File

@ -1,15 +0,0 @@
# Define default crypt hash
# CRYPT={des,md5,blowfish}
CRYPT=des
# for local files, use a more secure hash. We
# don't need to be portable here:
CRYPT_FILES=@filesCipher@
# sometimes we need to specify special options for
# a hash (variable is prepended by the name of the
# crypt hash).
BLOWFISH_CRYPT_FILES=10
# For NIS, we should always use DES:
CRYPT_YP=des

52
modules/programs/pwdutils/pwdutils.nix
View File

@ -4,6 +4,12 @@
let let
in
{
###### interface
options = { options = {
users.defaultUserShell = pkgs.lib.mkOption { users.defaultUserShell = pkgs.lib.mkOption {
@ -19,10 +25,12 @@ let
}; };
in
{ ###### implementation
require = [options];
config = {
environment.systemPackages = [ pkgs.shadow ];
environment.etc = environment.etc =
[ { # /etc/login.defs: global configuration for pwdutils. You [ { # /etc/login.defs: global configuration for pwdutils. You
@ -31,19 +39,6 @@ in
target = "login.defs"; target = "login.defs";
} }
{ # /etc/default/passwd: configuration for passwd and friends
# (e.g., hash algorithm for /etc/passwd).
source = pkgs.substituteAll {
src = ./passwd.conf;
# This depends on pam_unix2 being built with libxcrypt or libc's libcrypt.
# Only in the first case it will understand 'blowfish'. And pam_unix2
# is not built with libxcrypt at the time of writing (it did not build)
filesCipher = if (pkgs.stdenv.system == "armv5tel-linux") then
"des" else "blowfish";
};
target = "default/passwd";
}
{ # /etc/default/useradd: configuration for useradd. { # /etc/default/useradd: configuration for useradd.
source = pkgs.writeText "useradd" source = pkgs.writeText "useradd"
'' ''
@ -54,4 +49,29 @@ in
target = "default/useradd"; target = "default/useradd";
} }
]; ];
security.pam.services =
[ { name = "chsh"; rootOK = true; }
{ name = "chfn"; rootOK = true; }
{ name = "su"; rootOK = true; forwardXAuth = true; }
{ name = "passwd"; }
# Note: useradd, groupadd etc. aren't setuid root, so it
# doesn't really matter what the PAM config says as long as it
# lets root in.
{ name = "useradd"; rootOK = true; }
{ name = "usermod"; rootOK = true; }
{ name = "userdel"; rootOK = true; }
{ name = "groupadd"; rootOK = true; }
{ name = "groupmod"; rootOK = true; }
{ name = "groupmems"; rootOK = true; }
{ name = "groupdel"; rootOK = true; }
{ name = "login"; ownDevices = true; allowNullPassword = true;
limits = config.security.pam.loginLimits;
}
];
security.setuidPrograms = [ "passwd" "chfn" "su" ];
};
} }

13
modules/security/pam.nix
View File

@ -199,22 +199,9 @@ in
{ name = "ejabberd"; } { name = "ejabberd"; }
{ name = "ftp"; } { name = "ftp"; }
{ name = "lshd"; } { name = "lshd"; }
{ name = "passwd"; }
{ name = "samba"; } { name = "samba"; }
{ name = "sshd"; } { name = "sshd"; }
{ name = "xlock"; } { name = "xlock"; }
{ name = "chsh"; rootOK = true; }
{ name = "chfn"; rootOK = true; }
{ name = "su"; rootOK = true; forwardXAuth = true; }
# Note: useradd, groupadd etc. aren't setuid root, so it
# doesn't really matter what the PAM config says as long as it
# lets root in.
{ name = "useradd"; rootOK = true; }
# Used by groupadd etc.
{ name = "shadow"; rootOK = true; }
{ name = "login"; ownDevices = true; allowNullPassword = true;
limits = config.security.pam.loginLimits;
}
]; ];
}; };

4
modules/security/setuid-wrappers.nix
View File

@ -74,9 +74,7 @@ in
config = { config = {
security.setuidPrograms = security.setuidPrograms =
[ "passwd" "chfn" "su" "crontab" "ping" "ping6" [ "crontab" "fusermount" "wodim" "cdrdao" "growisofs" ];
"fusermount" "wodim" "cdrdao" "growisofs"
];
system.activationScripts.setuid = system.activationScripts.setuid =
let let

4
modules/services/misc/nix-daemon.nix
View File

@ -12,10 +12,10 @@ let
/* For consistency with the setgid(2), setuid(2), and setgroups(2) /* For consistency with the setgid(2), setuid(2), and setgroups(2)
calls in `libstore/build.cc', don't add any supplementary group calls in `libstore/build.cc', don't add any supplementary group
here. */ here except "nixbld". */
uid = builtins.add config.ids.uids.nixbld nr; uid = builtins.add config.ids.uids.nixbld nr;
group = "nixbld"; group = "nixbld";
extraGroups = []; extraGroups = [ "nixbld" ];
}; };
in in

2
modules/services/ttys/mingetty.nix
View File

@ -57,7 +57,7 @@ with pkgs.lib;
startOn = "started udev"; startOn = "started udev";
exec = "${pkgs.mingetty}/sbin/mingetty --loginprog=${pkgs.pam_login}/bin/login --noclear ${tty}"; exec = "${pkgs.mingetty}/sbin/mingetty --loginprog=${pkgs.shadow}/bin/login --noclear ${tty}";
}) config.services.mingetty.ttys); }) config.services.mingetty.ttys);

2
modules/system/activation/activation-script.nix
View File

@ -28,7 +28,7 @@ let
let path = [ let path = [
pkgs.coreutils pkgs.gnugrep pkgs.findutils pkgs.coreutils pkgs.gnugrep pkgs.findutils
pkgs.glibc # needed for getent pkgs.glibc # needed for getent
pkgs.pwdutils pkgs.shadow
pkgs.nettools # needed for hostname pkgs.nettools # needed for hostname
]; in noDepEntry '' ]; in noDepEntry ''
export PATH=/empty export PATH=/empty

2
modules/system/upstart-events/shutdown.nix
View File

@ -54,7 +54,7 @@ with pkgs.lib;
echo "" echo ""
echo "<<< Maintenance shell >>>" echo "<<< Maintenance shell >>>"
echo "" echo ""
${pkgs.pam_login}/bin/login root ${pkgs.shadow}/bin/login root
initctl emit -n startup initctl emit -n startup
exit 0 exit 0
fi fi

2
modules/tasks/network-interfaces.nix
View File

@ -143,6 +143,8 @@ in
pkgs.rfkill pkgs.rfkill
]; ];
security.setuidPrograms = [ "ping" "ping6" ];
jobs.networkInterfaces = jobs.networkInterfaces =
{ name = "network-interfaces"; { name = "network-interfaces";