pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / programs / shadow.nix
at 23.11-pre 4.0 kB view raw
1# Configuration for the pwdutils suite of tools: passwd, useradd, etc. 2 3{ config, lib, utils, pkgs, ... }: 4 5with lib; 6 7let 8 9 /* 10 There are three different sources for user/group id ranges, each of which gets 11 used by different programs: 12 - The login.defs file, used by the useradd, groupadd and newusers commands 13 - The update-users-groups.pl file, used by NixOS in the activation phase to 14 decide on which ids to use for declaratively defined users without a static 15 id 16 - Systemd compile time options -Dsystem-uid-max= and -Dsystem-gid-max=, used 17 by systemd for features like ConditionUser=@system and systemd-sysusers 18 */ 19 loginDefs = 20 '' 21 DEFAULT_HOME yes 22 23 SYS_UID_MIN 400 24 SYS_UID_MAX 999 25 UID_MIN 1000 26 UID_MAX 29999 27 28 SYS_GID_MIN 400 29 SYS_GID_MAX 999 30 GID_MIN 1000 31 GID_MAX 29999 32 33 TTYGROUP tty 34 TTYPERM 0620 35 36 # Ensure privacy for newly created home directories. 37 UMASK 077 38 39 # Uncomment this and install chfn SUID to allow non-root 40 # users to change their account GECOS information. 41 # This should be made configurable. 42 #CHFN_RESTRICT frwh 43 44 # The default crypt() method, keep in sync with the PAM default 45 ENCRYPT_METHOD YESCRYPT 46 ''; 47 48 mkSetuidRoot = source: 49 { setuid = true; 50 owner = "root"; 51 group = "root"; 52 inherit source; 53 }; 54 55in 56 57{ 58 59 ###### interface 60 61 options = { 62 63 users.defaultUserShell = lib.mkOption { 64 description = lib.mdDoc '' 65 This option defines the default shell assigned to user 66 accounts. This can be either a full system path or a shell package. 67 68 This must not be a store path, since the path is 69 used outside the store (in particular in /etc/passwd). 70 ''; 71 example = literalExpression "pkgs.zsh"; 72 type = types.either types.path types.shellPackage; 73 }; 74 75 }; 76 77 78 ###### implementation 79 80 config = { 81 82 environment.systemPackages = 83 lib.optional config.users.mutableUsers pkgs.shadow ++ 84 lib.optional (types.shellPackage.check config.users.defaultUserShell) 85 config.users.defaultUserShell; 86 87 environment.etc = 88 { # /etc/login.defs: global configuration for pwdutils. You 89 # cannot login without it! 90 "login.defs".source = pkgs.writeText "login.defs" loginDefs; 91 92 # /etc/default/useradd: configuration for useradd. 93 "default/useradd".source = pkgs.writeText "useradd" 94 '' 95 GROUP=100 96 HOME=/home 97 SHELL=${utils.toShellPath config.users.defaultUserShell} 98 ''; 99 }; 100 101 security.pam.services = 102 { chsh = { rootOK = true; }; 103 chfn = { rootOK = true; }; 104 su = { rootOK = true; forwardXAuth = true; logFailures = true; }; 105 passwd = {}; 106 # Note: useradd, groupadd etc. aren't setuid root, so it 107 # doesn't really matter what the PAM config says as long as it 108 # lets root in. 109 useradd = { rootOK = true; }; 110 usermod = { rootOK = true; }; 111 userdel = { rootOK = true; }; 112 groupadd = { rootOK = true; }; 113 groupmod = { rootOK = true; }; 114 groupmems = { rootOK = true; }; 115 groupdel = { rootOK = true; }; 116 login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; }; 117 chpasswd = { rootOK = true; }; 118 }; 119 120 security.wrappers = { 121 su = mkSetuidRoot "${pkgs.shadow.su}/bin/su"; 122 sg = mkSetuidRoot "${pkgs.shadow.out}/bin/sg"; 123 newgrp = mkSetuidRoot "${pkgs.shadow.out}/bin/newgrp"; 124 newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap"; 125 newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap"; 126 } // lib.optionalAttrs config.users.mutableUsers { 127 chsh = mkSetuidRoot "${pkgs.shadow.out}/bin/chsh"; 128 passwd = mkSetuidRoot "${pkgs.shadow.out}/bin/passwd"; 129 }; 130 }; 131}