pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / programs / shadow.nix
at 24.11-pre 8.5 kB view raw
1# Configuration for the pwdutils suite of tools: passwd, useradd, etc. 2{ config, lib, utils, pkgs, ... }: 3let 4 cfg = config.security.loginDefs; 5in 6{ 7 options = with lib.types; { 8 security.loginDefs = { 9 package = lib.mkPackageOption pkgs "shadow" { }; 10 11 chfnRestrict = lib.mkOption { 12 description = '' 13 Use chfn SUID to allow non-root users to change their account GECOS information. 14 ''; 15 type = nullOr str; 16 default = null; 17 }; 18 19 settings = lib.mkOption { 20 description = '' 21 Config options for the /etc/login.defs file, that defines 22 the site-specific configuration for the shadow password suite. 23 See login.defs(5) man page for available options. 24 ''; 25 type = submodule { 26 freeformType = (pkgs.formats.keyValue { }).type; 27 /* There are three different sources for user/group id ranges, each of which gets 28 used by different programs: 29 - The login.defs file, used by the useradd, groupadd and newusers commands 30 - The update-users-groups.pl file, used by NixOS in the activation phase to 31 decide on which ids to use for declaratively defined users without a static 32 id 33 - Systemd compile time options -Dsystem-uid-max= and -Dsystem-gid-max=, used 34 by systemd for features like ConditionUser=@system and systemd-sysusers 35 */ 36 options = { 37 DEFAULT_HOME = lib.mkOption { 38 description = "Indicate if login is allowed if we can't cd to the home directory."; 39 default = "yes"; 40 type = enum [ "yes" "no" ]; 41 }; 42 43 ENCRYPT_METHOD = lib.mkOption { 44 description = "This defines the system default encryption algorithm for encrypting passwords."; 45 # The default crypt() method, keep in sync with the PAM default 46 default = "YESCRYPT"; 47 type = enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"]; 48 }; 49 50 SYS_UID_MIN = lib.mkOption { 51 description = "Range of user IDs used for the creation of system users by useradd or newusers."; 52 default = 400; 53 type = int; 54 }; 55 56 SYS_UID_MAX = lib.mkOption { 57 description = "Range of user IDs used for the creation of system users by useradd or newusers."; 58 default = 999; 59 type = int; 60 }; 61 62 UID_MIN = lib.mkOption { 63 description = "Range of user IDs used for the creation of regular users by useradd or newusers."; 64 default = 1000; 65 type = int; 66 }; 67 68 UID_MAX = lib.mkOption { 69 description = "Range of user IDs used for the creation of regular users by useradd or newusers."; 70 default = 29999; 71 type = int; 72 }; 73 74 SYS_GID_MIN = lib.mkOption { 75 description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers"; 76 default = 400; 77 type = int; 78 }; 79 80 SYS_GID_MAX = lib.mkOption { 81 description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers"; 82 default = 999; 83 type = int; 84 }; 85 86 GID_MIN = lib.mkOption { 87 description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers."; 88 default = 1000; 89 type = int; 90 }; 91 92 GID_MAX = lib.mkOption { 93 description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers."; 94 default = 29999; 95 type = int; 96 }; 97 98 TTYGROUP = lib.mkOption { 99 description = '' 100 The terminal permissions: the login tty will be owned by the TTYGROUP group, 101 and the permissions will be set to TTYPERM''; 102 default = "tty"; 103 type = str; 104 }; 105 106 TTYPERM = lib.mkOption { 107 description = '' 108 The terminal permissions: the login tty will be owned by the TTYGROUP group, 109 and the permissions will be set to TTYPERM''; 110 default = "0620"; 111 type = str; 112 }; 113 114 # Ensure privacy for newly created home directories. 115 UMASK = lib.mkOption { 116 description = "The file mode creation mask is initialized to this value."; 117 default = "077"; 118 type = str; 119 }; 120 }; 121 }; 122 default = { }; 123 }; 124 }; 125 126 users.defaultUserShell = lib.mkOption { 127 description = '' 128 This option defines the default shell assigned to user 129 accounts. This can be either a full system path or a shell package. 130 131 This must not be a store path, since the path is 132 used outside the store (in particular in /etc/passwd). 133 ''; 134 example = lib.literalExpression "pkgs.zsh"; 135 type = either path shellPackage; 136 }; 137 }; 138 139 ###### implementation 140 141 config = { 142 assertions = [ 143 { 144 assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX; 145 message = "SYS_UID_MIN must be less than or equal to SYS_UID_MAX"; 146 } 147 { 148 assertion = cfg.settings.UID_MIN <= cfg.settings.UID_MAX; 149 message = "UID_MIN must be less than or equal to UID_MAX"; 150 } 151 { 152 assertion = cfg.settings.SYS_GID_MIN <= cfg.settings.SYS_GID_MAX; 153 message = "SYS_GID_MIN must be less than or equal to SYS_GID_MAX"; 154 } 155 { 156 assertion = cfg.settings.GID_MIN <= cfg.settings.GID_MAX; 157 message = "GID_MIN must be less than or equal to GID_MAX"; 158 } 159 ]; 160 161 security.loginDefs.settings.CHFN_RESTRICT = 162 lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict; 163 164 environment.systemPackages = lib.optional config.users.mutableUsers cfg.package 165 ++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell 166 ++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux; 167 168 environment.etc = 169 # Create custom toKeyValue generator 170 # see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification 171 let 172 toKeyValue = lib.generators.toKeyValue { 173 mkKeyValue = lib.generators.mkKeyValueDefault { } " "; 174 }; 175 in 176 { 177 # /etc/login.defs: global configuration for pwdutils. 178 # You cannot login without it! 179 "login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings); 180 181 # /etc/default/useradd: configuration for useradd. 182 "default/useradd".source = pkgs.writeText "useradd" '' 183 GROUP=100 184 HOME=/home 185 SHELL=${utils.toShellPath config.users.defaultUserShell} 186 ''; 187 }; 188 189 security.pam.services = { 190 chsh = { rootOK = true; }; 191 chfn = { rootOK = true; }; 192 su = { 193 rootOK = true; 194 forwardXAuth = true; 195 logFailures = true; 196 }; 197 passwd = { }; 198 # Note: useradd, groupadd etc. aren't setuid root, so it 199 # doesn't really matter what the PAM config says as long as it 200 # lets root in. 201 useradd.rootOK = true; 202 usermod.rootOK = true; 203 userdel.rootOK = true; 204 groupadd.rootOK = true; 205 groupmod.rootOK = true; 206 groupmems.rootOK = true; 207 groupdel.rootOK = true; 208 login = { 209 startSession = true; 210 allowNullPassword = true; 211 showMotd = true; 212 updateWtmp = true; 213 }; 214 chpasswd = { rootOK = true; }; 215 }; 216 217 security.wrappers = 218 let 219 mkSetuidRoot = source: { 220 setuid = true; 221 owner = "root"; 222 group = "root"; 223 inherit source; 224 }; 225 in 226 { 227 su = mkSetuidRoot "${cfg.package.su}/bin/su"; 228 sg = mkSetuidRoot "${cfg.package.out}/bin/sg"; 229 newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp"; 230 newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap"; 231 newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap"; 232 } 233 // lib.optionalAttrs config.users.mutableUsers { 234 chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh"; 235 passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd"; 236 }; 237 }; 238}