pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / programs / shadow.nix
at 25.11-pre 9.7 kB view raw
1# Configuration for the pwdutils suite of tools: passwd, useradd, etc. 2{ 3 config, 4 lib, 5 utils, 6 pkgs, 7 ... 8}: 9let 10 cfg = config.security.loginDefs; 11in 12{ 13 options = { 14 15 security.shadow.enable = lib.mkEnableOption "" // { 16 default = true; 17 description = '' 18 Enable the shadow authentication suite, which provides critical programs such as su, login, passwd. 19 20 Note: This is currently experimental. Only disable this if you're 21 confident that you can recover your system if it breaks. 22 ''; 23 }; 24 25 security.loginDefs = { 26 package = lib.mkPackageOption pkgs "shadow" { }; 27 28 chfnRestrict = lib.mkOption { 29 description = '' 30 Use chfn SUID to allow non-root users to change their account GECOS information. 31 ''; 32 type = lib.types.nullOr lib.types.str; 33 default = null; 34 }; 35 36 settings = lib.mkOption { 37 description = '' 38 Config options for the /etc/login.defs file, that defines 39 the site-specific configuration for the shadow password suite. 40 See {manpage}`login.defs(5)` man page for available options. 41 ''; 42 type = lib.types.submodule { 43 freeformType = (pkgs.formats.keyValue { }).type; 44 /* 45 There are three different sources for user/group id ranges, each of which gets 46 used by different programs: 47 - The login.defs file, used by the useradd, groupadd and newusers commands 48 - The update-users-groups.pl file, used by NixOS in the activation phase to 49 decide on which ids to use for declaratively defined users without a static 50 id 51 - Systemd compile time options -Dsystem-uid-max= and -Dsystem-gid-max=, used 52 by systemd for features like ConditionUser=@system and systemd-sysusers 53 */ 54 options = { 55 DEFAULT_HOME = lib.mkOption { 56 description = "Indicate if login is allowed if we can't cd to the home directory."; 57 default = "yes"; 58 type = lib.types.enum [ 59 "yes" 60 "no" 61 ]; 62 }; 63 64 ENCRYPT_METHOD = lib.mkOption { 65 description = "This defines the system default encryption algorithm for encrypting passwords."; 66 # The default crypt() method, keep in sync with the PAM default 67 default = "YESCRYPT"; 68 type = lib.types.enum [ 69 "YESCRYPT" 70 "SHA512" 71 "SHA256" 72 "MD5" 73 "DES" 74 ]; 75 }; 76 77 SYS_UID_MIN = lib.mkOption { 78 description = "Range of user IDs used for the creation of system users by useradd or newusers."; 79 default = 400; 80 type = lib.types.int; 81 }; 82 83 SYS_UID_MAX = lib.mkOption { 84 description = "Range of user IDs used for the creation of system users by useradd or newusers."; 85 default = 999; 86 type = lib.types.int; 87 }; 88 89 UID_MIN = lib.mkOption { 90 description = "Range of user IDs used for the creation of regular users by useradd or newusers."; 91 default = 1000; 92 type = lib.types.int; 93 }; 94 95 UID_MAX = lib.mkOption { 96 description = "Range of user IDs used for the creation of regular users by useradd or newusers."; 97 default = 29999; 98 type = lib.types.int; 99 }; 100 101 SYS_GID_MIN = lib.mkOption { 102 description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers"; 103 default = 400; 104 type = lib.types.int; 105 }; 106 107 SYS_GID_MAX = lib.mkOption { 108 description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers"; 109 default = 999; 110 type = lib.types.int; 111 }; 112 113 GID_MIN = lib.mkOption { 114 description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers."; 115 default = 1000; 116 type = lib.types.int; 117 }; 118 119 GID_MAX = lib.mkOption { 120 description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers."; 121 default = 29999; 122 type = lib.types.int; 123 }; 124 125 TTYGROUP = lib.mkOption { 126 description = '' 127 The terminal permissions: the login tty will be owned by the TTYGROUP group, 128 and the permissions will be set to TTYPERM''; 129 default = "tty"; 130 type = lib.types.str; 131 }; 132 133 TTYPERM = lib.mkOption { 134 description = '' 135 The terminal permissions: the login tty will be owned by the TTYGROUP group, 136 and the permissions will be set to TTYPERM''; 137 default = "0620"; 138 type = lib.types.str; 139 }; 140 141 # Ensure privacy for newly created home directories. 142 UMASK = lib.mkOption { 143 description = "The file mode creation mask is initialized to this value."; 144 default = "077"; 145 type = lib.types.str; 146 }; 147 }; 148 }; 149 default = { }; 150 }; 151 }; 152 153 users.defaultUserShell = lib.mkOption { 154 description = '' 155 This option defines the default shell assigned to user 156 accounts. This can be either a full system path or a shell package. 157 158 This must not be a store path, since the path is 159 used outside the store (in particular in /etc/passwd). 160 ''; 161 example = lib.literalExpression "pkgs.zsh"; 162 type = lib.types.either lib.types.path lib.types.shellPackage; 163 }; 164 }; 165 166 ###### implementation 167 168 config = lib.mkMerge [ 169 { 170 assertions = [ 171 { 172 assertion = config.security.shadow.enable || config.services.greetd.enable; 173 message = "You must enable at least one VT login method, either security.shadow.enable or services.greetd.enable"; 174 } 175 ]; 176 } 177 (lib.mkIf config.security.shadow.enable { 178 assertions = [ 179 { 180 assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX; 181 message = "SYS_UID_MIN must be less than or equal to SYS_UID_MAX"; 182 } 183 { 184 assertion = cfg.settings.UID_MIN <= cfg.settings.UID_MAX; 185 message = "UID_MIN must be less than or equal to UID_MAX"; 186 } 187 { 188 assertion = cfg.settings.SYS_GID_MIN <= cfg.settings.SYS_GID_MAX; 189 message = "SYS_GID_MIN must be less than or equal to SYS_GID_MAX"; 190 } 191 { 192 assertion = cfg.settings.GID_MIN <= cfg.settings.GID_MAX; 193 message = "GID_MIN must be less than or equal to GID_MAX"; 194 } 195 ]; 196 197 security.loginDefs.settings.CHFN_RESTRICT = lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict; 198 199 environment.systemPackages = 200 lib.optional config.users.mutableUsers cfg.package 201 ++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell 202 ++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux; 203 204 environment.etc = 205 # Create custom toKeyValue generator 206 # see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification 207 let 208 toKeyValue = lib.generators.toKeyValue { 209 mkKeyValue = lib.generators.mkKeyValueDefault { } " "; 210 }; 211 in 212 { 213 # /etc/login.defs: global configuration for pwdutils. 214 # You cannot login without it! 215 "login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings); 216 217 # /etc/default/useradd: configuration for useradd. 218 "default/useradd".source = pkgs.writeText "useradd" '' 219 GROUP=100 220 HOME=/home 221 SHELL=${utils.toShellPath config.users.defaultUserShell} 222 ''; 223 }; 224 225 security.pam.services = { 226 chsh.rootOK = true; 227 chfn.rootOK = true; 228 su = { 229 rootOK = true; 230 forwardXAuth = true; 231 logFailures = true; 232 }; 233 passwd = { }; 234 # Note: useradd, groupadd etc. aren't setuid root, so it 235 # doesn't really matter what the PAM config says as long as it 236 # lets root in. 237 useradd.rootOK = true; 238 usermod.rootOK = true; 239 userdel.rootOK = true; 240 groupadd.rootOK = true; 241 groupmod.rootOK = true; 242 groupmems.rootOK = true; 243 groupdel.rootOK = true; 244 login = { 245 startSession = true; 246 allowNullPassword = true; 247 showMotd = true; 248 updateWtmp = true; 249 }; 250 chpasswd.rootOK = true; 251 }; 252 253 security.wrappers = 254 let 255 mkSetuidRoot = source: { 256 setuid = true; 257 owner = "root"; 258 group = "root"; 259 inherit source; 260 }; 261 in 262 { 263 su = mkSetuidRoot "${cfg.package.su}/bin/su"; 264 sg = mkSetuidRoot "${cfg.package.out}/bin/sg"; 265 newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp"; 266 newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap"; 267 newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap"; 268 } 269 // lib.optionalAttrs config.users.mutableUsers { 270 chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh"; 271 passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd"; 272 }; 273 }) 274 ]; 275}