pyrox.dev / nixpkgs
lol
fork atom

nixos/pam: convert rules to attrs, add order field

Makes it possible to override properties of a rule by name. Introduces
an 'order' field that can be overridden to change the sequence of rules.

For now, the order value for each built-in rule is derived from its
place in the hardcoded list of rules.

Majiir Paktu 077cdcc7 e86487e5

options
unified split
Changed files
+43 -7
nixos
modules
security
pam.nix
+43 -7
nixos/modules/security/pam.nix 
···

       
11

       
 

       
    # These options are experimental and subject to breaking changes without notice.


     

       
12

       
 

       
    description = lib.mdDoc ''


     

       
13

       
 

       
      PAM `${type}` rules for this service.


     

       

       

       
     

       

       

       
     

       
14

       
 

       
    '';


     

       
15

       
-

       
    type = types.listOf (types.submodule ({ config, ... }: {


     

       
16

       
 

       
      options = {


     

       
17

       
 

       
        name = mkOption {


     

       
18

       
 

       
          type = types.str;


     

       
19

       
 

       
          description = lib.mdDoc ''


     

       
20

       
 

       
            Name of this rule.


     

       
21

       
 

       
          '';


     

       

       

       
     

       

       

       
     

       
22

       
 

       
        };


     

       
23

       
 

       
        enable = mkOption {


     

       
24

       
 

       
          type = types.bool;


     
···

       
27

       
 

       
            Whether this rule is added to the PAM service config file.


     

       
28

       
 

       
          '';


     

       
29

       
 

       
        };


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
30

       
 

       
        control = mkOption {


     

       
31

       
 

       
          type = types.str;


     

       
32

       
 

       
          description = lib.mdDoc ''


     
···

       
60

       
 

       
        };


     

       
61

       
 

       
      };


     

       
62

       
 

       
      config = {


     

       

       

       
     

       
63

       
 

       
        # Formats an attrset of settings as args for use as `module-arguments`.


     

       
64

       
 

       
        args = concatLists (flip mapAttrsToList config.settings (name: value:


     

       
65

       
 

       
          if isBool value


     
···

       
557

       
 

       
      limits = mkDefault config.security.pam.loginLimits;


     

       
558

       
 

       



     

       
559

       
 

       
      text = let


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
560

       
 

       
        # Formats a string for use in `module-arguments`. See `man pam.conf`.


     

       
561

       
 

       
        formatModuleArgument = token:


     

       
562

       
 

       
          if hasInfix " " token


     

       
563

       
 

       
          then "[${replaceStrings ["]"] ["\\]"] token}]"


     

       
564

       
 

       
          else token;


     

       
565

       
 

       
        formatRules = type: pipe cfg.rules.${type} [


     

       

       

       
     

       
566

       
 

       
          (filter (rule: rule.enable))


     

       

       

       
     

       

       

       
     

       
567

       
 

       
          (map (rule: concatStringsSep " " (


     

       
568

       
 

       
            [ type rule.control rule.modulePath ]


     

       
569

       
 

       
            ++ map formatModuleArgument rule.args


     
···

       
587

       
 

       
      # !!! TODO: move the LDAP stuff to the LDAP module, and the


     

       
588

       
 

       
      # Samba stuff to the Samba module.  This requires that the PAM


     

       
589

       
 

       
      # module provides the right hooks.


     

       
590

       
-

       
      rules = {


     

       
591

       
-

       
        account = [


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
592

       
 

       
          { name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; }


     

       
593

       
 

       
          { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {


     

       
594

       
 

       
            config_file = "/etc/security/pam_mysql.conf";


     
···

       
607

       
 

       
          { name = "unix"; control = "required"; modulePath = "pam_unix.so"; }


     

       
608

       
 

       
        ];


     

       
609

       
 

       



     

       
610

       
-

       
        auth = [


     

       
611

       
 

       
          { name = "oslogin_login"; enable = cfg.googleOsLoginAuthentication; control = "[success=done perm_denied=die default=ignore]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so"; }


     

       
612

       
 

       
          { name = "rootok"; enable = cfg.rootOK; control = "sufficient"; modulePath = "pam_rootok.so"; }


     

       
613

       
 

       
          { name = "wheel"; enable = cfg.requireWheel; control = "required"; modulePath = "pam_wheel.so"; settings = {


     
···

       
730

       
 

       
            use_first_pass = true;


     

       
731

       
 

       
          }; }


     

       
732

       
 

       
          { name = "deny"; control = "required"; modulePath = "pam_deny.so"; }


     

       
733

       
-

       
        ];


     

       
734

       
 

       



     

       
735

       
-

       
        password = [


     

       
736

       
 

       
          { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }


     

       
737

       
 

       
          { name = "unix"; control = "sufficient"; modulePath = "pam_unix.so"; settings = {


     

       
738

       
 

       
            nullok = true;


     
···

       
758

       
 

       
          }; }


     

       
759

       
 

       
        ];


     

       
760

       
 

       



     

       
761

       
-

       
        session = [


     

       
762

       
 

       
          { name = "env"; enable = cfg.setEnvironment; control = "required"; modulePath = "pam_env.so"; settings = {


     

       
763

       
 

       
            conffile = "/etc/pam/environment";


     

       
764

       
 

       
            readenv = 0;


     
···

       
11

       
 

       
    # These options are experimental and subject to breaking changes without notice.


     

       
12

       
 

       
    description = lib.mdDoc ''


     

       
13

       
 

       
      PAM `${type}` rules for this service.


     

       
14

       
+

       



     

       
15

       
+

       
      Attribute keys are the name of each rule.


     

       
16

       
 

       
    '';


     

       
17

       
+

       
    type = types.attrsOf (types.submodule ({ name, config, ... }: {


     

       
18

       
 

       
      options = {


     

       
19

       
 

       
        name = mkOption {


     

       
20

       
 

       
          type = types.str;


     

       
21

       
 

       
          description = lib.mdDoc ''


     

       
22

       
 

       
            Name of this rule.


     

       
23

       
 

       
          '';


     

       
24

       
+

       
          internal = true;


     

       
25

       
+

       
          readOnly = true;


     

       
26

       
 

       
        };


     

       
27

       
 

       
        enable = mkOption {


     

       
28

       
 

       
          type = types.bool;


     
···

       
31

       
 

       
            Whether this rule is added to the PAM service config file.


     

       
32

       
 

       
          '';


     

       
33

       
 

       
        };


     

       
34

       
+

       
        order = mkOption {


     

       
35

       
+

       
          type = types.int;


     

       
36

       
+

       
          description = lib.mdDoc ''


     

       
37

       
+

       
            Order of this rule in the service file. Rules are arranged in ascending order of this value.


     

       
38

       
+

       



     

       
39

       
+

       
            ::: {.warning}


     

       
40

       
+

       
            The `order` values for the built-in rules are subject to change. If you assign a constant value to this option, a system update could silently reorder your rule. You could be locked out of your system, or your system could be left wide open. When using this option, set it to a relative offset from another rule's `order` value:


     

       
41

       
+

       



     

       
42

       
+

       
            ```nix


     

       
43

       
+

       
            {


     

       
44

       
+

       
              security.pam.services.login.rules.auth.foo.order =


     

       
45

       
+

       
                config.security.pam.services.login.rules.auth.unix.order + 10;


     

       
46

       
+

       
            }


     

       
47

       
+

       
            ```


     

       
48

       
+

       
            :::


     

       
49

       
+

       
          '';


     

       
50

       
+

       
        };


     

       
51

       
 

       
        control = mkOption {


     

       
52

       
 

       
          type = types.str;


     

       
53

       
 

       
          description = lib.mdDoc ''


     
···

       
81

       
 

       
        };


     

       
82

       
 

       
      };


     

       
83

       
 

       
      config = {


     

       
84

       
+

       
        inherit name;


     

       
85

       
 

       
        # Formats an attrset of settings as args for use as `module-arguments`.


     

       
86

       
 

       
        args = concatLists (flip mapAttrsToList config.settings (name: value:


     

       
87

       
 

       
          if isBool value


     
···

       
579

       
 

       
      limits = mkDefault config.security.pam.loginLimits;


     

       
580

       
 

       



     

       
581

       
 

       
      text = let


     

       
582

       
+

       
        ensureUniqueOrder = type: rules:


     

       
583

       
+

       
          let


     

       
584

       
+

       
            checkPair = a: b: assert assertMsg (a.order != b.order) "security.pam.services.${name}.rules.${type}: rules '${a.name}' and '${b.name}' cannot have the same order value (${toString a.order})"; b;


     

       
585

       
+

       
            checked = zipListsWith checkPair rules (drop 1 rules);


     

       
586

       
+

       
          in take 1 rules ++ checked;


     

       
587

       
 

       
        # Formats a string for use in `module-arguments`. See `man pam.conf`.


     

       
588

       
 

       
        formatModuleArgument = token:


     

       
589

       
 

       
          if hasInfix " " token


     

       
590

       
 

       
          then "[${replaceStrings ["]"] ["\\]"] token}]"


     

       
591

       
 

       
          else token;


     

       
592

       
 

       
        formatRules = type: pipe cfg.rules.${type} [


     

       
593

       
+

       
          attrValues


     

       
594

       
 

       
          (filter (rule: rule.enable))


     

       
595

       
+

       
          (sort (a: b: a.order < b.order))


     

       
596

       
+

       
          (ensureUniqueOrder type)


     

       
597

       
 

       
          (map (rule: concatStringsSep " " (


     

       
598

       
 

       
            [ type rule.control rule.modulePath ]


     

       
599

       
 

       
            ++ map formatModuleArgument rule.args


     
···

       
617

       
 

       
      # !!! TODO: move the LDAP stuff to the LDAP module, and the


     

       
618

       
 

       
      # Samba stuff to the Samba module.  This requires that the PAM


     

       
619

       
 

       
      # module provides the right hooks.


     

       
620

       
+

       
      rules = let


     

       
621

       
+

       
        autoOrderRules = flip pipe [


     

       
622

       
+

       
          (imap1 (index: rule: rule // { order = mkDefault (10000 + index * 100); } ))


     

       
623

       
+

       
          (map (rule: nameValuePair rule.name (removeAttrs rule [ "name" ])))


     

       
624

       
+

       
          listToAttrs


     

       
625

       
+

       
        ];


     

       
626

       
+

       
      in {


     

       
627

       
+

       
        account = autoOrderRules [


     

       
628

       
 

       
          { name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; }


     

       
629

       
 

       
          { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {


     

       
630

       
 

       
            config_file = "/etc/security/pam_mysql.conf";


     
···

       
643

       
 

       
          { name = "unix"; control = "required"; modulePath = "pam_unix.so"; }


     

       
644

       
 

       
        ];


     

       
645

       
 

       



     

       
646

       
+

       
        auth = autoOrderRules ([


     

       
647

       
 

       
          { name = "oslogin_login"; enable = cfg.googleOsLoginAuthentication; control = "[success=done perm_denied=die default=ignore]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so"; }


     

       
648

       
 

       
          { name = "rootok"; enable = cfg.rootOK; control = "sufficient"; modulePath = "pam_rootok.so"; }


     

       
649

       
 

       
          { name = "wheel"; enable = cfg.requireWheel; control = "required"; modulePath = "pam_wheel.so"; settings = {


     
···

       
766

       
 

       
            use_first_pass = true;


     

       
767

       
 

       
          }; }


     

       
768

       
 

       
          { name = "deny"; control = "required"; modulePath = "pam_deny.so"; }


     

       
769

       
+

       
        ]);


     

       
770

       
 

       



     

       
771

       
+

       
        password = autoOrderRules [


     

       
772

       
 

       
          { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }


     

       
773

       
 

       
          { name = "unix"; control = "sufficient"; modulePath = "pam_unix.so"; settings = {


     

       
774

       
 

       
            nullok = true;


     
···

       
794

       
 

       
          }; }


     

       
795

       
 

       
        ];


     

       
796

       
 

       



     

       
797

       
+

       
        session = autoOrderRules [


     

       
798

       
 

       
          { name = "env"; enable = cfg.setEnvironment; control = "required"; modulePath = "pam_env.so"; settings = {


     

       
799

       
 

       
            conffile = "/etc/pam/environment";


     

       
800

       
 

       
            readenv = 0;