pyrox.dev / nixpkgs
lol
fork atom

nixos/users-groups: don't default users.users.<name>.group to nogroup

this is unsafe, as many distinct services may be running as the same
nogroup group.

Guillaume Girol 0f15a8f4 8a2ec31e

options
unified split
Changed files
+11 -1
nixos
modules
config
users-groups.nix
+11 -1
nixos/modules/config/users-groups.nix 
···

       
123

       
123

       
 

       
      group = mkOption {


     

       
124

       
124

       
 

       
        type = types.str;


     

       
125

       
125

       
 

       
        apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x;


     

       
126

       

       
-

       
        default = "nogroup";


     

       

       
126

       
+

       
        default = "";


     

       
127

       
127

       
 

       
        description = "The user's primary group.";


     

       
128

       
128

       
 

       
      };


     

       
129

       
129

       
 

       



     
···

       
636

       
636

       
 

       
            in xor isEffectivelySystemUser user.isNormalUser;


     

       
637

       
637

       
 

       
            message = ''


     

       
638

       
638

       
 

       
              Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.


     

       

       
639

       
+

       
            '';


     

       

       
640

       
+

       
          }


     

       

       
641

       
+

       
          {


     

       

       
642

       
+

       
            assertion = user.group != "";


     

       

       
643

       
+

       
            message = ''


     

       

       
644

       
+

       
              users.users.${user.name}.group is unset. This used to default to


     

       

       
645

       
+

       
              nogroup, but this is unsafe. For example you can create a group


     

       

       
646

       
+

       
              for this user with:


     

       

       
647

       
+

       
              users.users.${user.name}.group = "${user.name}";


     

       

       
648

       
+

       
              users.groups.${user.name} = {};


     

       
639

       
649

       
 

       
            '';


     

       
640

       
650

       
 

       
          }


     

       
641

       
651

       
 

       
        ]