commit bfa0bff64474a528eb06a7f9e0a9f53f1b41af45 · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

nixos/update-users-groups: let hashedPassword take precedence over initialHashedPassword

Without this change, users that have both `initialHashedPassword` and
`hashedPassword` set will have `initialHashedPassword` take precedence,
but only for the first time `/etc/passwd` is generated. After that,
`hashedPassword` takes precedence. This is surprising behavior as it
would generally be expected for `hashedPassword` to win if both are set.

This wouldn't be a noticeable problem (and an assert could just be made
instead) if the users-groups module did not default the
`root.intialHashedPassword` value to `!`, to prevent login by default.
That means that users who set `root.hashedPassword` and use an ephemeral
rootfs (i.e. `/etc/passwd` is created every boot) are not able to log in
to the root account by default, unless they switch to a new generation
during the same boot (i.e. `/etc/passwd` already exists and
`hashedPassword` is used instead of `initialHashedPassword`) or they set
`root.initialHashedPassword = null` (which is unintuitive and seems
redundant).

Lily Foster 3 years ago bfa0bff6 2b268bac

options

unified split

Changed files

+6 -4

nixos

modules

config

update-users-groups.pl

+6 -4

nixos/modules/config/update-users-groups.pl

···

       215
       215
        
           } else {

     

       216
       216
        
               $u->{uid} = allocUid($name, $u->{isSystemUser}) if !defined $u->{uid};

     

       217
       217
        
       

     

       218
       218
       -
               if (defined $u->{initialPassword}) {

     

       219
       219
       -
                   $u->{hashedPassword} = hashPassword($u->{initialPassword});

     

       220
       220
       -
               } elsif (defined $u->{initialHashedPassword}) {

     

       221
       221
       -
                   $u->{hashedPassword} = $u->{initialHashedPassword};

     

       218
       218
       +
               if (!defined $u->{hashedPassword}) {

     

       219
       219
       +
                   if (defined $u->{initialPassword}) {

     

       220
       220
       +
                       $u->{hashedPassword} = hashPassword($u->{initialPassword});

     

       221
       221
       +
                   } elsif (defined $u->{initialHashedPassword}) {

     

       222
       222
       +
                       $u->{hashedPassword} = $u->{initialHashedPassword};

     

       223
       223
       +
                   }

     

       222
       224
        
               }

     

       223
       225
        
           }

     

       224
       226