movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 14:10:33 +03:00
Code Activity

Merge pull request #328926 from nikstur/sysusers-only-for-sysusers

Browse source 
Sysusers only for sysusers
This commit is contained in:
nikstur 2024-07-22 20:55:58 +02:00 committed by GitHub
commit be0df72dfa
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 170 additions and 151 deletions
Download patch file Download diff file Expand all files Collapse all files

213
nixos/modules/system/boot/systemd/sysusers.nix
View file

@ -5,6 +5,8 @@ let
cfg = config.systemd.sysusers;
userCfg = config.users;
systemUsers = lib.filterAttrs (_username: opts: !opts.isNormalUser) userCfg.users;
sysusersConfig = pkgs.writeTextDir "00-nixos.conf" ''
# Type Name ID GECOS Home directory Shell
@ -16,7 +18,7 @@ let
in
''u ${username} ${uid}:${opts.group} "${opts.description}" ${opts.home} ${utils.toShellPath opts.shell}''
)
userCfg.users)
systemUsers)
}
# Groups
@ -30,32 +32,12 @@ let
}
'';
staticSysusersCredentials = pkgs.runCommand "static-sysusers-credentials" { } ''
mkdir $out; cd $out
${lib.concatLines (
(lib.mapAttrsToList
(username: opts: "echo -n '${opts.initialHashedPassword}' > 'passwd.hashed-password.${username}'")
(lib.filterAttrs (_username: opts: opts.initialHashedPassword != null) userCfg.users))
++
(lib.mapAttrsToList
(username: opts: "echo -n '${opts.initialPassword}' > 'passwd.plaintext-password.${username}'")
(lib.filterAttrs (_username: opts: opts.initialPassword != null) userCfg.users))
++
(lib.mapAttrsToList
(username: opts: "cat '${opts.hashedPasswordFile}' > 'passwd.hashed-password.${username}'")
(lib.filterAttrs (_username: opts: opts.hashedPasswordFile != null) userCfg.users))
)
}
'';
staticSysusers = pkgs.runCommand "static-sysusers"
{
nativeBuildInputs = [ pkgs.systemd ];
} ''
mkdir $out
export CREDENTIALS_DIRECTORY=${staticSysusersCredentials}
systemd-sysusers --root $out ${sysusersConfig}/00-nixos.conf
'';
immutableEtc = config.system.etc.overlay.enable && !config.system.etc.overlay.mutable;
# The location of the password files when using an immutable /etc.
immutablePasswordFilesLocation = "/var/lib/nixos/etc";
passwordFilesLocation = if immutableEtc then immutablePasswordFilesLocation else "/etc";
# The filenames created by systemd-sysusers.
passwordFiles = [ "passwd" "group" "shadow" "gshadow" ];
in
@ -90,95 +72,114 @@ in
assertion = config.users.mutableUsers -> config.system.etc.overlay.enable;
message = "config.users.mutableUsers requires config.system.etc.overlay.enable.";
}
];
systemd = lib.mkMerge [
({
# Create home directories, do not create /var/empty even if that's a user's
# home.
tmpfiles.settings.home-directories = lib.mapAttrs'
(username: opts: lib.nameValuePair opts.home {
d = {
mode = opts.homeMode;
user = username;
group = opts.group;
};
})
(lib.filterAttrs (_username: opts: opts.home != "/var/empty") userCfg.users);
# Create uid/gid marker files for those without an explicit id
tmpfiles.settings.nixos-uid = lib.mapAttrs'
(username: opts: lib.nameValuePair "/var/lib/nixos/uid/${username}" {
f = {
user = username;
};
})
(lib.filterAttrs (_username: opts: opts.uid == null) userCfg.users);
tmpfiles.settings.nixos-gid = lib.mapAttrs'
(groupname: opts: lib.nameValuePair "/var/lib/nixos/gid/${groupname}" {
f = {
group = groupname;
};
})
(lib.filterAttrs (_groupname: opts: opts.gid == null) userCfg.groups);
] ++ (lib.mapAttrsToList
(_username: opts: {
assertion = !opts.isNormalUser;
message = "systemd-sysusers doesn't create normal users. You can currently only use it to create system users.";
})
userCfg.users)
++ lib.mapAttrsToList
(username: opts: {
assertion = (opts.password == opts.initialPassword || opts.password == null) &&
(opts.hashedPassword == opts.initialHashedPassword || opts.hashedPassword == null);
message = "${username} uses password or hashedPassword. systemd-sysupdate only supports initial passwords. It'll never update your passwords.";
})
systemUsers;
(lib.mkIf config.users.mutableUsers {
additionalUpstreamSystemUnits = [
"systemd-sysusers.service"
];
systemd = {
services.systemd-sysusers = {
# Enable switch-to-configuration to restart the service.
unitConfig.ConditionNeedsUpdate = [ "" ];
requiredBy = [ "sysinit-reactivation.target" ];
before = [ "sysinit-reactivation.target" ];
restartTriggers = [ "${config.environment.etc."sysusers.d".source}" ];
serviceConfig = {
LoadCredential = lib.mapAttrsToList
(username: opts: "passwd.hashed-password.${username}:${opts.hashedPasswordFile}")
(lib.filterAttrs (_username: opts: opts.hashedPasswordFile != null) userCfg.users);
SetCredential = (lib.mapAttrsToList
(username: opts: "passwd.hashed-password.${username}:${opts.initialHashedPassword}")
(lib.filterAttrs (_username: opts: opts.initialHashedPassword != null) userCfg.users))
++
(lib.mapAttrsToList
(username: opts: "passwd.plaintext-password.${username}:${opts.initialPassword}")
(lib.filterAttrs (_username: opts: opts.initialPassword != null) userCfg.users))
;
# Create home directories, do not create /var/empty even if that's a user's
# home.
tmpfiles.settings.home-directories = lib.mapAttrs'
(username: opts: lib.nameValuePair opts.home {
d = {
mode = opts.homeMode;
user = username;
group = opts.group;
};
})
(lib.filterAttrs (_username: opts: opts.home != "/var/empty") systemUsers);
# Create uid/gid marker files for those without an explicit id
tmpfiles.settings.nixos-uid = lib.mapAttrs'
(username: opts: lib.nameValuePair "/var/lib/nixos/uid/${username}" {
f = {
user = username;
};
})
(lib.filterAttrs (_username: opts: opts.uid == null) systemUsers);
tmpfiles.settings.nixos-gid = lib.mapAttrs'
(groupname: opts: lib.nameValuePair "/var/lib/nixos/gid/${groupname}" {
f = {
group = groupname;
};
})
(lib.filterAttrs (_groupname: opts: opts.gid == null) userCfg.groups);
additionalUpstreamSystemUnits = [
"systemd-sysusers.service"
];
services.systemd-sysusers = {
# Enable switch-to-configuration to restart the service.
unitConfig.ConditionNeedsUpdate = [ "" ];
requiredBy = [ "sysinit-reactivation.target" ];
before = [ "sysinit-reactivation.target" ];
restartTriggers = [ "${config.environment.etc."sysusers.d".source}" ];
serviceConfig = {
# When we have an immutable /etc we cannot write the files directly
# to /etc so we write it to a different directory and symlink them
# into /etc.
#
# We need to explicitly list the config file, otherwise
# systemd-sysusers cannot find it when we also pass another flag.
ExecStart = lib.mkIf immutableEtc
[ "" "${config.systemd.package}/bin/systemd-sysusers --root ${builtins.dirOf immutablePasswordFilesLocation} /etc/sysusers.d/00-nixos.conf" ];
# Make the source files writable before executing sysusers.
ExecStartPre = lib.mkIf (!userCfg.mutableUsers)
(lib.map
(file: "-${pkgs.util-linux}/bin/umount ${passwordFilesLocation}/${file}")
passwordFiles);
# Make the source files read-only after sysusers has finished.
ExecStartPost = lib.mkIf (!userCfg.mutableUsers)
(lib.map
(file: "${pkgs.util-linux}/bin/mount --bind -o ro ${passwordFilesLocation}/${file} ${passwordFilesLocation}/${file}")
passwordFiles);
LoadCredential = lib.mapAttrsToList
(username: opts: "passwd.hashed-password.${username}:${opts.hashedPasswordFile}")
(lib.filterAttrs (_username: opts: opts.hashedPasswordFile != null) systemUsers);
SetCredential = (lib.mapAttrsToList
(username: opts: "passwd.hashed-password.${username}:${opts.initialHashedPassword}")
(lib.filterAttrs (_username: opts: opts.initialHashedPassword != null) systemUsers))
++
(lib.mapAttrsToList
(username: opts: "passwd.plaintext-password.${username}:${opts.initialPassword}")
(lib.filterAttrs (_username: opts: opts.initialPassword != null) systemUsers))
;
};
})
];
};
};
environment.etc = lib.mkMerge [
(lib.mkIf (!userCfg.mutableUsers) {
"passwd" = {
source = "${staticSysusers}/etc/passwd";
mode = "0644";
};
"group" = {
source = "${staticSysusers}/etc/group";
mode = "0644";
};
"shadow" = {
source = "${staticSysusers}/etc/shadow";
mode = "0000";
};
"gshadow" = {
source = "${staticSysusers}/etc/gshadow";
mode = "0000";
};
})
(lib.mkIf userCfg.mutableUsers {
({
"sysusers.d".source = sysusersConfig;
})
];
# Statically create the symlinks to immutablePasswordFilesLocation when
# using an immutable /etc because we will not be able to do it at
# runtime!
(lib.mkIf immutableEtc (lib.listToAttrs (lib.map
(file: lib.nameValuePair file {
source = "${immutablePasswordFilesLocation}/${file}";
mode = "direct-symlink";
})
passwordFiles)))
];
};
meta.maintainers = with lib.maintainers; [ nikstur ];

12
nixos/tests/activation/etc-overlay-immutable.nix
View file

@ -32,6 +32,18 @@
with subtest("direct symlinks point to the target without indirection"):
assert machine.succeed("readlink -n /etc/localtime") == "/etc/zoneinfo/Utc"
with subtest("Correct mode on the source password files"):
assert machine.succeed("stat -c '%a' /var/lib/nixos/etc/passwd") == "644\n"
assert machine.succeed("stat -c '%a' /var/lib/nixos/etc/group") == "644\n"
assert machine.succeed("stat -c '%a' /var/lib/nixos/etc/shadow") == "0\n"
assert machine.succeed("stat -c '%a' /var/lib/nixos/etc/gshadow") == "0\n"
with subtest("Password files are symlinks to /var/lib/nixos/etc"):
assert machine.succeed("readlink -f /etc/passwd") == "/var/lib/nixos/etc/passwd\n"
assert machine.succeed("readlink -f /etc/group") == "/var/lib/nixos/etc/group\n"
assert machine.succeed("readlink -f /etc/shadow") == "/var/lib/nixos/etc/shadow\n"
assert machine.succeed("readlink -f /etc/gshadow") == "/var/lib/nixos/etc/gshadow\n"
with subtest("switching to the same generation"):
machine.succeed("/run/current-system/bin/switch-to-configuration test")

57
nixos/tests/systemd-sysusers-immutable.nix
View file

@ -2,8 +2,8 @@
let
rootPassword = "$y$j9T$p6OI0WN7.rSfZBOijjRdR.$xUOA2MTcB48ac.9Oc5fz8cxwLv1mMqabnn333iOzSA6";
normaloPassword = "$y$j9T$3aiOV/8CADAK22OK2QT3/0$67OKd50Z4qTaZ8c/eRWHLIM.o3ujtC1.n9ysmJfv639";
newNormaloPassword = "mellow";
sysuserPassword = "$y$j9T$3aiOV/8CADAK22OK2QT3/0$67OKd50Z4qTaZ8c/eRWHLIM.o3ujtC1.n9ysmJfv639";
newSysuserPassword = "mellow";
in
{
@ -16,49 +16,48 @@ in
systemd.sysusers.enable = true;
users.mutableUsers = false;
# Override the empty root password set by the test instrumentation
users.users.root.hashedPasswordFile = lib.mkForce null;
users.users.root.initialHashedPassword = rootPassword;
users.users.normalo = {
isNormalUser = true;
initialHashedPassword = normaloPassword;
# Read this password file at runtime from outside the Nix store.
environment.etc."rootpw.secret".text = rootPassword;
# Override the empty root password set by the test instrumentation.
users.users.root.hashedPasswordFile = lib.mkForce "/etc/rootpw.secret";
users.users.sysuser = {
isSystemUser = true;
group = "wheel";
home = "/sysuser";
initialHashedPassword = sysuserPassword;
};
specialisation.new-generation.configuration = {
users.users.new-normalo = {
isNormalUser = true;
initialPassword = newNormaloPassword;
users.users.new-sysuser = {
isSystemUser = true;
group = "wheel";
home = "/new-sysuser";
initialPassword = newSysuserPassword;
};
};
};
testScript = ''
with subtest("Users are not created with systemd-sysusers"):
machine.fail("systemctl status systemd-sysusers.service")
machine.fail("ls /etc/sysusers.d")
with subtest("Correct mode on the password files"):
assert machine.succeed("stat -c '%a' /etc/passwd") == "644\n"
assert machine.succeed("stat -c '%a' /etc/group") == "644\n"
assert machine.succeed("stat -c '%a' /etc/shadow") == "0\n"
assert machine.succeed("stat -c '%a' /etc/gshadow") == "0\n"
with subtest("root user has correct password"):
print(machine.succeed("getent passwd root"))
assert "${rootPassword}" in machine.succeed("getent shadow root"), "root user password is not correct"
with subtest("normalo user is created"):
print(machine.succeed("getent passwd normalo"))
assert machine.succeed("stat -c '%U' /home/normalo") == "normalo\n"
assert "${normaloPassword}" in machine.succeed("getent shadow normalo"), "normalo user password is not correct"
with subtest("sysuser user is created"):
print(machine.succeed("getent passwd sysuser"))
assert machine.succeed("stat -c '%U' /sysuser") == "sysuser\n"
assert "${sysuserPassword}" in machine.succeed("getent shadow sysuser"), "sysuser user password is not correct"
with subtest("Fail to add new user manually"):
machine.fail("useradd manual-sysuser")
machine.succeed("/run/current-system/specialisation/new-generation/bin/switch-to-configuration switch")
with subtest("new-normalo user is created after switching to new generation"):
print(machine.succeed("getent passwd new-normalo"))
print(machine.succeed("getent shadow new-normalo"))
assert machine.succeed("stat -c '%U' /home/new-normalo") == "new-normalo\n"
with subtest("new-sysuser user is created after switching to new generation"):
print(machine.succeed("getent passwd new-sysuser"))
assert machine.succeed("stat -c '%U' /new-sysuser") == "new-sysuser\n"
'';
}

39
nixos/tests/systemd-sysusers-mutable.nix
View file

@ -2,8 +2,8 @@
let
rootPassword = "$y$j9T$p6OI0WN7.rSfZBOijjRdR.$xUOA2MTcB48ac.9Oc5fz8cxwLv1mMqabnn333iOzSA6";
normaloPassword = "hello";
newNormaloPassword = "$y$j9T$p6OI0WN7.rSfZBOijjRdR.$xUOA2MTcB48ac.9Oc5fz8cxwLv1mMqabnn333iOzSA6";
sysuserPassword = "hello";
newSysuserPassword = "$y$j9T$p6OI0WN7.rSfZBOijjRdR.$xUOA2MTcB48ac.9Oc5fz8cxwLv1mMqabnn333iOzSA6";
in
{
@ -24,15 +24,19 @@ in
# Override the empty root password set by the test instrumentation
users.users.root.hashedPasswordFile = lib.mkForce null;
users.users.root.initialHashedPassword = rootPassword;
users.users.normalo = {
isNormalUser = true;
initialPassword = normaloPassword;
users.users.sysuser = {
isSystemUser = true;
group = "wheel";
home = "/sysuser";
initialPassword = sysuserPassword;
};
specialisation.new-generation.configuration = {
users.users.new-normalo = {
isNormalUser = true;
initialHashedPassword = newNormaloPassword;
users.users.new-sysuser = {
isSystemUser = true;
group = "wheel";
home = "/new-sysuser";
initialHashedPassword = newSysuserPassword;
};
};
};
@ -43,7 +47,7 @@ in
with subtest("systemd-sysusers.service contains the credentials"):
sysusers_service = machine.succeed("systemctl cat systemd-sysusers.service")
print(sysusers_service)
assert "SetCredential=passwd.plaintext-password.normalo:${normaloPassword}" in sysusers_service
assert "SetCredential=passwd.plaintext-password.sysuser:${sysuserPassword}" in sysusers_service
with subtest("Correct mode on the password files"):
assert machine.succeed("stat -c '%a' /etc/passwd") == "644\n"
@ -55,17 +59,20 @@ in
print(machine.succeed("getent passwd root"))
assert "${rootPassword}" in machine.succeed("getent shadow root"), "root user password is not correct"
with subtest("normalo user is created"):
print(machine.succeed("getent passwd normalo"))
assert machine.succeed("stat -c '%U' /home/normalo") == "normalo\n"
with subtest("sysuser user is created"):
print(machine.succeed("getent passwd sysuser"))
assert machine.succeed("stat -c '%U' /sysuser") == "sysuser\n"
with subtest("Manually add new user"):
machine.succeed("useradd manual-sysuser")
machine.succeed("/run/current-system/specialisation/new-generation/bin/switch-to-configuration switch")
with subtest("new-normalo user is created after switching to new generation"):
print(machine.succeed("getent passwd new-normalo"))
assert machine.succeed("stat -c '%U' /home/new-normalo") == "new-normalo\n"
assert "${newNormaloPassword}" in machine.succeed("getent shadow new-normalo"), "new-normalo user password is not correct"
with subtest("new-sysuser user is created after switching to new generation"):
print(machine.succeed("getent passwd new-sysuser"))
assert machine.succeed("stat -c '%U' /new-sysuser") == "new-sysuser\n"
assert "${newSysuserPassword}" in machine.succeed("getent shadow new-sysuser"), "new-sysuser user password is not correct"
'';
}