mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-07-02 22:10:08 +03:00
Merge master into staging-next
This commit is contained in:
github-actions[bot]
GitHub
commit
f51499324c
25 changed files with 581 additions and 45 deletions
|
|
@ -223,10 +223,10 @@ foreach my $u (@{$spec->{users}}) {
|
|||
}
|
||||
|
||||
# Ensure home directory incl. ownership and permissions.
|
||||
if ($u->{createHome}) {
|
||||
make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home} and ! $is_dry;
|
||||
if ($u->{createHome} and !$is_dry) {
|
||||
make_path($u->{home}, { mode => oct($u->{homeMode}) }) if ! -e $u->{home};
|
||||
chown $u->{uid}, $u->{gid}, $u->{home};
|
||||
chmod 0700, $u->{home};
|
||||
chmod oct($u->{homeMode}), $u->{home};
|
||||
}
|
||||
|
||||
if (defined $u->{passwordFile}) {
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ let
|
|||
services such as SSH, or indirectly via <command>su</command> or
|
||||
<command>sudo</command>). This should only be used for e.g. bootable
|
||||
live systems. Note: this is different from setting an empty password,
|
||||
which ca be achieved using <option>users.users.<name?>.password</option>.
|
||||
which can be achieved using <option>users.users.<name?>.password</option>.
|
||||
|
||||
If set to <literal>null</literal> (default) this user will not
|
||||
be able to log in using a password (i.e. via <command>login</command>
|
||||
|
|
@ -139,6 +139,12 @@ let
|
|||
description = "The user's home directory.";
|
||||
};
|
||||
|
||||
homeMode = mkOption {
|
||||
type = types.strMatching "[0-7]{1,5}";
|
||||
default = "700";
|
||||
description = "The user's home directory mode in numeric format. See chmod(1). The mode is only applied if <option>users.users.<name>.createHome</option> is true.";
|
||||
};
|
||||
|
||||
cryptHomeLuks = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
|
|
@ -319,6 +325,7 @@ let
|
|||
group = mkDefault "users";
|
||||
createHome = mkDefault true;
|
||||
home = mkDefault "/home/${config.name}";
|
||||
homeMode = mkDefault "700";
|
||||
useDefaultShell = mkDefault true;
|
||||
isSystemUser = mkDefault false;
|
||||
})
|
||||
|
|
@ -430,7 +437,7 @@ let
|
|||
inherit (cfg) mutableUsers;
|
||||
users = mapAttrsToList (_: u:
|
||||
{ inherit (u)
|
||||
name uid group description home createHome isSystemUser
|
||||
name uid group description home homeMode createHome isSystemUser
|
||||
password passwordFile hashedPassword
|
||||
autoSubUidGidRange subUidRanges subGidRanges
|
||||
initialPassword initialHashedPassword;
|
||||
|
|
|
|||
|
|
@ -199,6 +199,7 @@ let
|
|||
allow_anonymous = 1;
|
||||
allow_zero_length_clientid = 1;
|
||||
auto_id_prefix = 1;
|
||||
bind_interface = 1;
|
||||
cafile = 1;
|
||||
capath = 1;
|
||||
certfile = 1;
|
||||
|
|
@ -295,7 +296,7 @@ let
|
|||
};
|
||||
|
||||
listenerAsserts = prefix: listener:
|
||||
assertKeysValid prefix freeformListenerKeys listener.settings
|
||||
assertKeysValid "${prefix}.settings" freeformListenerKeys listener.settings
|
||||
++ userAsserts prefix listener.users
|
||||
++ imap0
|
||||
(i: v: authAsserts "${prefix}.authPlugins.${toString i}" v)
|
||||
|
|
@ -397,7 +398,7 @@ let
|
|||
};
|
||||
|
||||
bridgeAsserts = prefix: bridge:
|
||||
assertKeysValid prefix freeformBridgeKeys bridge.settings
|
||||
assertKeysValid "${prefix}.settings" freeformBridgeKeys bridge.settings
|
||||
++ [ {
|
||||
assertion = length bridge.addresses > 0;
|
||||
message = "Bridge ${prefix} needs remote broker addresses";
|
||||
|
|
@ -526,7 +527,7 @@ let
|
|||
|
||||
globalAsserts = prefix: cfg:
|
||||
flatten [
|
||||
(assertKeysValid prefix freeformGlobalKeys cfg.settings)
|
||||
(assertKeysValid "${prefix}.settings" freeformGlobalKeys cfg.settings)
|
||||
(imap0 (n: l: listenerAsserts "${prefix}.listener.${toString n}" l) cfg.listeners)
|
||||
(mapAttrsToList (n: b: bridgeAsserts "${prefix}.bridge.${n}" b) cfg.bridges)
|
||||
];
|
||||
|
|
@ -629,9 +630,10 @@ in
|
|||
]));
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [
|
||||
"AF_UNIX" # for sd_notify() call
|
||||
"AF_UNIX"
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_NETLINK"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
|
|
|
|||
|
|
@ -35,11 +35,11 @@ let
|
|||
"nss-lookup.target"
|
||||
"nss-user-lookup.target"
|
||||
"time-sync.target"
|
||||
] ++ (optionals cfg.package.withCryptsetup [
|
||||
] ++ optionals cfg.package.withCryptsetup [
|
||||
"cryptsetup.target"
|
||||
"cryptsetup-pre.target"
|
||||
"remote-cryptsetup.target"
|
||||
]) ++ [
|
||||
] ++ [
|
||||
"sigpwr.target"
|
||||
"timers.target"
|
||||
"paths.target"
|
||||
|
|
@ -133,20 +133,27 @@ let
|
|||
|
||||
# Slices / containers.
|
||||
"slices.target"
|
||||
] ++ optionals cfg.package.withImportd [
|
||||
"systemd-importd.service"
|
||||
] ++ optionals cfg.package.withMachined [
|
||||
"machine.slice"
|
||||
"machines.target"
|
||||
"systemd-importd.service"
|
||||
"systemd-machined.service"
|
||||
] ++ [
|
||||
"systemd-nspawn@.service"
|
||||
|
||||
# Misc.
|
||||
"systemd-sysctl.service"
|
||||
] ++ optionals cfg.package.withTimedated [
|
||||
"dbus-org.freedesktop.timedate1.service"
|
||||
"dbus-org.freedesktop.locale1.service"
|
||||
"dbus-org.freedesktop.hostname1.service"
|
||||
"systemd-timedated.service"
|
||||
] ++ optionals cfg.package.withLocaled [
|
||||
"dbus-org.freedesktop.locale1.service"
|
||||
"systemd-localed.service"
|
||||
] ++ optionals cfg.package.withHostnamed [
|
||||
"dbus-org.freedesktop.hostname1.service"
|
||||
"systemd-hostnamed.service"
|
||||
] ++ [
|
||||
"systemd-exit.service"
|
||||
"systemd-update-done.service"
|
||||
] ++ cfg.additionalUpstreamSystemUnits;
|
||||
|
|
|
|||
|
|
@ -81,8 +81,11 @@ in
|
|||
"systemd-logind.service"
|
||||
"autovt@.service"
|
||||
"systemd-user-sessions.service"
|
||||
] ++ optionals config.systemd.package.withImportd [
|
||||
"dbus-org.freedesktop.import1.service"
|
||||
] ++ optionals config.systemd.package.withMachined [
|
||||
"dbus-org.freedesktop.machine1.service"
|
||||
] ++ [
|
||||
"dbus-org.freedesktop.login1.service"
|
||||
"user@.service"
|
||||
"user-runtime-dir@.service"
|
||||
|
|
|
|||
|
|
@ -580,6 +580,7 @@ in
|
|||
uptermd = handleTest ./uptermd.nix {};
|
||||
usbguard = handleTest ./usbguard.nix {};
|
||||
user-activation-scripts = handleTest ./user-activation-scripts.nix {};
|
||||
user-home-mode = handleTest ./user-home-mode.nix {};
|
||||
uwsgi = handleTest ./uwsgi.nix {};
|
||||
v2ray = handleTest ./v2ray.nix {};
|
||||
vault = handleTest ./vault.nix {};
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@ let
|
|||
port = 1888;
|
||||
tlsPort = 1889;
|
||||
anonPort = 1890;
|
||||
bindTestPort = 1891;
|
||||
password = "VERY_secret";
|
||||
hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw==";
|
||||
topic = "test/foo";
|
||||
|
|
@ -125,6 +126,10 @@ in {
|
|||
};
|
||||
};
|
||||
}
|
||||
{
|
||||
settings.bind_interface = "eth0";
|
||||
port = bindTestPort;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
@ -134,6 +139,8 @@ in {
|
|||
};
|
||||
|
||||
testScript = ''
|
||||
import json
|
||||
|
||||
def mosquitto_cmd(binary, user, topic, port):
|
||||
return (
|
||||
"mosquitto_{} "
|
||||
|
|
@ -162,6 +169,27 @@ in {
|
|||
start_all()
|
||||
server.wait_for_unit("mosquitto.service")
|
||||
|
||||
with subtest("bind_interface"):
|
||||
addrs = dict()
|
||||
for iface in json.loads(server.succeed("ip -json address show")):
|
||||
for addr in iface['addr_info']:
|
||||
# don't want to deal with multihoming here
|
||||
assert addr['local'] not in addrs
|
||||
addrs[addr['local']] = (iface['ifname'], addr['family'])
|
||||
|
||||
# mosquitto grabs *one* random address per type for bind_interface
|
||||
(has4, has6) = (False, False)
|
||||
for line in server.succeed("ss -HlptnO sport = ${toString bindTestPort}").splitlines():
|
||||
items = line.split()
|
||||
if "mosquitto" not in items[5]: continue
|
||||
listener = items[3].rsplit(':', maxsplit=1)[0].strip('[]')
|
||||
assert listener in addrs
|
||||
assert addrs[listener][0] == "eth0"
|
||||
has4 |= addrs[listener][1] == 'inet'
|
||||
has6 |= addrs[listener][1] == 'inet6'
|
||||
assert has4
|
||||
assert has6
|
||||
|
||||
with subtest("check passwords"):
|
||||
client1.succeed(publish("-m test", "password_store"))
|
||||
client1.succeed(publish("-m test", "password_file"))
|
||||
|
|
|
|||
27
nixos/tests/user-home-mode.nix
Normal file
27
nixos/tests/user-home-mode.nix
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
import ./make-test-python.nix ({ lib, ... }: {
|
||||
name = "user-home-mode";
|
||||
meta = with lib.maintainers; { maintainers = [ fbeffa ]; };
|
||||
|
||||
nodes.machine = {
|
||||
users.users.alice = {
|
||||
initialPassword = "pass1";
|
||||
isNormalUser = true;
|
||||
};
|
||||
users.users.bob = {
|
||||
initialPassword = "pass2";
|
||||
isNormalUser = true;
|
||||
homeMode = "750";
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
machine.wait_for_unit("getty@tty1.service")
|
||||
machine.wait_until_tty_matches(1, "login: ")
|
||||
machine.send_chars("alice\n")
|
||||
machine.wait_until_tty_matches(1, "Password: ")
|
||||
machine.send_chars("pass1\n")
|
||||
machine.succeed('[ "$(stat -c %a /home/alice)" == "700" ]')
|
||||
machine.succeed('[ "$(stat -c %a /home/bob)" == "750" ]')
|
||||
'';
|
||||
})
|
||||
Loading…
Add table
Add a link
Reference in a new issue