From 6e767657951788775451859f1c36d4eb0230581c Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Wed, 2 Sep 2015 16:09:05 +0200
Subject: [PATCH] If !cfg.mutableUsers, require a password or SSH authorized key

Fixes https://github.com/NixOS/nixpkgs/issues/7308
---
 nixos/modules/config/users-groups.nix | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 478f433b431c..776c482bf7f4 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -216,7 +216,7 @@ let
           exist. If is true, the
           password can be changed subsequently using the
           passwd command. Otherwise, it's
-          equivalent to setting the option.
+          equivalent to setting the option.
           ${hashedPasswordDescription}
         '';
 
@@ -525,6 +525,27 @@ in {
         { assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);
           message = "UIDs and GIDs must be unique!";
         }
+        { # If mutableUsers is false, to prevent users creating a
+          # configuration that locks them out of the system, ensure that
+          # there is at least one "privileged" account that has a
+          # password or an SSH authorized key. Privileged accounts are
+          # root and users in the wheel group.
+          assertion = !cfg.mutableUsers ->
+            any id (mapAttrsToList (name: cfg:
+              (name == "root"
+               || cfg.group == "wheel"
+               || elem "wheel" cfg.extraGroups)
+              &&
+              ((cfg.hashedPassword != null && cfg.hashedPassword != "!")
+               || cfg.password != null
+               || cfg.passwordFile != null
+               || cfg.openssh.authorizedKeys.keys != []
+               || cfg.openssh.authorizedKeys.keyFiles != [])
+            ) cfg.extraUsers);
+          message = ''
+            Neither the root account nor any wheel user has a password or SSH authorized key.
+            You must set one to prevent being locked out of your system.'';
+        }
       ];
     };
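Review bot: The locked-password test in the `hashedPassword` branch only rejects the literal `"!"`, so a root or wheel account whose hash is `"*"` or a `!`-prefixed (locked) hash still satisfies the assertion even though neither permits password login; if I have the shadow(5) convention right, the guard should read `(cfg.hashedPassword != null && cfg.hashedPassword != "*" && !(hasPrefix "!" cfg.hashedPassword))`, with `hasPrefix` available unqualified the same way `any` and `elem` appear to be. The `passwordFile` and `keyFiles` branches can only be checked for presence at evaluation time, which is acceptable, but a comment saying so would stop a reader from expecting the assertion to prove the account is actually reachable, e.g. `# passwordFile/keyFiles are only checked for presence; their contents are not validated here.` On style, the inner lambda `(name: cfg: ...)` shadows the module's `cfg` binding, which makes the `!cfg.mutableUsers` at the start of the assertion read as if it referred to the same value as the `cfg.hashedPassword` below it; renaming the parameter to `user` would avoid that. The enclosing `assertions` list begins before this hunk.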