If !cfg.mutableUsers, require a password or SSH authorized key
Fixes https://github.com/NixOS/nixpkgs/issues/7308
parent
e70f8c58cc
commit
6e76765795
|
@ -216,7 +216,7 @@ let
|
||||||
exist. If <option>users.mutableUsers</option> is true, the
|
exist. If <option>users.mutableUsers</option> is true, the
|
||||||
password can be changed subsequently using the
|
password can be changed subsequently using the
|
||||||
<command>passwd</command> command. Otherwise, it's
|
<command>passwd</command> command. Otherwise, it's
|
||||||
equivalent to setting the <option>password</option> option.
|
equivalent to setting the <option>hashedPassword</option> option.
|
||||||
|
|
||||||
${hashedPasswordDescription}
|
${hashedPasswordDescription}
|
||||||
'';
|
'';
|
||||||
|
@ -525,6 +525,27 @@ in {
|
||||||
{ assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);
|
{ assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);
|
||||||
message = "UIDs and GIDs must be unique!";
|
message = "UIDs and GIDs must be unique!";
|
||||||
}
|
}
|
||||||
|
{ # If mutableUsers is false, to prevent users creating a
|
||||||
|
# configuration that locks them out of the system, ensure that
|
||||||
|
# there is at least one "privileged" account that has a
|
||||||
|
# password or an SSH authorized key. Privileged accounts are
|
||||||
|
# root and users in the wheel group.
|
||||||
|
assertion = !cfg.mutableUsers ->
|
||||||
|
any id (mapAttrsToList (name: cfg:
|
||||||
|
(name == "root"
|
||||||
|
|| cfg.group == "wheel"
|
||||||
|
|| elem "wheel" cfg.extraGroups)
|
||||||
|
&&
|
||||||
|
((cfg.hashedPassword != null && cfg.hashedPassword != "!")
|
||||||
|
|| cfg.password != null
|
||||||
|
|| cfg.passwordFile != null
|
||||||
|
|| cfg.openssh.authorizedKeys.keys != []
|
||||||
|
|| cfg.openssh.authorizedKeys.keyFiles != [])
|
||||||
|
) cfg.extraUsers);
|
||||||
|
message = ''
|
||||||
|
Neither the root account nor any wheel user has a password or SSH authorized key.
|
||||||
|
You must set one to prevent being locked out of your system.'';
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
};
|
};
|
||||||
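Review bot: The `cfg.hashedPassword != "!"` clause in the new credential test treats every other hash string as a usable password, but shadow(5) locks an account for any field beginning with `!` or `*` (for example `"*"`, or the `"!$6$…"` left behind by `passwd -l`), so such an account satisfies the assertion while still having no password login. A tighter form would be `(cfg.hashedPassword != null && !(hasPrefix "!" cfg.hashedPassword) && cfg.hashedPassword != "*")`, assuming `hasPrefix` is in scope from `lib` the way `any`, `elem` and `mapAttrsToList` appear to be. The two `authorizedKeys` clauses likewise count as a login path even when sshd is not running; if `config.services.openssh.enable` is reachable in this module, gating those clauses on it would close that gap, though the `let` bindings that would show this lie outside the hunk. As a point of style, the inner lambda's `cfg` parameter shadows the module-level `cfg` used on the `!cfg.mutableUsers ->` line immediately above, so `name: user:` would read more clearly.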
|
|