nixos/users-group: Add 'homeMode' option.

This commit is contained in:
Federico Beffa 2022-04-10 21:06:19 +02:00
parent 9bce1fb5ac
commit 9fc01af1cc
4 changed files with 37 additions and 2 deletions

View file

@ -226,7 +226,7 @@ foreach my $u (@{$spec->{users}}) {
if ($u->{createHome}) {
make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home} and ! $is_dry;
chown $u->{uid}, $u->{gid}, $u->{home};
chmod 0700, $u->{home};
chmod oct($u->{homeMode}), $u->{home};
}
if (defined $u->{passwordFile}) {

View file

@ -139,6 +139,12 @@ let
description = "The user's home directory.";
};
homeMode = mkOption {
type = types.strMatching "[0-7]{1,5}";
default = "700";
description = "The user's home directory mode in numeric format. See chmod(1).";
};
cryptHomeLuks = mkOption {
type = with types; nullOr str;
default = null;
@ -319,6 +325,7 @@ let
group = mkDefault "users";
createHome = mkDefault true;
home = mkDefault "/home/${config.name}";
homeMode = mkDefault "700";
useDefaultShell = mkDefault true;
isSystemUser = mkDefault false;
})
@ -430,7 +437,7 @@ let
inherit (cfg) mutableUsers;
users = mapAttrsToList (_: u:
{ inherit (u)
name uid group description home createHome isSystemUser
name uid group description home homeMode createHome isSystemUser
password passwordFile hashedPassword
autoSubUidGidRange subUidRanges subGidRanges
initialPassword initialHashedPassword;

View file

@ -556,6 +556,7 @@ in
upnp = handleTest ./upnp.nix {};
usbguard = handleTest ./usbguard.nix {};
user-activation-scripts = handleTest ./user-activation-scripts.nix {};
user-home-mode = handleTest ./user-home-mode.nix {};
uwsgi = handleTest ./uwsgi.nix {};
v2ray = handleTest ./v2ray.nix {};
vault = handleTest ./vault.nix {};

View file

@ -0,0 +1,27 @@
import ./make-test-python.nix ({ lib, ... }: {
name = "user-home-mode";
meta = with lib.maintainers; { maintainers = [ fbeffa ]; };
nodes.machine = {
users.users.alice = {
initialPassword = "pass1";
isNormalUser = true;
};
users.users.bob = {
initialPassword = "pass2";
isNormalUser = true;
homeMode = "750";
};
};
testScript = ''
machine.wait_for_unit("multi-user.target")
machine.wait_for_unit("getty@tty1.service")
machine.wait_until_tty_matches(1, "login: ")
machine.send_chars("alice\n")
machine.wait_until_tty_matches(1, "Password: ")
machine.send_chars("pass1\n")
machine.succeed('[ "$(stat -c %a /home/alice)" == "700" ]')
machine.succeed('[ "$(stat -c %a /home/bob)" == "750" ]')
'';
})