base repository: NixOS/nixpkgs
base: f01f31737120
head repository: NixOS/nixpkgs
compare: fa0d499dbfa5
  • 2 commits
  • 3 files changed
  • 2 contributors

Commits on Dec 16, 2020

  1. nixos/users-groups: createHome: Ensure HOME permissions, fix description

    configuration.nix(1) states
    
        users.extraUsers.<name>.createHome
            [...] If [...] the home directory already exists but is not
            owned by the user, directory owner and group will be changed to
            match the user.
    
    i.e. ownership would change only if the user mismatched; the code
    however ignores the owner, it is sufficient to enable `createHome`:
    
        if ($u->{createHome}) {
            make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
            chown $u->{uid}, $u->{gid}, $u->{home};
        }
    
    Furthermore, permissions are ignored on already existing directories and
    therefore may allow others to read private data eventually.
    
    Given that createHome already acts as switch to not only create but
    effectively own the home directory, manage permissions in the same
    manner to ensure the intended default and cover all primary attributes.
    
    Avoid yet another configuration option to have administrators make a
    clear and simple choice between securely managing home directories
    and optionally deferring management to own code (taking care of custom
    location, ownership, mode, extended attributes, etc.).
    
    While here, simplify and thereby fix misleading documentation.
    klemensn authored and andir committed Dec 16, 2020

    Unverified

    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    8833983

Commits on Dec 17, 2020

  1. Merge pull request #106995 from andir/ml2pr/PATCH-nixos-users-groups-…

    …createHome-Ensure-HOME-permissions-fix-description
    
    nixos/users-groups: createHome: Ensure HOME permissions, fix description
    andir authored Dec 17, 2020

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    fa0d499
Showing with 11 additions and 5 deletions.
  1. +7 −0 nixos/doc/manual/release-notes/rl-2103.xml
  2. +2 −1 nixos/modules/config/update-users-groups.pl
  3. +2 −4 nixos/modules/config/users-groups.nix
7 changes: 7 additions & 0 deletions nixos/doc/manual/release-notes/rl-2103.xml
@@ -431,6 +431,13 @@
been dropped from upstream releases.
</para>
</listitem>
<listitem>
<para>
<xref linkend="opt-users.users._name_.createHome" /> now always ensures home directory permissions to be <literal>0700</literal>.
Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others.
The option's description was incorrect regarding ownership management and has been simplified greatly.
</para>
</listitem>
</itemizedlist>
</section>
</section>
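Review bot: the new `<listitem>` says createHome "now always ensures home directory permissions to be 0700" but gives no guidance to administrators whose existing home directories deliberately carry a wider mode. Suggest adding a sentence that such setups should disable `createHome` and manage the directory themselves, which is the choice the commit message describes. As a wording point, "ensures home directory permissions to be" would read more plainly as "sets the home directory mode to".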
3 changes: 2 additions & 1 deletion nixos/modules/config/update-users-groups.pl
@@ -209,10 +209,11 @@ sub parseUser {
}
}

# Create a home directory.
# Ensure home directory incl. ownership and permissions.
if ($u->{createHome}) {
make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
chown $u->{uid}, $u->{gid}, $u->{home};
chmod 0700, $u->{home};
}

if (defined $u->{passwordFile}) {
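Review bot: the added `chmod 0700, $u->{home};` does not check its return value, and neither does the `chown` above it, so a failed call passes silently and the directory keeps whatever owner and mode it had. Since the point of the change is to guarantee the mode, suggest something like `chmod(0700, $u->{home}) or warn "chmod $u->{home}: $!";` and the same for `chown`. Both calls also act on the path and follow a symlink, and `-e` is the only test made beforehand, so it is worth confirming that `$u->{home}` is a real directory (`-d` and not `-l`) before changing ownership and mode.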
6 changes: 2 additions & 4 deletions nixos/modules/config/users-groups.nix
@@ -198,10 +198,8 @@ let
type = types.bool;
default = false;
description = ''
If true, the home directory will be created automatically. If this
option is true and the home directory already exists but is not
owned by the user, directory owner and group will be changed to
match the user.
Whether to create the home directory and ensure ownership as well as
permissions to match the user.
'';
};
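Review bot: the replacement description ("ensure ownership as well as permissions to match the user") names neither the mode nor the fact that an already existing directory is adjusted too, which is the behaviour change the release note calls out. Suggest stating `0700` explicitly and saying that ownership and mode are applied to an existing home directory as well, so that someone reading only the option documentation knows what enabling `createHome` will do to it.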