base repository: NixOS/nixpkgs
base: 40272a77a3c4
head repository: NixOS/nixpkgs
compare: de357d57811b
  • 2 commits
  • 3 files changed
  • 2 contributors

Commits on Oct 13, 2019

  1. nixos/users: Increase maximum system uid/gid from 499 to 999

    This enlarges the system uid/gid range 6-fold, from 100 to 600 ids. This
    is a preventative measure against running out of dynamically allocated
    ids for NixOS services with isSystemUser, which should become the
    preferred way of allocating uids for non-real users.
    infinisil committed Oct 13, 2019
    23d920c

Commits on Oct 27, 2019

  1. Merge pull request #65698 from Infinisil/system-users

    Increase the system user id range
    infinisil authored Oct 27, 2019
    de357d5
Showing with 26 additions and 6 deletions.
  1. +2 −2 nixos/modules/config/update-users-groups.pl
  2. +12 −2 nixos/modules/programs/shadow.nix
  3. +12 −2 pkgs/os-specific/linux/systemd/default.nix
4 changes: 2 additions & 2 deletions nixos/modules/config/update-users-groups.pl
@@ -56,12 +56,12 @@ sub allocGid {
$gidsUsed{$prevGid} = 1;
return $prevGid;
}
return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 999, 0, sub { my ($gid) = @_; getgrgid($gid) });
}

sub allocUid {
my ($name, $isSystemUser) = @_;
my ($min, $max, $up) = $isSystemUser ? (400, 499, 0) : (1000, 29999, 1);
my ($min, $max, $up) = $isSystemUser ? (400, 999, 0) : (1000, 29999, 1);
my $prevUid = $uidMap->{$name};
if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) {
print STDERR "reviving user '$name' with UID $prevUid\n";
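Review bot: The new upper bound 999 is written as a literal twice in this hunk, once in the allocId call in allocGid and once in the ($min, $max, $up) tuple in allocUid, so the uid and gid ranges can drift apart on the next change. Define the system range once near the top of the script and use it in both places. It is also worth noting for upgraders that the only in-use check visible for gids here is the getgrgid($gid) callback, so an id between 500 and 999 that still owns files on disk but has no database entry could now be handed to a new system group.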
14 changes: 12 additions & 2 deletions nixos/modules/programs/shadow.nix
@@ -6,17 +6,27 @@ with lib;

let

/*
There are three different sources for user/group id ranges, each of which gets
used by different programs:
- The login.defs file, used by the useradd, groupadd and newusers commands
- The update-users-groups.pl file, used by NixOS in the activation phase to
decide on which ids to use for declaratively defined users without a static
id
- Systemd compile time options -Dsystem-uid-max= and -Dsystem-gid-max=, used
by systemd for features like ConditionUser=@system and systemd-sysusers
*/
loginDefs =
''
DEFAULT_HOME yes
SYS_UID_MIN 400
SYS_UID_MAX 499
SYS_UID_MAX 999
UID_MIN 1000
UID_MAX 29999
SYS_GID_MIN 400
SYS_GID_MAX 499
SYS_GID_MAX 999
GID_MIN 1000
GID_MAX 29999
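Review bot: The comment added above loginDefs names the three sources of the id range but does not say that they must agree, and SYS_UID_MAX 999 and SYS_GID_MAX 999 remain literals that have to be edited by hand alongside update-users-groups.pl and the systemd flags. State in the comment that all three must carry the same bounds, and consider interpolating the values from one let binding so that a future change cannot leave useradd and the activation script with a different idea of what a system account is than systemd's ConditionUser=@system.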
14 changes: 12 additions & 2 deletions pkgs/os-specific/linux/systemd/default.nix
@@ -84,8 +84,18 @@ stdenv.mkDerivation {
"-Dldconfig=false"
"-Dsmack=true"
"-Db_pie=true"
"-Dsystem-uid-max=499" #TODO: debug why awking around in /etc/login.defs doesn't work
"-Dsystem-gid-max=499"
/*
As of now, systemd doesn't allow runtime configuration of these values. So
the settings in /etc/login.defs have no effect on it. Many people think this
should be supported however, see
- https://github.com/systemd/systemd/issues/3855
- https://github.com/systemd/systemd/issues/4850
- https://github.com/systemd/systemd/issues/9769
- https://github.com/systemd/systemd/issues/9843
- https://github.com/systemd/systemd/issues/10184
*/
"-Dsystem-uid-max=999"
"-Dsystem-gid-max=999"
# "-Dtime-epoch=1"

(if !stdenv.hostPlatform.isEfi then "-Dgnu-efi=false" else "-Dgnu-efi=true")
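Review bot: The comment before "-Dsystem-uid-max=999" explains why /etc/login.defs has no effect on systemd but does not point to the two other places that must hold the same value, nixos/modules/programs/shadow.nix and nixos/modules/config/update-users-groups.pl. Add that cross-reference here: these are compile-time flags, so a mismatch would only surface as systemd classifying ids in the 500 to 999 range differently from the rest of the system.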