New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/users-groups: do not check validity of special hashes #91238
Conversation
[ "users" "users" "root" "initialHashedPassword" ] | ||
(cfg: if cfg.security.initialHashedPassword == "!" | ||
then null | ||
else cfg.security.initialHashedPassword)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This means that the change is backwards-compatible with people setting security.initialRootPassword
, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it is. Also this option has been hidden since 2014, so the impact should be small.
@@ -588,7 +593,7 @@ in { | |||
|| cfg.group == "wheel" | |||
|| elem "wheel" cfg.extraGroups) | |||
&& | |||
((cfg.hashedPassword != null && cfg.hashedPassword != "!") | |||
(cfg.hashedPassword != null |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I’m super uncomfortable with this line, somebody else will have to confirm that it’s valid.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are two possible cases I can think of:
- using the deprecated
security.initialRootPassword
"!" will be turned into a null, so it's covered - using
users.users.<name>.hashedPassword
or similar, "!" will issue the warning about possibly being locked out.
But yes, it would be better is someone familiar with this module would comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks to me like @edolstra is the only one who touched this code in the past.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, user using users.users.<name>.hashedPassword
that is not a hash will lock themselves out if they miss the warning so the assertion still makes sense. It is even too narrow here – I use *
as a root’s hash and this would not save me. Not sure we can extend it much further without causing false positives, though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- We should definitely add an assertion that
hashedPassword
cannot contain:
since that will definitely break the shadowfile as reported in Enforce no ":" in "hashedPassword" (perhaps a check) #12008 - There are other commonly used schemes for
hashedPassword
. Personally, I set it to*
for root, since hash prefixed with!
means the account is locked according toshadow(5)
. Different systems might support special sequences with even wilder semantics like!!
or*NS*
https://unix.stackexchange.com/questions/252016/difference-between-vs-vs-in-etc-shadow
@@ -588,7 +593,7 @@ in { | |||
|| cfg.group == "wheel" | |||
|| elem "wheel" cfg.extraGroups) | |||
&& | |||
((cfg.hashedPassword != null && cfg.hashedPassword != "!") | |||
(cfg.hashedPassword != null |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, user using users.users.<name>.hashedPassword
that is not a hash will lock themselves out if they miss the warning so the assertion still makes sense. It is even too narrow here – I use *
as a root’s hash and this would not save me. Not sure we can extend it much further without causing false positives, though.
What is the point of setting the hash to "!" when If these special hashes are common I'll add exceptions, but to me it feel like an implementation detail that shouldn't leak to the NixOS configuration: the options |
I did not know that before reviewing the code. I would expect
Yeah, this it a personal preference. Sometimes I like it when NixOS modules map directly to UNIX concepts and do not add much special logic. Especially, if I was familiar with the config before switching to NixOS. |
I added a check for "!", "!!" and "*" in the assertion and the warning as you requested. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as I can see, this is fine now
I seem to not understand what this PR is achieving on my system: I'm now getting the intended warning for a |
No, you're not supposed to get that warning and this PR will fix it. The warning is intended to check valid hashes but in the original PR (#83171) I missed the edge cases of "!", "*" and others. |
Confirming that commit 470ce47 triggers a spurious warning, e.g. for |
@nh2 Note that It's not |
This option has been deprecated for a long time because is redundant (users.users.root.initialHashedPassword exists). Moreover, being of type string, it required to handle the special value "!" separately, instead of using just `null`.
This explanation was contained in the description of security.initialRootPassword but got lost when it was deprecated a long ago (f496c3c) and removed.
Motivation for this change
Fixup of PR #83171
Things done
cc @tilpner @erictapen