Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/pam: add pam_nologin.so by default #53989

Closed
wants to merge 1 commit into from
Closed

nixos/pam: add pam_nologin.so by default #53989

wants to merge 1 commit into from

Conversation

bjornfor
Copy link
Contributor

Motivation for this change

Some NixOS services already override the default PAM config and add
pam_nologin.so. This change adds it to the default config, so that it
applies to services like sshd and login too. (It also applies to things
like sudo, which might be surprising, but I'm having a hard time
justifying "forking" the default config for sshd etc. just because of
this.)

pam_nologin.so prevents non-root user login if the file /etc/nologin or
/run/nologin exists. (The file can also contain a message that will be
shown to the user before getting access denied.)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@bjornfor
nixos/pam: add pam_nologin.so by default
5712fda 
Some NixOS services already override the default PAM config and add
pam_nologin.so. This change adds it to the default config, so that it
applies to services like sshd and login too. (It also applies to things
like sudo, which might be surprising, but I'm having a hard time
justifying "forking" the default config for sshd etc. just because of
this.)

pam_nologin.so prevents non-root user login if the file /etc/nologin or
/run/nologin exists. (The file can also contain a message that will be
shown to the user before getting access denied.)
@grahamc
Copy link
Member

grahamc commented Jan 15, 2019

Seems only display managers add it, and there are a lot of use cases which aren't graphical. Do other distros add nologin by default?

@bjornfor
Copy link
Contributor Author

I checked Ubuntu, and the answer is no. pam_nologin.so is neither part of the /etc/pam.d/common-* files, nor is it part of all services. But it is part of /etc/pam.d/{login,ssh,gdm-*,...}. For example, /etc/pam.d/runuser does not even include common-auth.

@bjornfor
Copy link
Contributor Author

I wrote this because I was having trouble merging the default PAM config with small custom config. It appears one can do lib.mkDefault for merging, so I have a local workaround now. But I'm having trouble combining mkBefore with mkDefault, so I'm not confident my workaround is a good one, seeing as pam_nologin should be placed early in the config (not something to submit in a PR).

"man pam_nologin" says "all login methods should be secured by it". I initially thought that meant all PAM services, but apparently there are non-login services. Evidence: I see /etc/pam.d/user{add,del,mod} and Ubuntu doesn't put pam_nologin.so in their common-auth.

I'm a PAM newbie, obviously :-)

@bjornfor bjornfor closed this Jan 18, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@infinisil infinisil Awaiting requested review from infinisil

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@bjornfor @grahamc @GrahamcOfBorg