Review per https://nixos.org/nixpkgs/manual/#sec-reviewing-contributions and top comment in https://raw.githubusercontent.com/NixOS/nixpkgs/master/.github/PULL_REQUEST_TEMPLATE.md .

Reviewed points

• changes are backward compatible
• removed options are declared with mkRemovedOptionModule: none
• changes that are not backward compatible are documented in release notes: none
• module tests succeed on x86_64-linux: mutable-users.nix, misc.nix, see comment below
• options types are appropriate: see suggestion below
• options description is set: see suggestion below
• options example is provided: see suggestion below
• documentation affected by the changes is updated: see comment below

Possible improvements

• There is a possible race condition in the code: According to https://perldoc.perl.org/File/Path.html , the default mode is 0777 minus umask. With the pull request at hand, the home directory is hence first created with liberal access bits, then chmod'ed into an access mode that is likely more restrictive. When using nixos-rebuild switch, a local attacker might use the time window between mkdir and chmod to enter the newly created home directory. I'm not sure if there is a way to exploit this opportunity to cause any real harm. Yet, to be on the safe side, I suggest to re-add the mode argument (with oct($u->{homeMode})) to the make_path command, while retaining the chmod call from this pull request's current version.
• Are only octal numbers allowed for the mode? This should be stated in the option's description. Maybe bad input could be caught with types.strMatching, like 0[0-7]{3}?
• Maybe set an example for the homeMode option, e.g. "0750"?

Comments

• users-groups.nix has no maintainers set. To raise some attention, I'm notifying those who touched similar code in the module recently (per git log and git blame): @zimbatm @edolstra @aszlig
• NixOS documentation might be updated to make this option visible to readers, but I don't consider this option to be that vital to warrant such an update.
• There is no explicit test for user account management, but mutable-users.nix and misc.nix seem to probe some aspects of the users-groups mechanism. Both succeed.
• I tried all combinations of the following with this pull request, with success:
  • Add new users with various home dir mode.
  • Change home dir modes of existing users.
  • Apply changes with mutableUsers=true.
  • Apply changes with mutableUsers=false.
• All tests described here were performed after rebasing the pull request onto current nixos-unstable channel.

For the author, reviewers, and committers: this PR was scanned and appears to add a use of the deprecated types.string, which emits a warning as of #66346. Before merging, please change this to another type, possibly:

• types.str for a single string where merging does not make sense, or cannot work
• types.lines for multi-line configuration or scripts where merging is possible
• types.listOf types.str for a mergeable list of strings

Does anybody actually need this option btw? What would people need this for?

@infinisil: Well, in my case I needed something like this a few times already, but homeMode would not reach far enough for me, because I also needed to set ACLs and permissions for /home itself. For that, I wrote a generic directories module (here is an example of usage in the form of a test) a while ago for nixcloud, not sure however whether it makes sense to contribute to NixOS because that module is fairly complex.

In summary: So, yes, this option is better than having no way to set permissions for the user's home directory.

@aszlig You explained that you need it but not why/what for

@infinisil: Well, it's been a while and I can't remember anymore, but even if I'd need it - there are ways around it by disabling 'createHome` and creating the directory via some other means.

Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:

1. Search for maintainers and people that previously touched the
   related code and @ mention them in a comment.
2. Ask on the NixOS Discourse. 3. Ask on the #nixos channel on
   irc.freenode.net.

I marked this as stale due to inactivity. → More info

Since Daniel hasn't participated in the PR, I will assume that the interest has died and close the PR.