installer: Don't run as root #66338
@@ -17,7 +27,7 @@ with lib; | |||
# Automatically login as root. | |||
displayManager.slim = { |
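Review bot: the comment `# Automatically login as root.` directly above `displayManager.slim = {` will be wrong if it stays as shown once the installer stops running as root. It should name the account that is actually auto-logged in, so the comment and the slim settings below it cannot drift apart.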
I won't ask it of this PR, but slim is long abandoned. We should get off of it sometime :)
Yep, I raised this in #66313 (comment) at the very end. Some people had strong opinions though in the past.
Shall we go for slightly more branding and call the "live" user "nixos"?
When adisbladis and I discussed this and he authored the original change
It sounds like the name then was something with a hyphen, but I can't see what it was. I still like One thing I spotted in that linked PR is the suggestion of
I think I'll do this 👍
@@ -30,15 +30,27 @@ with lib; | |||
Version=1.0 | |||
Type=Application | |||
Name=NixOS Manual | |||
Exec=firefox ${config.system.build.manual.manualHTMLIndex} |
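Review bot: `Exec=firefox ${config.system.build.manual.manualHTMLIndex}` calls `firefox` by bare name, so the launcher only works if a firefox binary is on the session user's PATH, and which binary runs depends on that PATH. Reference the browser by its package path in the `Exec=` line, or do not name a specific browser in this desktop entry.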
Just realized that `nixos-manual.desktop` generation isn't needed anymore, as `nixos-manual` has a desktop item that will intelligently launch the default browser.
So this can be removed?
(Noting for myself, mainly) this will affect sd_image, meaning both that it needs to be tested, and (external) documentation amended as needed.
bd59a8b was needed so users can use gparted and it will call into They'll need no kind of authentication because of the polkit rule we added.
912a080 to 58ea6b5
I remember that I once added the possibility to do root login into the install media via SSH. If the default user is no longer The SSH install workflow would then just be as follows:
So only password login for normal users is required.
Guess that means you authored
I guess we should document it this way, but I believe we should still permit root login with ssh.
I've now tested the graphical iso. Things done
Did the procedure to login via ssh for
@@ -29,13 +29,14 @@ | |||
</para> | |||
|
|||
<para> | |||
You are logged-in automatically as <literal>root</literal>. (The | |||
<literal>root</literal> user account has an empty password.) | |||
You are logged-in automatically as <literal>nixos</literal>. |
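Review bot: the replacement sentence `You are logged-in automatically as <literal>nixos</literal>.` drops the parenthetical about the empty `root` password and, in the lines shown, puts nothing in its place. State here whether the `nixos` account has a password and how to run commands as root from it, so readers who relied on the old sentence know how to get a root shell.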
You are logged-in automatically as <literal>nixos</literal>. | |
You are logged-in automatically as the <literal>nixos</literal> user. |
@@ -33,6 +33,12 @@ | |||
PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release. | |||
</para> | |||
</listitem> | |||
<listitem> | |||
<para> | |||
The installer now uses a less privileged <literal>nixos</literal> user whereas before we logged in as root. |
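Review bot: in the new `<listitem>`, the sentence `The installer now uses a less privileged <literal>nixos</literal> user whereas before we logged in as root.` tells readers that the root session is gone but not what replaces it. Add one sentence on how privileged commands are run from the `nixos` account (the commit message names passwordless sudo), since a release note is where users of older root-based instructions will look.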
The installer now uses a less privileged <literal>nixos</literal> user whereas before we logged in as root. | |
The installer now uses the <literal>nixos</literal> user instead of <literal>root</literal>. |
I drop "less privileged" because they're not actually less privileged, and saying it is might lead to questions about well how do I do the thing then.
I haven't tested it, but I am quite sure it has been tested :) Looks great.
There are many reasons why it is and is going to continue to be difficult to do this:
1. All display-managers (excluding slim) default PAM rules disallow root auto login.
2. We can't use wayland
3. We have to use system-wide pulseaudio
4. It could break applications in the session. This happened to dolphin in plasma5 in the past.

This is a growing technical debt, let's just use passwordless sudo.
Use wrapGAppsHook as well
This adds the icon theme to XDG_DATA_DIRS. It doesn't appear Plasma5 is properly configured for gtk apps so this works around there being no icon theme installed for it.
3852b0c to 15f5535
Just validated that
Thanks everyone.
There were some documentation fixes missing in
It's not needed since NixOS#66338 and should have been done earlier. This is based on a follow-up on NixOS#56167.
It's not needed since NixOS#66338 and should have been done earlier. This is based on a follow-up on NixOS#56167. (cherry picked from commit 4403cd1)
Motivation for this change
There are many reasons why it is and is going to continue to be difficult to do this:
1. All display-managers (excluding slim) default PAM rules disallow root auto login.
2. We can't use wayland
3. We have to use system-wide pulseaudio
4. It could break applications in the session. This happened to dolphin in plasma5 in the past.

This is a growing technical debt, let's just use passwordless sudo.
This is a prerequisite to having a GNOME3 iso.
Broken up from #66313
I've supplied all the requested changes to what was raised on this commit.
In particular #66313 (review).
Things done
I've built `iso_minimal` and it auto logs in as `live` when tested in qemu.
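The setup discussed in this thread, sketched as a NixOS module (an added example, not the PR's code): an auto-logged-in `nixos` account with passwordless sudo and a polkit rule that skips authentication. The `wheel` group membership, the body of the polkit rule and the `services.getty.autologinUser` option name are assumptions based on current NixOS options, not taken from the diff.

```nix
# Added illustration for a live/installer image only; not the PR's code.
{ ... }:
{
  # The session user replaces the root auto-login. The name "nixos" is the
  # one settled on in the review thread.
  users.users.nixos = {
    isNormalUser = true;
    # Assumption: privilege is granted through membership in "wheel".
    extraGroups = [ "wheel" ];
  };

  # "Passwordless sudo" from the commit message: members of wheel may run
  # any command as root without being asked for a password.
  security.sudo = {
    enable = true;
    wheelNeedsPassword = false;
  };

  # The thread mentions a polkit rule so that tools such as gparted need
  # no authentication. Assumption: the rule answers YES for every action
  # requested by a member of wheel.
  security.polkit.enable = true;
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      if (subject.isInGroup("wheel")) {
        return polkit.Result.YES;
      }
    });
  '';

  # Console auto-login as the unprivileged name instead of root.
  # Assumption: current option name; older releases used a different one.
  services.getty.autologinUser = "nixos";

  # Net effect: anyone at the console (or in this session) can become root
  # without a credential, through sudo or through any polkit-mediated
  # action. The account is root-equivalent; what changes is that the
  # desktop session, display manager and audio stack no longer run as
  # UID 0.
}
```

This is why the review asked to drop "less privileged" from the release note: with both rules in place the `nixos` account can do everything root can, and the benefit is compatibility with display managers and session software rather than a reduced privilege boundary.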