WIP: mutable user eval test #31034
WIP: mutable user eval test #31034
Conversation
|
Is this still WIP? |
| else | ||
| # Forced commands don't count as being allowed in | ||
| # and no means no | ||
| if (ssh.permitRootLogin == "forced-command" |
There was a problem hiding this comment.
Should be "forced-commands-only"
| then false | ||
| else | ||
| builtins.trace ("Cannot handle openssh.permitRootLogin" | ||
| + " = ${ssh.permitRootLogin} in determining if it" |
There was a problem hiding this comment.
Add quotes around "${ssh.permitRootLogin}"
| message = '' | ||
| No account can log in at the console or over SSH. Please set |
There was a problem hiding this comment.
This line seem to be unfinished
| || cfg.openssh.authorizedKeys.keys != [] | ||
| || cfg.openssh.authorizedKeys.keyFiles != []) | ||
| ) cfg.users); | ||
| (let |
There was a problem hiding this comment.
IIUC, this assertion can not be accurate if security.sudo.configFile is overwritten or security.sudo.extraConfig is set. I see two options:
- print a warning if that's the case and do not check anything;
- still check things, but add an explicit "breakglass" option to disable this assertion.
| @@ -114,6 +114,8 @@ in | |||
|
|
|||
| permitRootLogin = mkOption { | |||
| default = "prohibit-password"; | |||
| # When changing the allowed types, you must also update | |||
There was a problem hiding this comment.
s/the allowed types/the allowed values/
|
Currently this PR performs tests purely based on the state of configuration, without access to actual disk. This means it won't be able to work accurately for #4990 in a corner case if a |
Motivation for this change
Another user got locked out by setting mutableUsers to false... This extends the check, and adds tests for it. Yikes!