From 98102ebd92ab52e198271dce02515023baa7d6d5 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 6 Sep 2016 17:23:27 +0200
Subject: [PATCH] Enable the runuser command from util-linux

Fixes #14701.
---
 nixos/modules/programs/shadow.nix | 1 -
 nixos/modules/security/pam.nix | 21 ++++++++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index 878c9cc0cf09..ce4d46e19bf9 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -99,7 +99,6 @@ in
 groupdel = { rootOK = true; };
 login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; };
 chpasswd = { rootOK = true; };
- chgpasswd = { rootOK = true; };
 };
 
 security.setuidPrograms = [ "su" "chfn" ]
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 77815cd6dcc1..814dd21b53de 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -105,6 +105,16 @@ let
 '';
 };
 
+ setEnvironment = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether the service should set the environment variables listed in using pam_env.so.
+ '';
+ };
+
 setLoginUid = mkOption {
 type = types.bool;
 description = ''
@@ -284,7 +294,9 @@ let
 "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
 
 # Session management.
- session required pam_env.so envfile=${config.system.build.pamEnvironment}
+ ${optionalString cfg.setEnvironment ''
+ session required pam_env.so envfile=${config.system.build.pamEnvironment}
+ ''}
 session required pam_unix.so
 ${optionalString cfg.setLoginUid "session ${
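Review bot: The description of the new setEnvironment option reads "set the environment variables listed in using pam_env.so", with nothing between "listed in" and "using" — possibly markup lost in this rendering, but as shown a reader cannot tell which option's variables end up in the envfile (presumably environment.sessionVariables, from which pamEnvironment is generated; confirm before naming it). The description should also say what `false` does: the -284,7 hunk further down drops the whole `session required pam_env.so` line when cfg.setEnvironment is false, so pam_env.so is not loaded for that service at all, which I believe also skips pam_env's own default configuration file handling, not just the generated envfile (worth confirming). Suggested wording: `Whether to load pam_env.so for this service. When true, the variables in the generated envfile are set at session start; when false, pam_env.so is left out of the service's session stack entirely.` The optionalString line in the -284,7 hunk sits inside the service-configuration string whose beginning and end are outside that hunk.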
@@ -477,6 +489,13 @@ in
 vlock = {};
 xlock = {};
 xscreensaver = {};
+
+ runuser = { rootOK = true; unixAuth = false; setEnvironment = false; };
+
+ /* FIXME: should runuser -l start a systemd session? Currently it complains "Cannot create session: Already running in a session". */
+ runuser-l = { rootOK = true; unixAuth = false; };
 };
 
 };
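Review bot: The two new services differ only in that `runuser` sets `setEnvironment = false;` while `runuser-l` keeps the default of `true`, and nothing in the hunk says whether that asymmetry is deliberate; if the intent is that the login-shell variant gets the session environment and the plain one keeps the caller's, a one-line comment such as `# runuser -l is a login shell and gets the session environment; plain runuser keeps the caller's.` would spare the next reader from guessing. Both entries use `rootOK = true; unixAuth = false;`, which as far as the option names suggest leaves pam_rootok as the only auth module, so a non-root caller can never pass authentication; that is only safe because runuser is not setuid, and the shadow.nix hunk above shows it is indeed not in `security.setuidPrograms`. That assumption deserves recording next to the entries, e.g. `# runuser is not setuid: only root reaches these services, so pam_rootok alone is the auth stack.` The FIXME comment is multi-line in the file but appears collapsed here, so its exact layout could not be checked.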