PAM/eCryptfs now able to mount ecryptfs'd home directories on login
parent
b452bd40e1
commit
e5d4624420
@ -131,6 +131,7 @@
|
|||||||
notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
|
notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
|
||||||
np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
|
np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
|
||||||
nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>";
|
nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>";
|
||||||
|
obadz = "obadz <dav-nixos@odav.org>";
|
||||||
ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
|
ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
|
||||||
offline = "Jaka Hudoklin <jakahudoklin@gmail.com>";
|
offline = "Jaka Hudoklin <jakahudoklin@gmail.com>";
|
||||||
olcai = "Erik Timan <dev@timan.info>";
|
olcai = "Erik Timan <dev@timan.info>";
|
||||||
|
@ -211,7 +211,9 @@ let
|
|||||||
${optionalString cfg.usbAuth
|
${optionalString cfg.usbAuth
|
||||||
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
|
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
|
||||||
${optionalString cfg.unixAuth
|
${optionalString cfg.unixAuth
|
||||||
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"}
|
"auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"}
|
||||||
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
|
"auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
|
||||||
${optionalString cfg.otpwAuth
|
${optionalString cfg.otpwAuth
|
||||||
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
||||||
${optionalString cfg.oathAuth
|
${optionalString cfg.oathAuth
|
||||||
@ -223,9 +225,11 @@ let
|
|||||||
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
||||||
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
||||||
''}
|
''}
|
||||||
auth required pam_deny.so
|
${optionalString (! config.security.pam.enableEcryptfs) "auth required pam_deny.so"}
|
||||||
|
|
||||||
# Password management.
|
# Password management.
|
||||||
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
|
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
||||||
password requisite pam_unix.so nullok sha512
|
password requisite pam_unix.so nullok sha512
|
||||||
${optionalString config.users.ldap.enable
|
${optionalString config.users.ldap.enable
|
||||||
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
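Review bot: Dropping `auth required pam_deny.so` whenever enableEcryptfs is set (the `optionalString (! config.security.pam.enableEcryptfs)` line) assumes the `required` pam_unix line from the previous hunk is present, but that line is itself wrapped in `optionalString cfg.unixAuth`; with unixAuth = false and enableEcryptfs = true the stack ends with `auth required pam_ecryptfs.so unwrap` and no deny, so the result rests on whatever pam_ecryptfs's auth hook returns, and as far as I can tell that hook is a key-unwrapping step rather than a password check. Gating the deny on both flags keeps the fail-closed default: `${optionalString (! (config.security.pam.enableEcryptfs && cfg.unixAuth)) "auth required pam_deny.so"}`. A short comment on the `if ... then "required" else "sufficient"` line explaining why `sufficient` has to become `required` (presumably pam_ecryptfs must run after pam_unix has set the auth token, and a successful `sufficient` would end the stack before it) would also help the next reader. The service text this hunk edits starts and ends outside the hunk.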
@ -245,6 +249,8 @@ let
|
|||||||
"session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022"}
|
"session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022"}
|
||||||
${optionalString cfg.updateWtmp
|
${optionalString cfg.updateWtmp
|
||||||
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
|
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
|
||||||
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
|
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
||||||
${optionalString config.users.ldap.enable
|
${optionalString config.users.ldap.enable
|
||||||
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
${optionalString config.krb5.enable
|
${optionalString config.krb5.enable
|
||||||
@ -357,6 +363,13 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.pam.enableEcryptfs = mkOption {
|
||||||
|
default = false;
|
||||||
|
description = ''
|
||||||
|
Enable eCryptfs PAM module (mounting ecryptfs home directory on login).
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
users.motd = mkOption {
|
users.motd = mkOption {
|
||||||
default = null;
|
default = null;
|
||||||
example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178.";
|
example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178.";
|
||||||
@ -377,7 +390,11 @@ in
|
|||||||
++ optional config.users.ldap.enable pam_ldap
|
++ optional config.users.ldap.enable pam_ldap
|
||||||
++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
|
++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
|
||||||
++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
|
++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
|
||||||
++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ];
|
++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ]
|
||||||
|
++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
|
||||||
|
|
||||||
|
security.setuidPrograms =
|
||||||
|
optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
|
||||||
|
|
||||||
environment.etc =
|
environment.etc =
|
||||||
mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
|
mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
|
||||||
|
@ -95,15 +95,23 @@ in
|
|||||||
|
|
||||||
auth required pam_succeed_if.so uid >= 1000 quiet
|
auth required pam_succeed_if.so uid >= 1000 quiet
|
||||||
auth optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
|
auth optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
|
||||||
auth sufficient pam_unix.so nullok likeauth
|
auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth
|
||||||
auth required pam_deny.so
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
|
"auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
|
||||||
|
|
||||||
|
${optionalString (! config.security.pam.enableEcryptfs)
|
||||||
|
"auth required pam_deny.so"}
|
||||||
|
|
||||||
account sufficient pam_unix.so
|
account sufficient pam_unix.so
|
||||||
|
|
||||||
password requisite pam_unix.so nullok sha512
|
password requisite pam_unix.so nullok sha512
|
||||||
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
|
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
||||||
|
|
||||||
session required pam_env.so envfile=${config.system.build.pamEnvironment}
|
session required pam_env.so envfile=${config.system.build.pamEnvironment}
|
||||||
session required pam_unix.so
|
session required pam_unix.so
|
||||||
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
|
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
||||||
session required pam_loginuid.so
|
session required pam_loginuid.so
|
||||||
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||||
session optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
|
session optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
|
||||||
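Review bot: The three ecryptfs-conditional pieces added here (the `if ... then "required" else "sufficient"` control on pam_unix, the `unwrap` auth line, and the deny line gated on `! enableEcryptfs`) are repeated verbatim in the next hunk at `@ -115,15 +123,22 @@` and, with small variations, in the pam.nix hunks, so any later change to module order or control flags has to be made in four places. Hoisting them into `let` bindings, e.g. `unixAuthControl = if config.security.pam.enableEcryptfs then "required" else "sufficient";` and `ecryptfsAuth = optionalString config.security.pam.enableEcryptfs "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap";`, would keep the two service stacks identical by construction. The `let` block and the enclosing attribute strings start outside the hunk.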
@ -115,15 +123,22 @@ in
|
|||||||
|
|
||||||
auth required pam_succeed_if.so uid >= 1000 quiet
|
auth required pam_succeed_if.so uid >= 1000 quiet
|
||||||
auth optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
|
auth optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
|
||||||
auth sufficient pam_unix.so nullok likeauth
|
auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth
|
||||||
auth required pam_deny.so
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
|
"auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
|
||||||
|
${optionalString (! config.security.pam.enableEcryptfs)
|
||||||
|
"auth required pam_deny.so"}
|
||||||
|
|
||||||
account sufficient pam_unix.so
|
account sufficient pam_unix.so
|
||||||
|
|
||||||
password requisite pam_unix.so nullok sha512
|
password requisite pam_unix.so nullok sha512
|
||||||
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
|
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
||||||
|
|
||||||
session required pam_env.so envfile=${config.system.build.pamEnvironment}
|
session required pam_env.so envfile=${config.system.build.pamEnvironment}
|
||||||
session required pam_unix.so
|
session required pam_unix.so
|
||||||
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
|
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
||||||
session required pam_loginuid.so
|
session required pam_loginuid.so
|
||||||
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||||
session optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
|
session optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
{ stdenv, fetchurl, pkgconfig, perl, keyutils, nss, nspr, python, pam
|
{ stdenv, fetchurl, pkgconfig, perl, utillinux, keyutils, nss, nspr, python, pam
|
||||||
, intltool, makeWrapper, coreutils, gettext, cryptsetup, lvm2, rsync, which }:
|
, intltool, makeWrapper, coreutils, bash, gettext, cryptsetup, lvm2, rsync, which }:
|
||||||
|
|
||||||
stdenv.mkDerivation {
|
stdenv.mkDerivation {
|
||||||
name = "ecryptfs-104";
|
name = "ecryptfs-104";
|
||||||
@ -9,16 +9,33 @@ stdenv.mkDerivation {
|
|||||||
sha256 = "0f3lzpjw97vcdqzzgii03j3knd6pgwn1y0lpaaf46iidaiv0282a";
|
sha256 = "0f3lzpjw97vcdqzzgii03j3knd6pgwn1y0lpaaf46iidaiv0282a";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#TODO: replace wrapperDir below with from <nixos> config.security.wrapperDir;
|
||||||
|
preConfigure = ''
|
||||||
|
FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)"
|
||||||
|
for file in $FILES; do
|
||||||
|
substituteInPlace "$file" \
|
||||||
|
--replace /sbin/mount.ecryptfs_private /var/setuid-wrappers/mount.ecryptfs_private \
|
||||||
|
--replace /sbin/umount.ecryptfs_private /var/setuid-wrappers/umount.ecryptfs_private \
|
||||||
|
--replace /sbin/mount.ecryptfs $out/sbin/mount.ecryptfs \
|
||||||
|
--replace /sbin/umount.ecryptfs $out/sbin/umount.ecryptfs \
|
||||||
|
--replace /usr/bin/ecryptfs-rewrite-file $out/bin/ecryptfs-rewrite-file \
|
||||||
|
--replace /usr/bin/ecryptfs-mount-private $out/bin/ecryptfs-mount-private \
|
||||||
|
--replace /usr/bin/ecryptfs-setup-private $out/bin/ecryptfs-setup-private \
|
||||||
|
--replace /sbin/cryptsetup ${cryptsetup}/sbin/cryptsetup \
|
||||||
|
--replace /sbin/dmsetup ${lvm2}/sbin/dmsetup \
|
||||||
|
--replace /bin/mount ${utillinux}/bin/mount \
|
||||||
|
--replace /bin/umount ${utillinux}/bin/umount \
|
||||||
|
--replace /sbin/unix_chkpwd /var/setuid-wrappers/unix_chkpwd \
|
||||||
|
--replace /bin/bash ${bash}/bin/bash
|
||||||
|
done
|
||||||
|
'';
|
||||||
|
|
||||||
buildInputs = [ pkgconfig perl nss nspr python pam intltool makeWrapper ];
|
buildInputs = [ pkgconfig perl nss nspr python pam intltool makeWrapper ];
|
||||||
propagatedBuildInputs = [ coreutils gettext cryptsetup lvm2 rsync keyutils which ];
|
propagatedBuildInputs = [ coreutils gettext cryptsetup lvm2 rsync keyutils which ];
|
||||||
|
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
FILES="$(grep -r '/bin/sh' $out/bin | sed 's,:.*,,' | uniq)"
|
FILES="$(grep -r '/bin/sh' $out/bin -l)"
|
||||||
for file in $FILES; do
|
for file in $FILES; do
|
||||||
sed -i $file -e "s,\(/sbin/u\?mount.ecryptfs\(_private\)\?\),$out\1," \
|
|
||||||
-e "s,\(/sbin/cryptsetup\),${cryptsetup}\1," \
|
|
||||||
-e "s,\(/sbin/dmsetup\),${lvm2}\1," \
|
|
||||||
-e 's,/sbin/\(unix_chkpwd\),\1,'
|
|
||||||
wrapProgram $file \
|
wrapProgram $file \
|
||||||
--prefix PATH ":" "${coreutils}/bin" \
|
--prefix PATH ":" "${coreutils}/bin" \
|
||||||
--prefix PATH ":" "${gettext}/bin" \
|
--prefix PATH ":" "${gettext}/bin" \
|
||||||
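Review bot: The substituteInPlace loop in preConfigure is unchecked: `--replace` on a file that lacks the pattern is a silent no-op, which is expected for most entries of `$FILES` (each holds only a subset of the paths) but also means an upstream rename of, say, `/sbin/umount.ecryptfs_private` would leave the original absolute path baked into the binary without a build failure. A guard after the `done`, e.g. `! grep -rE '/sbin/(u?mount\.ecryptfs|cryptsetup|dmsetup|unix_chkpwd)|/usr/bin/ecryptfs-' src`, would make the build fail when any target path survives. The `/var/setuid-wrappers/` literal is hard-coded as the TODO at the top of the hunk notes, and the same literal now also backs the `unix_chkpwd` replacement, which the removed postInstall sed previously left as a bare `unix_chkpwd` resolved via PATH. The derivation's attribute set starts before and ends after the hunk.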
@ -32,6 +49,7 @@ stdenv.mkDerivation {
|
|||||||
meta = with stdenv.lib; {
|
meta = with stdenv.lib; {
|
||||||
description = "Enterprise-class stacked cryptographic filesystem";
|
description = "Enterprise-class stacked cryptographic filesystem";
|
||||||
license = licenses.gpl2Plus;
|
license = licenses.gpl2Plus;
|
||||||
|
maintainers = [ lib.maintainers.obadz ];
|
||||||
platforms = platforms.linux;
|
platforms = platforms.linux;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|