nixpkgs/nixos/modules/security
Florian Klink d180bf3862 security.pam: make pam_unix.so required, not sufficient
Having pam_unix set to "sufficient" means early-succeeding account
management group, as soon as pam_unix.so is succeeding.

This is not sufficient. For example, nixos modules might install nss
modules for user lookup, so pam_unix.so succeeds, and we end the stack
successfully, even though other pam account modules might want to do
more extensive checks.

Other distros seem to set pam_unix.so to 'required', so if there are
other pam modules in that management group, they get a chance to do some
validation too.

For SSSD, @PsyanticY already added a workaround knob in
https://github.com/NixOS/nixpkgs/pull/31969, while stating this should
be the default anyway.

I did some thinking in what could break - after this commit, we require
pam_unix to succeed, means we require `getent passwd $username` to
return something.
This is the case for all local users due to the passwd nss module, and
also the case for all modules installing their nss module to
nsswitch.conf - true for ldap (if not explicitly disabled) and sssd.

I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss
module loaded? Should the pam account module be placed before pam_unix?

We don't drop the `security.pam.services.<name?>.sssdStrictAccess`
option, as it's also used some lines below to tweak error behaviour
inside the pam sssd module itself (by changing it's 'control' field).

This is also required to get admin login for Google OS Login working
(#51566), as their pam_oslogin_admin accounts module takes care of sudo
configuration.
2018-12-21 15:31:07 +01:00
..
wrappers nixos/wrappers: remove outdated upgrade code 2018-10-21 15:12:36 +02:00
acme.nix acme module: fix self-signed cert with openssl 1.1 2018-09-12 13:40:46 +02:00
acme.xml docs: format 2018-09-29 20:51:11 -04:00
apparmor-suid.nix apparmor-suid: don't force glibc 2018-10-30 19:50:47 -05:00
apparmor.nix apparmor: support for lxc profiles 2017-01-10 23:01:03 +01:00
audit.nix nixos: Move uses of stdenv.shell to runtimeShell. 2018-03-01 14:38:53 -05:00
auditd.nix nixos/auditd: break ordering cycle (#27577) 2017-08-01 20:45:01 +01:00
ca.nix cacerts: refactor, add blacklist option 2016-10-09 02:00:18 +02:00
chromium-suid-sandbox.nix nixos/chromium-suid-sandbox: remove reference to grsecurity 2017-09-02 20:35:28 +02:00
dhparams.nix dhparams module: add self as maintainer 2018-10-31 01:05:35 +09:00
duosec.nix duosec: use root uid as sshd uid has been retired (#33597) 2018-03-21 18:46:35 -05:00
hidepid.nix [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
hidepid.xml docs: format 2018-09-29 20:51:11 -04:00
lock-kernel-modules.nix nixos/lock-kernel-modules: add myself to maintainers 2018-10-15 01:33:30 +02:00
misc.nix nixos/security/misc: init 2018-10-15 23:11:37 +02:00
oath.nix [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
pam_mount.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
pam_usb.nix [bot] treewide: remove unused 'inherit' in let blocks 2018-07-20 19:38:19 +00:00
pam.nix security.pam: make pam_unix.so required, not sufficient 2018-12-21 15:31:07 +01:00
polkit.nix nixos/polkit: use tmpfiles to clean old dirs 2018-09-30 11:08:11 -07:00
prey.nix nixos: fix some types 2015-09-18 18:48:50 +00:00
rngd.nix nixos/rngd: do not pass --version flag 2018-11-05 10:41:38 +01:00
rtkit.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
sudo.nix Merge pull request #42834 from Synthetica9/patch-1 2018-07-23 11:29:18 -04:00