nixos/update-users-groups: read access to /etc/shadow for group shadow #116644
Diff LGTM.
This is also consistent with the Ubuntu docs in the issue linked in the PR that introduced this (https://wiki.debian.org/SystemGroups#Groups_without_an_associated_user): "shadow: /etc/shadow is readable by this group. Some programs that need to be able to access the file are SETGID shadow."
@ofborg test installer.simple

I tried to reply via email, but apparently it didn't work. I was just thinking if the permissions should be 0440 instead of 0640. Or is there a reason to have the shadow file writable on NixOS? Also, do you know how to properly set up nginx so that it has access to
Nginx service didn't seem to have access to the shadow file with this config. (I suppose the wrapper is just added to EDIT: Ah, found some discussions about my latter question: https://discourse.nixos.org/t/nginx-pam-access-to-etc-shadow/6218/2

I'd modify the nginx service and add FWIW, my Pihole installation has I don't think it really matters, since it's owned by root... root can do whatever it wants with that file even if it's r/o.

Thanks! If you can find some reasoning on why

Thanks! I now tried:
instead of
but with
I wonder why it doesn't work. Any ideas?

And you restarted the nginx unit afterwards? I've seen services need to be manually restarted despite the service definition changing underneath it. Also try plain old If still no dice, I have no idea :(

Ok, thanks! Yeah, I did restart the nginx unit manually. But at least setting

This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/nginx-pam-access-to-etc-shadow/6218/7
Motivation for this change
#98676 set /etc/shadow group to shadow. However, the group wasn't given read-access to the file, thus defeating the purpose of the PR. This PR now adds read-access to /etc/shadow for group shadow. This fix was accepted in the following comment: #98676 (comment)

cc: @cole-h
Things done
- sandbox in nix.conf (on non-NixOS linux)
- nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- ./result/bin/
- nix path-info -S (before and after)
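The check a practitioner would run after this change is whether /etc/shadow actually ends up mode 0640 with owner root and group shadow: owner may read and write, the shadow group may read, and "other" has no access. The following is an added example, not code from the nixpkgs PR or the NixOS module; it assumes GNU coreutils `stat` (the `-c` format flag) and, so that it can run without root, exercises the check on a constructed temporary file owned by the current user instead of the real /etc/shadow.

```shell
#!/usr/bin/env bash
# Added example (not part of nixpkgs): verify that a shadow-style file carries
# exactly the permissions the PR intends. Assumes GNU coreutils `stat`.

# check_shadow_perms PATH OWNER GROUP
# Returns 0 if PATH is mode 640 and owned by OWNER:GROUP, 1 otherwise,
# reporting every mismatch on stderr.
check_shadow_perms() {
    local path="$1" want_owner="$2" want_group="$3"
    local mode owner group ok=0

    if [ ! -e "$path" ]; then
        echo "$path: does not exist" >&2
        return 1
    fi

    mode=$(stat -c '%a' "$path")   # octal bits without leading zero, e.g. 640
    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")

    # 640 = owner rw, group r, other none. 0440 would also keep the hashes from
    # "other" and still let the shadow group read; the thread notes the owner
    # (root) can write the file regardless of the bits, so 640 is what is checked.
    if [ "$mode" != "640" ]; then
        echo "$path: mode is $mode, expected 640" >&2
        ok=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$path: owner is $owner, expected $want_owner" >&2
        ok=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$path: group is $group, expected $want_group" >&2
        ok=1
    fi
    return "$ok"
}

# Constructed demo: a throwaway file in place of /etc/shadow, owned by the
# current user and primary group so the example needs no root.
demo() {
    local tmp rc
    tmp=$(mktemp)
    chmod 640 "$tmp"
    check_shadow_perms "$tmp" "$(id -un)" "$(id -gn)"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# On a NixOS host that carries this PR, the real check is:
#   check_shadow_perms /etc/shadow root shadow
```

Run it as `source` plus `demo`, or call `check_shadow_perms /etc/shadow root shadow` directly; a non-zero exit with a "mode is 600" message is exactly the state #98676 left behind (group set, but no group read bit).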