-
-
Notifications
You must be signed in to change notification settings - Fork 12.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/users-groups: warn on ambiguous password settings #287506
Conversation
After 4b12800 it took me a while in a test setup to find out why `root` didn't have the password anymore I declared in my config. Because of that I got reminded how the order of preference works for the password options: hashedPassword > password > hashedPasswordFile If the user is new, initialPassword & initialHashedPassword are also relevant. Also, the override is silent in contrast to any other conflicting definition in NixOS. To make this less surprising I decided to warn in such a case - assertions would probably break too much that technically works as intended. Also removed the `initialHashedPassword` for `root`. This would cause a warning whenever you set something in your own config and a `!` is added automatically by `users-groups.pl`. `systemd-sysusers` also seems to implement these precedence rules, so having the warning for that case also seems useful.
c3184f7
to
f695430
Compare
i'm getting this warning now, but unless the behavior of these options has changed over the last 18 months or so i'm very intentionally setting both options: users.users.colin = {
# initial password is empty, in case anything goes wrong.
# if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
initialPassword = "";
hashedPasswordFile = config.sops.secrets.colin-passwd.path;
}; the setup for providing the hashed password file here requires that warning message is a great idea because plenty of people experience exactly the reverse of me here: but is there a way i can silence the warning for my own usecase? |
So I did a small test on one of my VMs. First, I created a user like this: {
users.users.snens = {
password = "abcdefg";
isNormalUser = true;
};
} As expected, the user {
users.users.snens = {
hashedPasswordFile = "/this/path/does/not/exist";
isNormalUser = true;
};
} The activation script warned me about the file not existing, but activation went through. After that the password was still Are you maybe using impermanence and/or mutable users?
I'm not aware of being able to silence the warning in particular. You can forcefully disable all warnings via But that's a good point, maybe it should be possible to acknowledge/silence certain warnings, but this is something that should be fixed at a larger scale. cc @infinisil @roberth for that. |
immutable users: no. impermanence: yes. unfortunately a different one from the nix-community maybe i'll toy with providing an |
I asked specifically for impermanence because it's not possible to persist /etc/shadow & /etc/passwd there. IIRC the impermanence script would need to run before the users-groups activation script, but that's not possible for reasons I forgot. Do you have a similar issue? Because if you actually can save your |
@Ma27 i'm fairly certain /etc/shadow & /etc/passwd are recreated on my system each time it boots. because for the record, { lib, ... }:
let
ignored = [ "some\nwarning\ni don't want to see anymore" ];
in {
options = {
warnings = lib.mkOption {
apply = builtins.filter (w: !(builtins.elem w ignored));
};
};
} |
I tried in #97023, but it had to be reverted. There's also some links to related issues/PRs there. |
Description of changes
After 4b12800 it took me a while in a test setup to find out why
root
didn't have the password anymore I declared in my config.Because of that I got reminded how the order of preference works for the password options:
If the user is new, initialPassword & initialHashedPassword are also relevant. Also, the override is silent in contrast to any other conflicting definition in NixOS.
To make this less surprising I decided to warn in such a case - assertions would probably break too much that technically works as intended.
Also removed the
initialHashedPassword
forroot
. This would cause a warning whenever you set something in your own config and a!
is added automatically byusers-groups.pl
.systemd-sysusers
also seems to implement these precedence rules, so having the warning for that case also seems useful.Things done
nix.conf
? (See Nix manual)sandbox = relaxed
sandbox = true
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)Add a 馃憤 reaction to pull requests you find important.