-
-
Notifications
You must be signed in to change notification settings - Fork 12.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: mutable user eval test #31034
WIP: mutable user eval test #31034
Conversation
Is this still WIP? |
else | ||
# Forced commands don't count as being allowed in | ||
# and no means no | ||
if (ssh.permitRootLogin == "forced-command" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be "forced-commands-only"
then false | ||
else | ||
builtins.trace ("Cannot handle openssh.permitRootLogin" | ||
+ " = ${ssh.permitRootLogin} in determining if it" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add quotes around "${ssh.permitRootLogin}"
message = '' | ||
No account can log in at the console or over SSH. Please set |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This line seem to be unfinished
|| cfg.openssh.authorizedKeys.keys != [] | ||
|| cfg.openssh.authorizedKeys.keyFiles != []) | ||
) cfg.users); | ||
(let |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIUC, this assertion can not be accurate if security.sudo.configFile
is overwritten or security.sudo.extraConfig
is set. I see two options:
- print a warning if that's the case and do not check anything;
- still check things, but add an explicit "breakglass" option to disable this assertion.
@@ -114,6 +114,8 @@ in | |||
|
|||
permitRootLogin = mkOption { | |||
default = "prohibit-password"; | |||
# When changing the allowed types, you must also update |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/the allowed types/the allowed values/
Currently this PR performs tests purely based on the state of configuration, without access to actual disk. This means it won't be able to work accurately for #4990 in a corner case if a |
Motivation for this change
Another user got locked out by setting mutableUsers to false... This extends the check, and adds tests for it. Yikes!