Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/systemd-sysusers: silently ignores password and hashedPassword #307159

Closed
Princemachiavelli opened this issue Apr 27, 2024 · 4 comments · Fixed by #328926
Closed

nixos/systemd-sysusers: silently ignores password and hashedPassword #307159

Princemachiavelli opened this issue Apr 27, 2024 · 4 comments · Fixed by #328926
Labels
0.kind: bug Something is broken

Comments

@Princemachiavelli
Copy link
Contributor

Princemachiavelli commented Apr 27, 2024

Describe the bug

If systemd.sysusers.enable is used with users having passwords set by hashedPassword, the defined password is ignored and the users are provisioned as password-less (i.e "disabled").

Steps To Reproduce

Steps to reproduce the behavior:

  1. Enable systemd.sysusers.enable
  2. Enable disable users.mutableUsers or enable system.etc.overlay.enable. (I only tested via mutableUsers=false).
  3. Test new config (careful!)
  4. No user will be able to login via password - including root.

Expected behavior

Users should retain existing password configured via hashedPassword.

The existing users-groups module (./nixos/modules/config/users-groups.nix) actually sets the default opposite of what the new systemd-sysusers module expects. users-groups sets hashedPassword and password based on the initialHashedPassword and initialPassword values while systemd-sysusers only looks in the initial* values. systemd-sysfiles should just look at hasedPassword and password.

The assertions that prevent building a config without any login-able user (locally or via SSH) should be reviewed. I believe they were not triggered because while I did have an SSH public key configured via Nix - the config does not have an SSH server enabled.

@Princemachiavelli Princemachiavelli added the 0.kind: bug Something is broken label Apr 27, 2024
@Princemachiavelli
Copy link
Contributor Author

Also, the default UID of users does not start at 1000 and often results in an UID < 1000. systemd-sysusers doesn't really implement a distinction for isSystemUser or isNormalUser since it's intended to be used only for system users.

One option is to run systemd-sysusers twice; once for "normal" users and once for "system" users. In each call set the range of allowed UID/GID values via the r line option. I think just setting the r line type once will restrict all (dynamic) UID/GID allocations.

@poscat0x04
Copy link
Contributor

@Princemachiavelli Hi do you mind creating a separate issue for the UID issue? These are orthogonal and I think are better off tracked separately.

@con-f-use
Copy link
Contributor

#318365 for cross-reference.

@con-f-use con-f-use mentioned this issue Jun 8, 2024
13 tasks
@devurandom
Copy link
Contributor

Also, the default UID of users does not start at 1000 and often results in an UID < 1000. systemd-sysusers doesn't really implement a distinction for isSystemUser or isNormalUser since it's intended to be used only for system users.

This affects even manually specified uids: They are ignored and instead a random uid <1000 is assigned.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
0.kind: bug Something is broken
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants