From b1b67e980a9a8e6227d5f71f8b036e17c7716f0d Mon Sep 17 00:00:00 2001
From: netali
Date: Fri, 1 Dec 2023 14:04:45 +0100
Subject: [PATCH 1/4] nixos/mysql-auth: fix passwords in config files
---
nixos/modules/config/mysql.nix | 57 +++++++++++++++++++++-------------
1 file changed, 35 insertions(+), 22 deletions(-)
diff --git a/nixos/modules/config/mysql.nix b/nixos/modules/config/mysql.nix
index 95c9ba76663ea..4f72d22c4f0ec 100644
--- a/nixos/modules/config/mysql.nix
+++ b/nixos/modules/config/mysql.nix
@@ -6,6 +6,8 @@ let cfg = config.users.mysql; in { + meta.maintainers = [ maintainers.netali ]; + options = { users.mysql = { enable = mkEnableOption (lib.mdDoc "Authentication against a MySQL/MariaDB database");
@@ -358,7 +360,7 @@ in user = "root"; group = "root"; mode = "0600"; - # password will be added from password file in activation script + # password will be added from password file in systemd oneshot text = '' users.host=${cfg.host} users.db_user=${cfg.user}
@@ -423,34 +425,45 @@ in mode = "0600"; user = config.services.nscd.user; group = config.services.nscd.group; - # password will be added from password file in activation script + # password will be added from password file in systemd oneshot text = '' username ${cfg.user} ''; }; - # preStart script to append the password from the password file - # to the configuration files. It also fixes the owner of the - # libnss-mysql-root.cfg because it is changed to root after the - # password is appended. - systemd.services.mysql.preStart = '' - if [[ -r ${cfg.passwordFile} ]]; then - org_umask=$(umask) - umask 0077 + systemd.services.mysql-auth-pw-init = { + description = "Adds the mysql password to the mysql auth config files"; + + before = [ "nscd.service" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "oneshot"; + User = "root"; + Group = "root"; + }; - conf_nss="$(mktemp)" - cp /etc/libnss-mysql-root.cfg $conf_nss - printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss - mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg - chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg + restartTriggers = [ + config.environment.etc."security/pam_mysql.conf".source + config.environment.etc."libnss-mysql.cfg".source + config.environment.etc."libnss-mysql-root.cfg".source + ]; - conf_pam="$(mktemp)" - cp /etc/security/pam_mysql.conf $conf_pam - printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam - mv -fT "$conf_pam" /etc/security/pam_mysql.conf + script = '' + if [[ -r ${cfg.passwordFile} ]]; then + umask 0077 + conf_nss="$(mktemp)" + cp /etc/libnss-mysql-root.cfg $conf_nss + printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss + mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg + chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg - umask $org_umask - fi - ''; + conf_pam="$(mktemp)" + cp /etc/security/pam_mysql.conf $conf_pam + printf 
'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam + mv -fT "$conf_pam" /etc/security/pam_mysql.conf + fi + ''; + }; }; }
From 22b5fecd98c2af980c787e03ea98ead70f7d5a01 Mon Sep 17 00:00:00 2001
From: netali
Date: Sat, 2 Dec 2023 20:18:30 +0100
Subject: [PATCH 2/4] nixos/tests/auth-mysql: fix test
---
nixos/tests/auth-mysql.nix | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nixos/tests/auth-mysql.nix b/nixos/tests/auth-mysql.nix
index 0ed4b050a69a4..77a69eb1cd581 100644
--- a/nixos/tests/auth-mysql.nix
+++ b/nixos/tests/auth-mysql.nix
@@ -84,7 +84,7 @@ in getpwuid = '' SELECT name, 'x', uid, gid, name, CONCAT('/home/', name), "/run/current-system/sw/bin/bash" \ FROM users \ - WHERE id=%1$u \ + WHERE uid=%1$u \ LIMIT 1 ''; getspnam = ''
@@ -140,6 +140,7 @@ in machine.wait_for_unit("multi-user.target") machine.wait_for_unit("mysql.service") + machine.wait_until_succeeds("cat /etc/security/pam_mysql.conf | grep users.db_passwd") machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'") with subtest("Local login"):
From ac3352a65c67adcd2d75d461b31ba02234394180 Mon Sep 17 00:00:00 2001
From: netali
Date: Sat, 2 Dec 2023 21:05:39 +0100
Subject: [PATCH 3/4] pam_mysql: add test
---
pkgs/os-specific/linux/pam_mysql/default.nix | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/pkgs/os-specific/linux/pam_mysql/default.nix b/pkgs/os-specific/linux/pam_mysql/default.nix
index 036d4b20cb4c5..1088d8abe7a63 100644
--- a/pkgs/os-specific/linux/pam_mysql/default.nix
+++ b/pkgs/os-specific/linux/pam_mysql/default.nix
@@ -1,4 +1,15 @@ -{ lib, stdenv, fetchFromGitHub, meson, ninja, pam, pkg-config, libmysqlclient, mariadb, libxcrypt }: +{ lib +, nixosTests +, stdenv +, fetchFromGitHub +, meson +, ninja +, pam +, pkg-config +, libmysqlclient +, mariadb +, libxcrypt +}: stdenv.mkDerivation rec { pname = "pam_mysql";
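Review bot: The script in `systemd.services.mysql-auth-pw-init` appends the credential line unconditionally, and because of the new `restartTriggers` the oneshot is re-run on every switch that changes one of the three files; whether the /etc copies are regenerated before that rerun is not visible here, so if a previous run's copy survives, the file ends up with a second `password` / `users.db_passwd` line. Guarding each append makes the unit idempotent, e.g. `grep -q '^password ' "$conf_nss" || printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> "$conf_nss"` and the same with `'^users.db_passwd='` for `$conf_pam`. The `[[ -r ${cfg.passwordFile} ]]` branch also exits successfully and leaves both files without a credential when the password file is missing or unreadable, which only surfaces later as authentication failures; an `else echo "${cfg.passwordFile} is not readable" >&2; exit 1` branch (or at least a logged warning) would make that misconfiguration visible in the unit status. `$conf_nss` and `$conf_pam` are unquoted on the `cp` and `>>` lines but quoted on `mv`; quoting them consistently is a small style point. The module's enclosing attribute set starts before the hunk.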
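Review bot: The new `wait_until_succeeds` only confirms that a `users.db_passwd` line reached `/etc/security/pam_mysql.conf`; it checks neither `/etc/libnss-mysql-root.cfg`, which the same oneshot rewrites and chowns, nor that the mode stayed `0600`, which is the property that keeps the appended password away from other local users. A tighter check would be `machine.wait_until_succeeds("grep -q '^users.db_passwd=' /etc/security/pam_mysql.conf")` followed by `machine.succeed("stat -c '%a %U' /etc/security/pam_mysql.conf | grep -qx '600 root'")`, plus the corresponding `^password ` line and nscd-owner check on the nss root file. The `cat … | grep` form is also a style nit, since `grep` can read the file directly. The test script this hunk belongs to starts and ends outside the hunk.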
@@ -14,6 +25,10 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ meson pkg-config ninja ]; buildInputs = [ pam libmysqlclient mariadb libxcrypt ]; + passthru.tests = { + inherit (nixosTests) auth-mysql; + }; + meta = with lib; { description = "PAM authentication module against a MySQL database"; homepage = "https://github.com/NigelCunningham/pam-MySQL";
From c0b2326892f6f2468522b2062745e8d1cd1fae09 Mon Sep 17 00:00:00 2001
From: netali
Date: Sat, 2 Dec 2023 21:07:31 +0100
Subject: [PATCH 4/4] libnss-mysql: add test
---
pkgs/os-specific/linux/libnss-mysql/default.nix | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/pkgs/os-specific/linux/libnss-mysql/default.nix b/pkgs/os-specific/linux/libnss-mysql/default.nix
index 77e629b03074d..1333128011191 100644
--- a/pkgs/os-specific/linux/libnss-mysql/default.nix
+++ b/pkgs/os-specific/linux/libnss-mysql/default.nix
@@ -1,4 +1,11 @@ -{ lib, stdenv, fetchFromGitHub, autoreconfHook, which, libmysqlclient }: +{ lib +, nixosTests +, stdenv +, fetchFromGitHub +, autoreconfHook +, which +, libmysqlclient +}: stdenv.mkDerivation rec { pname = "libnss-mysql";
@@ -20,6 +27,10 @@ stdenv.mkDerivation rec { rm -r $out/etc ''; + passthru.tests = { + inherit (nixosTests) auth-mysql; + }; + meta = with lib; { description = "MySQL module for the Solaris Nameservice Switch (NSS)"; homepage = "https://github.com/saknopper/libnss-mysql";