Unverified Commit e7e8ad1e authored by Tom Butler's avatar Tom Butler Committed by GitHub

nixos: Set home directory parent tree permissions to 0755

When the user's home directory is created using `createHome` e.g.

```
users.users.alice = {
    home = "/users/alice";
    createHome = true;
};
```

The `/users` directory was created with the same permissions as `/users/alice`, `0700` by default.

The parent directory `/users` permissions results in `createHome` creating a home directory that is inaccessible to the user:

```
$ su alice
$ cd /user/alice
cd: permission denied: /users/alice
```

The underlying cause is `make_path($u->{home}, { mode => oct($u->{homeMode}) })`, which in the example above sets `/users` to `0700`. Instead it should be `0755`, like other system directories `/var`, `/dev`, etc.
parent 0a19ea8f
+1 −1
@@ -234,7 +234,7 @@ foreach my $u (@{$spec->{users}}) {

    # Ensure home directory incl. ownership and permissions.
    if ($u->{createHome} and !$is_dry) {
        make_path($u->{home}, { mode => oct($u->{homeMode}) }) if ! -e $u->{home};
        make_path($u->{home}, { mode => 0755 }) if ! -e $u->{home};
        chown $u->{uid}, $u->{gid}, $u->{home};
        chmod oct($u->{homeMode}), $u->{home};
    }
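Review bot: The new `make_path($u->{home}, { mode => 0755 })` applies 0755 to the home directory itself as well as to its parents, so a freshly created home is world-searchable until the `chmod oct($u->{homeMode})` two lines later narrows it, and a directory handle opened by another local user in that window stays readable afterwards. Creating only the parents with 0755 and the leaf with its final mode closes the window: `make_path(dirname($u->{home}), { mode => 0755 });` followed by `mkdir $u->{home}, oct($u->{homeMode}) if ! -e $u->{home};` (`dirname` comes from File::Basename, which may need importing, since the script's `use` lines are outside the hunk). The results of `chown` and `chmod` are also unchecked, so a failure would leave the directory at its creation mode without any message. The enclosing `foreach` starts and ends outside the hunk.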
+8 −0
@@ -12,6 +12,12 @@ import ./make-test-python.nix ({ lib, ... }: {
      isNormalUser = true;
      homeMode = "750";
    };
    users.users.carol = {
      initialPassword = "pass3";
      isNormalUser = true;
      createHome = true;
      home = "/users/carol";
    };
  };

  testScript = ''
@@ -23,5 +29,7 @@ import ./make-test-python.nix ({ lib, ... }: {
    machine.send_chars("pass1\n")
    machine.succeed('[ "$(stat -c %a /home/alice)" == "700" ]')
    machine.succeed('[ "$(stat -c %a /home/bob)" == "750" ]')
    machine.succeed('[ "$(stat -c %a /users)" == "755" ]')
    machine.succeed('[ "$(stat -c %a /users/carol)" == "700" ]')
  '';
})
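Review bot: The assertions added in the second hunk check only the mode bits of `/users` and `/users/carol`, not the symptom the commit fixes nor who owns the newly created parent directory. I would add `machine.succeed('[ "$(stat -c %U:%G /users)" == "root:root" ]')` (presumably root, since only the leaf is chowned) so that a 0755 parent owned by the wrong account is caught, and a check run as carol such as `machine.succeed("su carol -c 'cd /users/carol'")` to pin that she can actually reach her home. The earlier part of `testScript` lies outside the hunks, so an equivalent check may already exist there.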