Unverified Commit 4f6e508a authored by Silvan Mosberger's avatar Silvan Mosberger Committed by GitHub

nixos/users-groups: Enforce ASCII usernames and fix repeated doubling of...

nixos/users-groups: Enforce ASCII usernames and fix repeated doubling of activation script runtime (#385904)
parents fc9fd5f8 b602f868
+1 −1
@@ -376,4 +376,4 @@ foreach my $u (values %usersOut) {

updateFile("/etc/subuid", join("\n", @subUids) . "\n");
updateFile("/etc/subgid", join("\n", @subGids) . "\n");
updateFile($subUidMapFile, encode_json($subUidMap) . "\n");
updateFile($subUidMapFile, to_json($subUidMap) . "\n");
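Review bot: The `$subUidMapFile` write now uses `to_json` where the page lists `encode_json` first (presumably the old line), and nothing next to the call records why. The two differ only in output encoding: `encode_json` returns UTF-8 bytes while `to_json` returns a character string, so the new form is correct only if `updateFile` applies the UTF-8 encoding when it writes. `updateFile` is defined outside this hunk, so confirm that, and that the code reading the map back decodes symmetrically. I would add a comment above the line, e.g. `# to_json returns characters; updateFile does the UTF-8 encoding, so encode_json here would encode twice`, so a later cleanup does not revert it.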
+15 −0
@@ -951,6 +951,21 @@ in {
      }
    ] ++ flatten (flip mapAttrsToList cfg.users (name: user:
      [
        (
          let
            # Things fail in various ways with especially non-ascii usernames.
            # This regex mirrors the one from shadow's is_valid_name:
            # https://github.com/shadow-maint/shadow/blob/bee77ffc291dfed2a133496db465eaa55e2b0fec/lib/chkname.c#L68
            # though without the trailing $, because Samba 3 got its last release
            # over 10 years ago and is not in Nixpkgs anymore,
            # while later versions don't appear to require anything like that.
            nameRegex = "[a-zA-Z0-9_.][a-zA-Z0-9_.-]*";
          in
          {
            assertion = builtins.match nameRegex user.name != null;
            message = "The username \"${user.name}\" is not valid, it does not match the regex \"${nameRegex}\".";
          }
        )
        {
        assertion = (user.hashedPassword != null)
        -> (match ".*:.*" user.hashedPassword == null);
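Review bot: `nameRegex` accepts names that pass the character classes but are still hazardous: `.` and `..` match, and so does any all-digit name such as `1000`, which tools that take either a name or a numeric ID can read as a UID. The comment says the regex mirrors shadow's `is_valid_name`, but that function may apply checks beyond the character classes (worth verifying at the linked revision), and there is no length bound here either. I would tighten the assertion, e.g. `assertion = builtins.match nameRegex user.name != null && builtins.match "[0-9]+|[.][.]?" user.name == null;`, and extend `message` to mention the extra rules. The list expression these assertions belong to starts and ends outside this hunk.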