Commit f2c5970a authored by Nikolay Amiantov's avatar Nikolay Amiantov

users-groups service: add autoSubUidGidRange option

Previously we allocated subuids automatically for all normal users.
Make this explicitly configurable, so that one can use this for system
users too (or explicitly disable for normal users). Also don't allocate
automatically by default if a user already has ranges specified statically.
parent 95e4f1ef
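--- a/PATH_NOT_ON_PAGE_release-notes-docbook
+++ b/PATH_NOT_ON_PAGE_release-notes-docbook
@@ -228,6 +228,15 @@
           to your configuration.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          Normal users (with <literal>isNormalUser = true</literal>)
+          which have non-empty <literal>subUidRanges</literal> or
+          <literal>subGidRanges</literal> set no longer have additional
+          implicit ranges allocated. To enable automatic allocation back
+          set <literal>autoSubUidGidRange = true</literal>.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-22.05-notable-changes">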
+2 −0
@@ -77,6 +77,8 @@ In addition to numerous new and upgraded packages, this release has the followin

- `documentation.man` has been refactored to support choosing a man implementation other than GNU's `man-db`. For this, `documentation.man.manualPages` has been renamed to `documentation.man.man-db.manualPages`. If you want to use the new alternative man implementation `mandoc`, add `documentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; }` to your configuration.

- Normal users (with `isNormalUser = true`) which have non-empty `subUidRanges` or `subGidRanges` set no longer have additional implicit ranges allocated. To enable automatic allocation back set `autoSubUidGidRange = true`.

## Other Notable Changes {#sec-release-22.05-notable-changes}

- The option [services.redis.servers](#opt-services.redis.servers) was added
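--- a/PATH_NOT_ON_PAGE_update-users-groups-script
+++ b/PATH_NOT_ON_PAGE_update-users-groups-script
@@ -351,7 +351,7 @@ foreach my $u (values %usersOut) {
         push @subGids, $value;
     }
 
-    if($u->{isNormalUser}) {
+    if($u->{autoSubUidGidRange}) {
         my $subordinate = allocSubUid($name);
         $subUidMap->{$name} = $subordinate;
         my $value = join(":", ($name, $subordinate, 65536));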
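Review bot: The allocation behind the new `if($u->{autoSubUidGidRange})` condition runs even when the same user has static ranges pushed into @subUids/@subGids just above it, and nothing in the hunk checks that the range returned by allocSubUid does not overlap those static entries. The Nix module only switches the automatic default off when static ranges are present; an explicit `autoSubUidGidRange = true` alongside static ranges is still accepted, so unless allocSubUid already skips statically used intervals (it is outside the hunk, so I cannot tell) two users could end up mapped onto the same subordinate ids. Worth either an explicit overlap check here or a comment such as `# NOTE: allocSubUid must not hand out ids already covered by any user's static subUidRanges/subGidRanges` pinning that expectation. The enclosing foreach starts before the hunk.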
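--- a/PATH_NOT_ON_PAGE_users-groups-module
+++ b/PATH_NOT_ON_PAGE_users-groups-module
@@ -204,6 +204,16 @@ let
         '';
       };
 
+      autoSubUidGidRange = mkOption {
+        type = types.bool;
+        default = false;
+        example = true;
+        description = ''
+          Automatically allocate subordinate user and group ids for this user.
+          Allocated range is currently always of size 65536.
+        '';
+      };
+
       createHome = mkOption {
         type = types.bool;
         default = false;
@@ -320,6 +330,9 @@ let
         (mkIf (!cfg.mutableUsers && config.initialHashedPassword != null) {
           hashedPassword = mkDefault config.initialHashedPassword;
         })
+        (mkIf (config.isNormalUser && config.subUidRanges == [] && config.subGidRanges == []) {
+          autoSubUidGidRange = mkDefault true;
+        })
       ];
 
   };
@@ -419,7 +432,7 @@ let
       { inherit (u)
           name uid group description home createHome isSystemUser
           password passwordFile hashedPassword
-          isNormalUser subUidRanges subGidRanges
+          autoSubUidGidRange subUidRanges subGidRanges
           initialPassword initialHashedPassword;
         shell = utils.toShellPath u.shell;
       }) cfg.users;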
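Review bot: The description of the new `autoSubUidGidRange` option in the first hunk says nothing about the conditional default added in the second hunk, so a reader of `default = false` will not learn that normal users without static ranges get `mkDefault true`. Suggest extending the description with a sentence like `Defaults to true for normal users (isNormalUser = true) that have neither subUidRanges nor subGidRanges set; set it explicitly to override.` It would also help to state there whether the automatically allocated range is guaranteed not to overlap any statically configured ranges, since the module accepts both being set at once. The third hunk only forwards the new attribute to the update script.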