Unverified Commit f6954309 authored by Maximilian Bosch's avatar Maximilian Bosch
Browse files

nixos/users-groups: warn on ambiguous password settings 

After 4b128008 it took me a while in a
test setup to find out why `root` didn't have the password anymore I
declared in my config.

Because of that I got reminded how the order of preference works for the
password options:

    hashedPassword > password > hashedPasswordFile

If the user is new, initialPassword & initialHashedPassword are also
relevant. Also, the override is silent in contrast to any other
conflicting definition in NixOS.

To make this less surprising I decided to warn in such a case -
assertions would probably break too much that technically works as
intended.

Also removed the `initialHashedPassword` for `root`. This would cause a
warning whenever you set something in your own config and a `!` is added
automatically by `users-groups.pl`.

`systemd-sysusers` also seems to implement these precedence rules, so
having the warning for that case also seems useful.
parent a5d28c9b

nixos/modules/config/users-groups.nix

+20 −2
Original line number Diff line number Diff line
@@ -649,7 +649,6 @@ in { 
        home = "/root";

        shell = mkDefault cfg.defaultUserShell;

        group = "root";

        initialHashedPassword = mkDefault "!";

      };

      nobody = {

        uid = ids.uids.nobody;
@@ -897,7 +896,26 @@ in { 
    ));



    warnings =

      builtins.filter (x: x != null) (

      flip concatMap (attrValues cfg.users) (user: let

        unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([

          user.hashedPassword

          user.hashedPasswordFile

          user.password

        ] ++ optionals cfg.mutableUsers [

          # For immutable users, initialHashedPassword is set to hashedPassword,

          # so using these options would always trigger the assertion.

          user.initialHashedPassword

          user.initialPassword

        ]));

      in optional (!unambiguousPasswordConfiguration) ''

        The user '${user.name}' has multiple of the options

        `hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`

        & `initialHashedPassword` set to a non-null value.

        The options silently discard others by the order of precedence

        given above which can lead to surprising results. To resolve this warning,

        set at most one of the options above to a non-`null` value.

      '')

      ++ builtins.filter (x: x != null) (

        flip mapAttrsToList cfg.users (_: user:

        # This regex matches a subset of the Modular Crypto Format (MCF)[1]

        # informal standard. Since this depends largely on the OS or the