tobias/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-11-10 17:54:53 +01:00
Code Issues Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/system/boot/systemd/userdbd.nix
andre4ik3 8fdcd28f9d
nixos/systemd/userdbd: add warning for system users >= UID 1000 
When a disposition is not set in a user record, systemd determines user
disposition depending on the range the user's UID falls in. For system
users with UIDs above 1000, this will cause them to be incorrectly
identified as "regular" users.

This will cause `userctl` to report the user as a regular user, and more
importantly, `systemd-homed` will not run the first boot user creation
flow, as regular users are already present on the machine (when they are
really system users).

The most common source of high UID system users will undoubtedly be Nix
build users, so the warning provides additional guidance on how to
remove them or adjust their IDs to be within the system range.

The warning is shown only when userdbd/homed is enabled, and the option
to hide the warning is deliberately hidden, to ensure users will have to
read and acknowledge the warning before proceeding, as otherwise users
could end up deploying an OS with no users and no way of creating one
due to the first boot flow being skipped.
2025-08-15 16:17:58 +00:00

85 lines
3.1 KiB
Nix
Raw Blame History

{ config, lib, ... }:
let
cfg = config.services.userdbd;
# List of system users that will be incorrectly treated as regular/normal
# users by userdb.
highSystemUsers = lib.filter (
user: user.enable && user.isSystemUser && (lib.defaultTo 0 user.uid) >= 1000 && user.uid != 65534
) (lib.attrValues config.users.users);
in
{
options.services.userdbd = {
enable = lib.mkEnableOption ''
the systemd JSON user/group record lookup service
'';
enableSSHSupport = lib.mkEnableOption ''
exposing OpenSSH public keys defined in userdb. Be aware that this
enables modifying public keys at runtime, either by users managed by
{option}`services.homed`, or globally via drop-in files
'';
silenceHighSystemUsers = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = "Silence warning about system users with high UIDs.";
visible = false;
};
};
config = lib.mkIf cfg.enable {
assertions = lib.singleton {
assertion = cfg.enableSSHSupport -> config.security.enableWrappers;
message = "OpenSSH userdb integration requires security wrappers.";
};
warnings = lib.optional (lib.length highSystemUsers > 0 && !cfg.silenceHighSystemUsers) ''
The following system users have UIDs higher than 1000:
${lib.concatLines (lib.map (user: user.name) highSystemUsers)}
These users will be recognized by systemd-userdb as "regular" users, not
"system" users. This will affect programs that query regular users, such
as systemd-homed, which will not run the first boot user creation flow,
as regular users already exist.
To fix this issue, please remove or redefine these system users to have
UIDs below 1000. For Nix build users, it's possible to adjust the base
build user ID using the `ids.uids.nixbld` option, however care must be
taken to avoid collisions with UIDs of other services. Alternatively, you
may enable the `auto-allocate-uids` experimental feature and option in
the Nix configuration to avoid creating these users, however please note
that this option is experimental and subject to change.
Alternatively, to acknowledge and silence this warning, set
`services.userdbd.silenceHighSystemUsers` to true.
'';
systemd.additionalUpstreamSystemUnits = [
"systemd-userdbd.socket"
"systemd-userdbd.service"
];
systemd.sockets.systemd-userdbd.wantedBy = [ "sockets.target" ];
# OpenSSH requires AuthorizedKeysCommand to be owned only by root.
# Referencing `userdbctl` directly from the Nix store won't work, as
# `/nix/store` is owned by the `nixbld` group.
security.wrappers = lib.mkIf cfg.enableSSHSupport {
userdbctl = {
owner = "root";
group = "root";
source = lib.getExe' config.systemd.package "userdbctl";
};
};
services.openssh = lib.mkIf cfg.enableSSHSupport {
authorizedKeysCommand = "/run/wrappers/bin/userdbctl ssh-authorized-keys %u";
authorizedKeysCommandUser = "root";
};
};
}
Reference in a new issue View git blame Copy permalink