installer: Don't run as root

There are many reasons why it is and is going to
continue to be difficult to do this:

1. All display-managers' (excluding slim) default PAM rules
disallow root auto login.

2. We can't use wayland

3. We have to use system-wide pulseaudio

4. It could break applications in the session.
This happened to dolphin in plasma5
in the past.

This is a growing technical debt, let's just use
passwordless sudo.

+60 -22
+7 -6
nixos/doc/manual/installation/installing.xml
··· 29 </para> 30 31 <para> 32 - You are logged-in automatically as <literal>root</literal>. (The 33 - <literal>root</literal> user account has an empty password.) 34 </para> 35 36 <para> 37 If you downloaded the graphical ISO image, you can run <command>systemctl 38 - start display-manager</command> to start KDE. If you want to continue on the 39 terminal, you can use <command>loadkeys</command> to switch to your 40 preferred keyboard layout. (We even provide neo2 via <command>loadkeys de 41 neo</command>!) ··· 65 66 <para> 67 If you would like to continue the installation from a different machine you 68 - need to activate the SSH daemon via <literal>systemctl start 69 - sshd</literal>. In order to be able to login you also need to set a 70 - password for <literal>root</literal> using <literal>passwd</literal>. 71 </para> 72 </section> 73 </section>
··· 29 </para> 30 31 <para> 32 + You are logged-in automatically as <literal>nixos</literal>. 33 + The <literal>nixos</literal> user account has an empty password so you 34 + can use <command>sudo</command> without a password. 35 </para> 36 37 <para> 38 If you downloaded the graphical ISO image, you can run <command>systemctl 39 + start display-manager</command> to start the desktop environment. If you want to continue on the 40 terminal, you can use <command>loadkeys</command> to switch to your 41 preferred keyboard layout. (We even provide neo2 via <command>loadkeys de 42 neo</command>!) ··· 66 67 <para> 68 If you would like to continue the installation from a different machine you 69 + need to activate the SSH daemon via <command>systemctl start 70 + sshd</command>. You then must set a password for either <literal>root</literal> or 71 + <literal>nixos</literal> with <command>passwd></command> to be able to login. 72 </para> 73 </section> 74 </section>
+6
nixos/doc/manual/release-notes/rl-1909.xml
··· 42 set up binfmt interpreters for each of those listed systems. 43 </para> 44 </listitem> 45 </itemizedlist> 46 </section> 47
··· 42 set up binfmt interpreters for each of those listed systems. 43 </para> 44 </listitem> 45 + <listitem> 46 + <para> 47 + The installer now uses a less privileged <literal>nixos</literal> user whereas before we logged in as root. 48 + To gain root privileges use <literal>sudo -i</literal> without a password. 49 + </para> 50 + </listitem> 51 </itemizedlist> 52 </section> 53
+16 -3
nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix
··· 8 { 9 imports = [ ./installation-cd-base.nix ]; 10 11 services.xserver = { 12 enable = true; 13 14 # Don't start the X server by default. 15 autorun = mkForce false; 16 17 - # Automatically login as root. 18 displayManager.slim = { 19 enable = true; 20 - defaultUser = "root"; 21 autoLogin = true; 22 }; 23 ··· 33 34 # Enable sound in graphical iso's. 35 hardware.pulseaudio.enable = true; 36 - hardware.pulseaudio.systemWide = true; # Needed since we run plasma as root. 37 38 environment.systemPackages = [ 39 # Include gparted for partitioning disks.
··· 8 { 9 imports = [ ./installation-cd-base.nix ]; 10 11 + # Whitelist wheel users to do anything 12 + # This is useful for things like pkexec 13 + # 14 + # WARNING: this is dangerous for systems 15 + # outside the installation-cd and shouldn't 16 + # be used anywhere else. 17 + security.polkit.extraConfig = '' 18 + polkit.addRule(function(action, subject) { 19 + if (subject.isInGroup("wheel")) { 20 + return polkit.Result.YES; 21 + } 22 + }); 23 + ''; 24 + 25 services.xserver = { 26 enable = true; 27 28 # Don't start the X server by default. 29 autorun = mkForce false; 30 31 + # Automatically login as nixos. 32 displayManager.slim = { 33 enable = true; 34 + defaultUser = "nixos"; 35 autoLogin = true; 36 }; 37 ··· 47 48 # Enable sound in graphical iso's. 49 hardware.pulseaudio.enable = true; 50 51 environment.systemPackages = [ 52 # Include gparted for partitioning disks.
+11 -6
nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
··· 1 # This module defines a NixOS installation CD that contains X11 and 2 - # Plasma5. 3 4 { config, lib, pkgs, ... }: 5 ··· 30 Version=1.0 31 Type=Application 32 Name=NixOS Manual 33 - Exec=firefox ${config.system.build.manual.manualHTMLIndex} 34 Icon=text-html 35 ''; 36 37 in '' 38 - mkdir -p /root/Desktop 39 - ln -sfT ${manualDesktopFile} /root/Desktop/nixos-manual.desktop 40 - ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop 41 - ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop 42 ''; 43 44 }
··· 1 # This module defines a NixOS installation CD that contains X11 and 2 + # Plasma 5. 3 4 { config, lib, pkgs, ... }: 5 ··· 30 Version=1.0 31 Type=Application 32 Name=NixOS Manual 33 + Exec=firefox ${config.system.build.manual.manual}/share/doc/nixos/index.html 34 Icon=text-html 35 ''; 36 37 + homeDir = "/home/nixos/"; 38 + desktopDir = homeDir + "Desktop/"; 39 + 40 in '' 41 + mkdir -p ${desktopDir} 42 + chown nixos ${homeDir} ${desktopDir} 43 + 44 + ln -sfT ${manualDesktopFile} ${desktopDir + "nixos-manual.desktop"} 45 + ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop ${desktopDir + "gparted.desktop"} 46 + ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop ${desktopDir + "org.kde.konsole.desktop"} 47 ''; 48 49 }
+20 -7
nixos/modules/profiles/installation-device.nix
··· 32 #services.rogue.enable = true; 33 34 # Disable some other stuff we don't need. 35 - security.sudo.enable = mkDefault false; 36 services.udisks2.enable = mkDefault false; 37 38 # Automatically log in at the virtual consoles. 39 - services.mingetty.autologinUser = "root"; 40 41 # Some more help text. 42 services.mingetty.helpLine = 43 '' 44 45 - The "root" account has an empty password. ${ 46 optionalString config.services.xserver.enable 47 - "Type `systemctl start display-manager' to\nstart the graphical user interface."} 48 ''; 49 50 # Allow sshd to be started manually through "systemctl start sshd". ··· 86 # because we have the firewall enabled. This makes installs from the 87 # console less cumbersome if the machine has a public IP. 88 networking.firewall.logRefusedConnections = mkDefault false; 89 - 90 - # Allow the user to log in as root without a password. 91 - users.users.root.initialHashedPassword = ""; 92 }; 93 }
··· 32 #services.rogue.enable = true; 33 34 # Disable some other stuff we don't need. 35 services.udisks2.enable = mkDefault false; 36 37 + # Use less privileged nixos user 38 + users.users.nixos = { 39 + isNormalUser = true; 40 + extraGroups = [ "wheel" "networkmanager" "video" ]; 41 + # Allow the graphical user to login without password 42 + initialHashedPassword = ""; 43 + }; 44 + 45 + # Allow the user to log in as root without a password. 46 + users.users.root.initialHashedPassword = ""; 47 + 48 + # Allow passwordless sudo from nixos user 49 + security.sudo = { 50 + enable = mkDefault true; 51 + wheelNeedsPassword = mkForce false; 52 + }; 53 + 54 # Automatically log in at the virtual consoles. 55 + services.mingetty.autologinUser = "nixos"; 56 57 # Some more help text. 58 services.mingetty.helpLine = 59 '' 60 61 + The "nixos" and "root" account have empty passwords. ${ 62 optionalString config.services.xserver.enable 63 + "Type `sudo systemctl start display-manager' to\nstart the graphical user interface."} 64 ''; 65 66 # Allow sshd to be started manually through "systemctl start sshd". ··· 102 # because we have the firewall enabled. This makes installs from the 103 # console less cumbersome if the machine has a public IP. 104 networking.firewall.logRefusedConnections = mkDefault false; 105 }; 106 }
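Review bot: in nixos/doc/manual/installation/installing.xml, the added line 71 reads `<command>passwd></command>`; the stray `>` after passwd will show up in the rendered manual and should be dropped. The same file still tells the reader to run `systemctl start display-manager` and `systemctl start sshd` without sudo, while the help line in installation-device.nix was changed to `sudo systemctl start display-manager`. Now that the login user is nixos, the manual should use the sudo form as well.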
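Review bot: in nixos/doc/manual/release-notes/rl-1909.xml, the new list item describes nixos as "less privileged" but omits that root keeps an empty password (installation-device.nix still sets `users.users.root.initialHashedPassword = "";`) and that wheel gets passwordless sudo. A sentence saying so would keep people who build custom images from this profile from assuming the installer is hardened. The item also marks up `sudo -i` with `<literal>` where installing.xml in this same change switches to `<command>`; using `<command>` here would be consistent.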
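Review bot: in nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix, the polkit rule returns `polkit.Result.YES` for every action once `subject.isInGroup("wheel")` is true, with no check on the action at all. The WARNING comment is welcome, but it should also state that the rule is only acceptable because the sole wheel member is the nixos user defined in installation-device.nix, so that anyone adding users to a derived image sees the consequence. If pkexec is the only motivation, as the comment suggests, it is worth noting that here too.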
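Review bot: in nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix, `homeDir = "/home/nixos/";` hard-codes the home path instead of taking it from the user definition, so the desktop links silently go to the wrong place if the account's home is ever changed; deriving it from `config.users.users.nixos.home` would keep the two in sync. `chown nixos ${homeDir} ${desktopDir}` also sets only the owner and leaves the group as root, which is worth either fixing or explaining. Separately, the `Exec=firefox` change from `manualHTMLIndex` to `manual.manual}/share/doc/nixos/index.html` is not mentioned in the commit message and looks unrelated to dropping root; it should be called out or split into its own commit.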
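Review bot: in nixos/modules/profiles/installation-device.nix, `security.sudo.enable` is set with mkDefault while `wheelNeedsPassword` is set with mkForce and the console autologin user is now nixos. A derived configuration that sets `security.sudo.enable = false` would leave the autologin user without sudo while the help line still tells them to type `sudo systemctl start display-manager`. Either make enable as strong as the rest or document the dependency. Smaller points: the help line should read "accounts have empty passwords", and the comment "Allow the graphical user to login without password" is misleading, since the same nixos account is also used for the virtual console autologin.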