Merge pull request #133006 from nberlee/pam-mk-homedir-umask

nixos/pam: pam_mkhomedir umask to 0077

authored by Aaron Andersen and committed by GitHub ecb6c351 a97d32da

+11 -1
+8
nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
··· 1851 1851 </listitem> 1852 1852 </itemizedlist> 1853 1853 </listitem> 1854 + <listitem> 1855 + <para> 1856 + <literal>security.pam.services.&lt;name&gt;.makeHomeDir</literal> 1857 + now uses <literal>umask=0077</literal> instead of 1858 + <literal>umask=0022</literal> when creating the home 1859 + directory. 1860 + </para> 1861 + </listitem> 1854 1862 </itemizedlist> 1855 1863 </section> 1856 1864 </section>
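Review bot: this file lives under from_md and is generated from the Markdown release notes, so the DocBook entry should come from re-running the doc build rather than a hand edit; the rendered text here does match the new Markdown item (option name, old and new umask), which is what to check when the generator runs.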
+2
nixos/doc/manual/release-notes/rl-2111.section.md
··· 514 514 - The `services.unifi.dataDir` option is removed and the data is now always located under `/var/lib/unifi/data`. This is done to make better use of systemd state direcotiry and thus making the service restart more reliable. 515 515 - The unifi logs can now be found under: `/var/log/unifi` instead of `/var/lib/unifi/logs`. 516 516 - The unifi run directory can now be found under: `/run/unifi` instead of `/var/lib/unifi/run`. 517 + 518 + - `security.pam.services.<name>.makeHomeDir` now uses `umask=0077` instead of `umask=0022` when creating the home directory.
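Review bot: the new release-note entry states the umask change but not its consequence for users reading the notes; suggest one more clause saying that home directories created by pam_mkhomedir are now mode 0700 (not readable or traversable by other users), that home directories which already exist are not re-permissioned, and that anyone relying on the previous world-readable default (for example per-user web roots) needs to adjust permissions or override the PAM line.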
+1 -1
nixos/modules/security/pam.nix
··· 483 483 if config.boot.isContainer then "optional" else "required" 484 484 } pam_loginuid.so"} 485 485 ${optionalString cfg.makeHomeDir 486 - "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"} 486 + "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077"} 487 487 ${optionalString cfg.updateWtmp 488 488 "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"} 489 489 ${optionalString config.security.pam.enableEcryptfs
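Review bot: the umask remains a hardcoded literal in the pam_mkhomedir.so session line, so the only way back to the old 0022 behaviour is to override the whole generated PAM text; since the skeleton directory is already exposed as `config.security.pam.makeHomeDir.skelDirectory`, consider a sibling option (a hypothetical `security.pam.makeHomeDir.umask` defaulting to "0077") and interpolating it here, which keeps the tightened default while leaving an explicit opt-out. The change itself is sound: 0022 is pam_mkhomedir's own default and yields 0755 home directories, while 0077 yields 0700, so only the owner and root can enter a freshly created home; the `makeHomeDir` option description should mention that resulting mode so the behaviour is discoverable without reading this line.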