+12

nixos/modules/config/ldap.nix

··· 62 description = "Whether to enable authentication against an LDAP server."; 63 }; 64 0 0 0 0 0 0 0 0 0 0 0 0 65 server = mkOption { 66 example = "ldap://ldap.example.org/"; 67 description = "The URL of the LDAP server.";

··· 62 description = "Whether to enable authentication against an LDAP server."; 63 }; 64 65 + loginPam = mkOption { 66 + type = types.bool; 67 + default = true; 68 + description = "Whether to include authentication against LDAP in login PAM"; 69 + }; 70 + 71 + nsswitch = mkOption { 72 + type = types.bool; 73 + default = true; 74 + description = "Whether to include lookup against LDAP in NSS"; 75 + }; 76 + 77 server = mkOption { 78 example = "ldap://ldap.example.org/"; 79 description = "The URL of the LDAP server.";

+1 -1

nixos/modules/config/nsswitch.nix

··· 8 9 inherit (config.services.avahi) nssmdns; 10 inherit (config.services.samba) nsswins; 11 - ldap = config.users.ldap.enable; 12 13 in 14

··· 8 9 inherit (config.services.avahi) nssmdns; 10 inherit (config.services.samba) nsswins; 11 + ldap = (config.users.ldap.enable && config.users.ldap.nsswitch); 12 13 in 14

+5 -4

nixos/modules/security/pam.nix

··· 221 ('' 222 # Account management. 223 account sufficient pam_unix.so 224 - ${optionalString config.users.ldap.enable 225 "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"} 226 ${optionalString config.krb5.enable 227 "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} ··· 261 "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} 262 ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth 263 "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} 264 - ${optionalString config.users.ldap.enable 265 "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} 266 ${optionalString config.krb5.enable '' 267 auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass ··· 276 "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} 277 ${optionalString cfg.pamMount 278 "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} 279 - ${optionalString config.users.ldap.enable 280 "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"} 281 ${optionalString config.krb5.enable 282 "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"} ··· 296 "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"} 297 ${optionalString config.security.pam.enableEcryptfs 298 "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} 299 - ${optionalString config.users.ldap.enable 300 "session optional ${pam_ldap}/lib/security/pam_ldap.so"} 301 ${optionalString config.krb5.enable 302 "session optional ${pam_krb5}/lib/security/pam_krb5.so"} ··· 322 323 inherit (pkgs) pam_krb5 pam_ccreds; 324 0 325 pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap; 326 327 # Create a limits.conf(5) file.

··· 221 ('' 222 # Account management. 223 account sufficient pam_unix.so 224 + ${optionalString use_ldap 225 "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"} 226 ${optionalString config.krb5.enable 227 "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} ··· 261 "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} 262 ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth 263 "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} 264 + ${optionalString use_ldap 265 "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} 266 ${optionalString config.krb5.enable '' 267 auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass ··· 276 "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} 277 ${optionalString cfg.pamMount 278 "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} 279 + ${optionalString use_ldap 280 "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"} 281 ${optionalString config.krb5.enable 282 "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"} ··· 296 "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"} 297 ${optionalString config.security.pam.enableEcryptfs 298 "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} 299 + ${optionalString use_ldap 300 "session optional ${pam_ldap}/lib/security/pam_ldap.so"} 301 ${optionalString config.krb5.enable 302 "session optional ${pam_krb5}/lib/security/pam_krb5.so"} ··· 322 323 inherit (pkgs) pam_krb5 pam_ccreds; 324 325 + use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam); 326 pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap; 327 328 # Create a limits.conf(5) file.

+21 -3

pkgs/applications/networking/browsers/qutebrowser/default.nix

··· 1 - { stdenv, fetchurl, buildPythonApplication, makeQtWrapper, wrapGAppsHook 2 , qtbase, pyqt5, jinja2, pygments, pyyaml, pypeg2, glib_networking 3 , asciidoc, docbook_xml_dtd_45, docbook_xsl, libxml2, libxslt 4 , gst-plugins-base, gst-plugins-good, gst-plugins-bad, gst-plugins-ugly, gst-libav 5 , qtwebkit-plugins }: 6 7 - let version = "0.8.2"; in 0 0 0 8 9 - buildPythonApplication rec { 0 0 0 0 0 0 0 0 0 0 0 0 0 10 name = "qutebrowser-${version}"; 0 11 namePrefix = ""; 12 13 src = fetchurl { ··· 34 35 postPatch = '' 36 sed -i "s,/usr/share/qutebrowser,$out/share/qutebrowser,g" qutebrowser/utils/standarddir.py 0 37 ''; 38 39 postBuild = ''

··· 1 + { stdenv, fetchurl, unzip, buildPythonApplication, makeQtWrapper, wrapGAppsHook 2 , qtbase, pyqt5, jinja2, pygments, pyyaml, pypeg2, glib_networking 3 , asciidoc, docbook_xml_dtd_45, docbook_xsl, libxml2, libxslt 4 , gst-plugins-base, gst-plugins-good, gst-plugins-bad, gst-plugins-ugly, gst-libav 5 , qtwebkit-plugins }: 6 7 + let 8 + pdfjs = stdenv.mkDerivation rec { 9 + name = "pdfjs-${version}"; 10 + version = "1.4.20"; 11 12 + src = fetchurl { 13 + url = "https://github.com/mozilla/pdf.js/releases/download/v${version}/${name}-dist.zip"; 14 + sha256 = "1ca1fzyc5qnan6gavcd8bnfqriqqvgdsf4m8ka4nayf50k64xxj9"; 15 + }; 16 + 17 + nativeBuildInputs = [ unzip ]; 18 + 19 + buildCommand = '' 20 + mkdir $out 21 + unzip -d $out $src 22 + ''; 23 + }; 24 + 25 + in buildPythonApplication rec { 26 name = "qutebrowser-${version}"; 27 + version = "0.8.2"; 28 namePrefix = ""; 29 30 src = fetchurl { ··· 51 52 postPatch = '' 53 sed -i "s,/usr/share/qutebrowser,$out/share/qutebrowser,g" qutebrowser/utils/standarddir.py 54 + sed -i "s,/usr/share/pdf.js,${pdfjs},g" qutebrowser/browser/pdfjs.py 55 ''; 56 57 postBuild = ''

+2 -8

pkgs/build-support/cc-wrapper/add-hardening.sh

··· 4 hardeningLDFlags=() 5 hardeningDisable=${hardeningDisable:-""} 6 7 - if [[ -z "@ld_supports_bindnow@" ]]; then 8 - hardeningDisable+=" bindnow" 9 - fi 10 - 11 - if [[ -z "@ld_supports_relro@" ]]; then 12 - hardeningDisable+=" relro" 13 - fi 14 15 if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi 16 17 - if [[ ! $hardeningDisable == "all" ]]; then 18 if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi 19 for flag in "${hardeningFlags[@]}" 20 do

··· 4 hardeningLDFlags=() 5 hardeningDisable=${hardeningDisable:-""} 6 7 + hardeningDisable+=" @hardening_unsupported_flags@" 0 0 0 0 0 0 8 9 if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi 10 11 + if [[ ! $hardeningDisable =~ "all" ]]; then 12 if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi 13 for flag in "${hardeningFlags[@]}" 14 do

+8 -3

pkgs/build-support/cc-wrapper/default.nix

··· 237 cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook 238 rm $out/nix-support/setup-hook.tmp 239 240 - # some linkers on some platforms don't support -z 241 - export ld_supports_bindnow=$([[ "$($ldPath/ld -z now 2>&1 || true)" =~ "un(known|recognized) option" ]]) 242 - export ld_supports_relro=$([[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "un(known|recognized) option" ]]) 0 0 0 0 0 243 244 substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh 245 substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh

··· 237 cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook 238 rm $out/nix-support/setup-hook.tmp 239 240 + # some linkers on some platforms don't support specific -z flags 241 + hardening_unsupported_flags="" 242 + if [[ "$($ldPath/ld -z now 2>&1 || true)" =~ "unknown option" ]]; then 243 + hardening_unsupported_flags+=" bindnow" 244 + fi 245 + if [[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "unknown option" ]]; then 246 + hardening_unsupported_flags+=" relro" 247 + fi 248 249 substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh 250 substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh