physlock: add allowAnyUser option
Silvan Mosberger
8 years ago
cfd22b73
9a5fe79d
+41
-19
1 changed file
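--- a/nixos/modules/services/security/physlock.nix
+++ b/nixos/modules/services/security/physlock.nix
@@ -30,6 +30,20 @@
 '';
 };
 
+allowAnyUser = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Whether to allow any user to lock the screen. This will install a
+setuid wrapper to allow any user to start physlock as root, which
+is a minor security risk. Call the physlock binary to use this instead
+of using the systemd service.
+
+Note that you might need to relog to have the correct binary in your
+PATH upon changing this option.
+'';
+};
+
 disableSysRq = mkOption {
 type = types.bool;
 default = true;
@@ -79,28 +93,36 @@
 
 ###### implementation
 
-config = mkIf cfg.enable {
+config = mkIf cfg.enable (mkMerge [
+{
 
-# for physlock -l and physlock -L
-environment.systemPackages = [ pkgs.physlock ];
+# for physlock -l and physlock -L
+environment.systemPackages = [ pkgs.physlock ];
 
-systemd.services."physlock" = {
-enable = true;
-description = "Physlock";
-wantedBy = optional cfg.lockOn.suspend "suspend.target"
-++ optional cfg.lockOn.hibernate "hibernate.target"
-++ cfg.lockOn.extraTargets;
-before = optional cfg.lockOn.suspend "systemd-suspend.service"
-++ optional cfg.lockOn.hibernate "systemd-hibernate.service"
-++ cfg.lockOn.extraTargets;
-serviceConfig.Type = "forking";
-script = ''
-${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}
-'';
-};
+systemd.services."physlock" = {
+enable = true;
+description = "Physlock";
+wantedBy = optional cfg.lockOn.suspend "suspend.target"
+++ optional cfg.lockOn.hibernate "hibernate.target"
+++ cfg.lockOn.extraTargets;
+before = optional cfg.lockOn.suspend "systemd-suspend.service"
+++ optional cfg.lockOn.hibernate "systemd-hibernate.service"
+++ cfg.lockOn.extraTargets;
+serviceConfig = {
+Type = "forking";
+ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}";
+};
+};
 
-security.pam.services.physlock = {};
+security.pam.services.physlock = {};
+
+}
+
+(mkIf cfg.allowAnyUser {
+
+security.wrappers.physlock = { source = "${pkgs.physlock}/bin/physlock"; user = "root"; };
 
-};
+})
+]);
 
 }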
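Review bot: The setuid wrapper added under `mkIf cfg.allowAnyUser` points at the bare binary, so a user who locks the screen through it does not get the `s` flag that `ExecStart` appends when `cfg.disableSysRq` is set; `disableSysRq` silently applies to the systemd service only. The `allowAnyUser` description should say so, for example `Note that disableSysRq only affects the systemd service; pass -s yourself when calling the wrapper.` It would also help to replace "a minor security risk" with what is actually exposed: every local user can run physlock as root, including the `-l`/`-L` modes mentioned in the comment. Separately, the wrapper sets `user = "root"`; it is worth confirming that the wrappers module reads that key rather than `owner`, since an ignored key would leave ownership to the module's defaults.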