Snowfall-Lib makes all users admins by default. #107

Open
YaroKasear opened this issue Jun 17, 2024 · 3 comments

YaroKasear commented Jun 17, 2024

I just solved a mystery that's been plaguing me for a little while: For some reason a user I don't want to be an admin was being put in the wheel group despite that not being set in extraGroups... and I discovered snowfall-lib has a module for users (that I don't see in the documentation) that defaults users to admins and puts them into wheel.

May I make a couple suggestions?

  1. Don't default users to being admins and therefore part of wheel and therefore full sudo access to the system without someone realizing it.
  2. Document this modules/nixos/user/default.nix module?

jakehamilton (Member) commented Jun 17, 2024

I would like to have better documentation for this for sure. Currently there aren't any generated module docs.

I'm not sure whether I want to disable wheel-by-default. The intention with having it enabled out of the box is to help users avoid accidentally creating a system without sudo access. I'll give this some thought.

For your use, you can set admin = false on the user to ensure they are a normal user or set create = false to disable Snowfall Lib's user management entirely.

admin = mkOption {

YaroKasear (Author) commented Jun 17, 2024

> I'm not sure whether I want to disable wheel-by-default. The intention with having it enabled out of the box is to help users avoid accidentally creating a system without sudo access. I'll give this some thought.

Maybe I'm not reading it right, but nixpkgs itself already seems to have a check against locking a user out of the system. Not a full-on sudo check, but it makes sure either root or a wheel user has a password.

At the very least it might be wise to give a heads up that snowfall-lib makes users wheel-by-default because I can see people deploying NixOS using snowfall-lib without knowing about this and inadvertently making users they don't intend to have access to privileged stuff exactly that.

> For your use, you can set admin = false on the user to ensure they are a normal user or set create = false to disable Snowfall Lib's user management entirely.

Yep, currently I disabled it for the affected user. I might do the latter once I look at the rest of the user module and conclude I won't use it.

theotheroracle commented

i'm currently trying to disable the wheel group for a user, but i can't seem to be able to, even though i have

		snowfallorg.users.deck = {
			admin = false;
		};

in my flake.nix, the deck user still is in the wheel group, even after i manually remove the user from the group, so i really don't know what's going wrong here. the user is defined as

	users.users.deck = {
		isNormalUser = true;
		description = "Deck User";
		extraGroups = [ "networkmanager" "gamemode" ];
	};
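
A build-time guard for the concern raised in this thread, as an added example (not Snowfall Lib's code and not written by any participant): a NixOS module that fails evaluation when the merged configuration puts a user in wheel without that user being explicitly allowlisted. The option name `local.wheelAllowlist` is hypothetical and introduced only for this example.

```nix
# Added example. `local.wheelAllowlist` is a hypothetical option defined
# here; it is not part of Snowfall Lib or nixpkgs.
{ config, lib, ... }:

let
  allowed = config.local.wheelAllowlist;

  # True when the user's final, merged definition grants wheel, either as
  # a supplementary group or as the primary group. Because this reads the
  # merged value, it also sees groups contributed by modules the system
  # owner did not write.
  inWheel = u: lib.elem "wheel" u.extraGroups || u.group == "wheel";

  wheelUsers = lib.attrNames (lib.filterAttrs (_: inWheel) config.users.users);

  # Users that ended up in wheel but were never allowlisted.
  unexpected = lib.subtractLists allowed wheelUsers;
in
{
  options.local.wheelAllowlist = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = [ ];
    example = [ "alice" ];
    description = "Users that are allowed to be members of the wheel group.";
  };

  config.assertions = [
    {
      assertion = unexpected == [ ];
      message =
        "Users in wheel but not in local.wheelAllowlist: "
        + lib.concatStringsSep ", " unexpected;
    }
  ];
}
```

The assertion covers only the declared configuration, so group membership changed imperatively on a running system is outside its scope.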
