After the change from revision 30103, nixos-rebuild suddenly consumed
freaky amounts of memory. I had to abort the process after it had
allocated well in excess of 30GB(!) of RAM. I'm not sure what is causing
this behavior, but undoing that assignment fixes the problem. The other
two commits needed to be revoked, too, because they depend on 30103.
svn path=/nixos/trunk/; revision=30127
services (rather than just login(1)). It's rather unexpected if
resource limits are not applied to (say) users logged in via SSH or
X11.
svn path=/nixos/trunk/; revision=28105
enabled by modules that need it (KDE < 4.7, Xfce).
* Don't enable the PolicyKit module by default either, it's also
obsolete (replaced by PolKit). It's still enabled if HAL is
enabled.
svn path=/nixos/trunk/; revision=27933
default.
It does not look very modular, and the manual may not look very good, but I think it
works better than before. And setting cron.enable = false and fcron.enable = true works fine.
svn path=/nixos/trunk/; revision=24199
* Moved some scriptlets to the appropriate modules.
* Put the scriptlet that sets the default path at the start, since it
never makes sense not to have it there. It no longer needs to be
declared as a dependency.
* If a scriptlet has no dependencies, it can be denoted as a plain
string (i.e., `noDepEntry' is not needed anymore).
svn path=/nixos/trunk/; revision=23762
config.krb5.enable needs to be set as true.
Also use pam_ccreds to cache Kerberos credentials for offline logins.
svn path=/nixos/trunk/; revision=22986
`su'.
* The `usermod' from `shadow' allows setting a supplementary group
equal to the user's primary group, so the special hack for the
`nixbld' group is no longer needed.
* Removed /etc/default/passwd since it's not used by the new passwd.
The hash is configured in pam_unix.
* Move some values for `security.setuidPrograms' and
`security.pam.services' to the appropriate modules.
svn path=/nixos/trunk/; revision=22107
Now both polkit-1 and old policykit are enabled. Packages that can use both will
be migrated to new polkit-1, than old one can be disabled.
svn path=/nixos/trunk/; revision=21776
the CURL_CA_BUNDLE environment variable. This allows curl to work
without the `-k' flag on https sites with a properly signed
certificate.
svn path=/nixos/trunk/; revision=19572
with an empty password, rather than with a hashed empty password.
The latter is a security risk, because it allows remote root logins
if a user enables sshd before setting a proper root password.
* Allow empty passwords for login and slim, but nothing else.
svn path=/nixos/trunk/; revision=17833
work for X logins. (The documentation also says so.) Instead just
call ck-launch-session from the xsession script.
svn path=/nixos/trunk/; revision=17090
* Let ConsoleKit track the current logins instead of pam_console.
Udev now takes care of setting the device permissions to the active
user. This works much better, since pam_console wouldn't apply
permissions to new (hot-plugged) devices. Also, the udev+ConsoleKit
approach supports user switching. (We don't have that for X yet,
but it already works for logins on virtual consoles: if you switch
between different users on differents VCs with Alt+Fn, the device
ownership will be changed automatically.)
svn path=/nixos/trunk/; revision=16743
mkOption argument, because then we lose them if somebody sets
security.setuidPrograms somewhere else. (Shouldn't "default" be
merged as well?)
svn path=/nixos/trunk/; revision=16734
programs require that the mode is 4550 so that execution of the
setuid program can be restricted to members of a group.
* setuid-wrappers: remove a race condition in the creation of the
wrappers if the ownership or mode was different than root:root and
4555.
* setuid-wrappers: allow the full path of the wrapped program to be
specified, rather than looking it up in $PATH.
svn path=/nixos/trunk/; revision=16733
option security.pam.services containing the list of PAM services.
For instance, the SLiM module simply declares:
security.pam.services = [ { name = "slim"; localLogin = true; } ];
svn path=/nixos/trunk/; revision=16729
enabled as a session type. Since I'm lazy, provide it
unconditionally. Also have it include "common-console" to set
device ownership when logging in.
svn path=/nixos/branches/modular-nixos/; revision=15800
modules/security/setuid-wrappers.nix.
* Removed the "path" activation scriptlet. The partial ordering was
underspecified (there was nothing ensuring that it came near the end
of the activation script), and it wasn't needed in any case.
svn path=/nixos/branches/modular-nixos/; revision=15726