snowfallorg / lib

Unified configuration for systems, packages, modules, shells, templates, and more with Nix Flakes.
https://snowfall.org

Snowfall-Lib makes all users admins by default. #107

Open YaroKasear opened 2 months ago

YaroKasear commented 2 months ago

I just solved a mystery that's been plaguing me for a little while: for some reason a user I don't want to be an admin was being put in the wheel group despite that not being set in extraGroups... and I discovered snowfall-lib has a module for users (that I don't see in the documentation) that defaults users to admins and puts them into wheel.

May I make a couple suggestions?

  1. Don't default users to being admins and therefore part of wheel and therefore full sudo access to the system without someone realizing it.
  2. Document this modules/nixos/user/default.nix module?

jakehamilton commented 2 months ago

I would like to have better documentation for this for sure. Currently there aren't any generated module docs.

I'm not sure whether I want to disable wheel-by-default. The intention with having it enabled out of the box is to help users avoid accidentally creating a system without sudo access. I'll give this some thought.

For your use, you can set admin = false on the user to ensure they are a normal user or set create = false to disable Snowfall Lib's user management entirely.

https://github.com/snowfallorg/lib/blob/aa19b02b63025263cec041fcb7a0857c3cb98859/modules/nixos/user/default.nix#L58

YaroKasear commented 2 months ago

> I'm not sure whether I want to disable wheel-by-default. The intention with having it enabled out of the box is to help users avoid accidentally creating a system without sudo access. I'll give this some thought.

Maybe I'm not reading it right, but nixpkgs itself already seems to have a check against locking a user out of the system. Not a full-on sudo check, but it makes sure either root or a wheel user has a password.

At the very least it might be wise to give a heads up that snowfall-lib makes users wheel-by-default because I can see people deploying NixOS using snowfall-lib without knowing about this and inadvertently making users they don't intend to have access to privileged stuff exactly that.

> For your use, you can set admin = false on the user to ensure they are a normal user or set create = false to disable Snowfall Lib's user management entirely.

Yep, currently I disabled it for the affected user. I might do the latter once I look at the rest of the user module and conclude I won't use it.

theotheroracle commented 1 month ago

i'm currently trying to disable the wheel group for a user, but i can't seem to be able to, even though i have

    snowfallorg.users.deck = {
        admin = false;
    };

in my flake.nix, the deck user still is in the wheel group, even after i manually remove the user from the group, so i really don't know what's going wrong here. the user is defined as

    users.users.deck = {
        isNormalUser = true;
        description = "Deck User";
        extraGroups = [ "networkmanager" "gamemode" ];
    };
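
A build-time guard for the situation discussed in this thread, added here as an example (it is not code from Snowfall Lib or from any participant): a NixOS module that fails evaluation when an account outside an allowlist ends up in wheel after all modules have been merged. The option name `local.wheelAllowlist` is hypothetical and is defined by the module itself.

```nix
# Added example: assert that only allowlisted accounts are members of wheel.
# `local.wheelAllowlist` is a hypothetical option defined by this module.
{ config, lib, ... }:

let
  allowed = config.local.wheelAllowlist;

  # Accounts whose final, merged extraGroups contain "wheel". This sees
  # groups added by any module, not only your own users.users definition.
  viaExtraGroups = lib.attrNames (
    lib.filterAttrs (_: user: lib.elem "wheel" user.extraGroups) config.users.users
  );

  # Accounts that have wheel as their primary group.
  viaPrimaryGroup = lib.attrNames (
    lib.filterAttrs (_: user: user.group == "wheel") config.users.users
  );

  # Members declared directly on the group.
  viaGroupMembers = config.users.groups.wheel.members or [ ];

  # Everything in wheel that is not on the allowlist.
  unexpected = lib.subtractLists allowed (
    lib.unique (viaExtraGroups ++ viaPrimaryGroup ++ viaGroupMembers)
  );
in
{
  options.local.wheelAllowlist = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = [ ];
    example = [ "alice" ];
    description = "Accounts that are allowed to be members of wheel.";
  };

  config.assertions = [
    {
      assertion = unexpected == [ ];
      message = "Accounts in wheel that are not in local.wheelAllowlist: "
        + lib.concatStringsSep ", " unexpected;
    }
  ];
}
```

Import the module into the system configuration and list the intended administrators in `local.wheelAllowlist`; a rebuild then stops with the offending account names instead of silently granting wheel membership.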