Merge pull request #66338 from worldofpeace/installer/no-root

installer: Don't run as root

nixos/doc/manual/installation/installing.xml

@@ -29,13 +29,14 @@
   </para>
 
   <para>
-   You are logged-in automatically as <literal>root</literal>. (The
+   You are logged-in automatically as <literal>nixos</literal>.
-   <literal>root</literal> user account has an empty password.)
+   The <literal>nixos</literal> user account has an empty password so you
+   can use <command>sudo</command> without a password.
   </para>
 
   <para>
    If you downloaded the graphical ISO image, you can run <command>systemctl
-   start display-manager</command> to start KDE. If you want to continue on the
+   start display-manager</command> to start the desktop environment. If you want to continue on the
    terminal, you can use <command>loadkeys</command> to switch to your
    preferred keyboard layout. (We even provide neo2 via <command>loadkeys de
    neo</command>!)
@@ -65,9 +66,9 @@
 
    <para>
     If you would like to continue the installation from a different machine you
-    need to activate the SSH daemon via <literal>systemctl start
+    need to activate the SSH daemon via <command>systemctl start
-    sshd</literal>. In order to be able to login you also need to set a
+    sshd</command>. You then must set a password for either <literal>root</literal> or
-    password for <literal>root</literal> using <literal>passwd</literal>.
+    <literal>nixos</literal> with <command>passwd></command> to be able to login.
    </para>
   </section>
  </section>

nixos/doc/manual/release-notes/rl-1909.xml

@@ -42,6 +42,12 @@
        set up binfmt interpreters for each of those listed systems.
      </para>
    </listitem>
+   <listitem>
+     <para>
+     The installer now uses a less privileged <literal>nixos</literal> user whereas before we logged in as root.
+     To gain root privileges use <literal>sudo -i</literal> without a password.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix

@@ -8,16 +8,30 @@ with lib;
 {
   imports = [ ./installation-cd-base.nix ];
 
+  # Whitelist wheel users to do anything
+  # This is useful for things like pkexec
+  #
+  # WARNING: this is dangerous for systems
+  # outside the installation-cd and shouldn't
+  # be used anywhere else.
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+      if (subject.isInGroup("wheel")) {
+        return polkit.Result.YES;
+      }
+    });
+  '';
+
   services.xserver = {
     enable = true;
 
     # Don't start the X server by default.
     autorun = mkForce false;
 
-    # Automatically login as root.
+    # Automatically login as nixos.
     displayManager.slim = {
       enable = true;
-      defaultUser = "root";
+      defaultUser = "nixos";
       autoLogin = true;
     };
 
@@ -33,7 +47,6 @@ with lib;
 
   # Enable sound in graphical iso's.
   hardware.pulseaudio.enable = true;
-  hardware.pulseaudio.systemWide = true; # Needed since we run plasma as root.
 
   environment.systemPackages = [
     # Include gparted for partitioning disks.

nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix

@@ -1,5 +1,5 @@
 # This module defines a NixOS installation CD that contains X11 and
-# Plasma5.
+# Plasma 5.
 
 { config, lib, pkgs, ... }:
 
@@ -30,15 +30,20 @@ with lib;
       Version=1.0
       Type=Application
       Name=NixOS Manual
-      Exec=firefox ${config.system.build.manual.manualHTMLIndex}
+      Exec=firefox ${config.system.build.manual.manual}/share/doc/nixos/index.html
       Icon=text-html
     '';
 
+    homeDir = "/home/nixos/";
+    desktopDir = homeDir + "Desktop/";
+
   in ''
-    mkdir -p /root/Desktop
+    mkdir -p ${desktopDir}
-    ln -sfT ${manualDesktopFile} /root/Desktop/nixos-manual.desktop
+    chown nixos ${homeDir} ${desktopDir}
-    ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
+
-    ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
+    ln -sfT ${manualDesktopFile} ${desktopDir + "nixos-manual.desktop"}
+    ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop ${desktopDir + "gparted.desktop"}
+    ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop ${desktopDir + "org.kde.konsole.desktop"}
   '';
 
 }

nixos/modules/profiles/installation-device.nix

@@ -32,19 +32,35 @@ with lib;
     #services.rogue.enable = true;
 
     # Disable some other stuff we don't need.
-    security.sudo.enable = mkDefault false;
     services.udisks2.enable = mkDefault false;
 
+    # Use less privileged nixos user
+    users.users.nixos = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" "networkmanager" "video" ];
+      # Allow the graphical user to login without password
+      initialHashedPassword = "";
+    };
+
+    # Allow the user to log in as root without a password.
+    users.users.root.initialHashedPassword = "";
+
+    # Allow passwordless sudo from nixos user
+    security.sudo = {
+      enable = mkDefault true;
+      wheelNeedsPassword = mkForce false;
+    };
+
     # Automatically log in at the virtual consoles.
-    services.mingetty.autologinUser = "root";
+    services.mingetty.autologinUser = "nixos";
 
     # Some more help text.
     services.mingetty.helpLine =
       ''
 
-        The "root" account has an empty password.  ${
+        The "nixos" and "root" account have empty passwords.  ${
           optionalString config.services.xserver.enable
-            "Type `systemctl start display-manager' to\nstart the graphical user interface."}
+            "Type `sudo systemctl start display-manager' to\nstart the graphical user interface."}
       '';
 
     # Allow sshd to be started manually through "systemctl start sshd".
@@ -86,8 +102,5 @@ with lib;
     # because we have the firewall enabled. This makes installs from the
     # console less cumbersome if the machine has a public IP.
     networking.firewall.logRefusedConnections = mkDefault false;
-
-    # Allow the user to log in as root without a password.
-    users.users.root.initialHashedPassword = "";
   };
 }

pkgs/tools/misc/gparted/default.nix

@@ -1,6 +1,6 @@
-{ stdenv, fetchurl, intltool, gettext, makeWrapper
+{ stdenv, fetchurl, intltool, gettext, makeWrapper, coreutils, gnused, gnome3
-, parted, glib, libuuid, pkgconfig, gtkmm3, libxml2, hicolor-icon-theme
+, gnugrep, parted, glib, libuuid, pkgconfig, gtkmm3, libxml2, hicolor-icon-theme
-, gpart, hdparm, procps, utillinux
+, gpart, hdparm, procps, utillinux, polkit, wrapGAppsHook, substituteAll
 }:
 
 stdenv.mkDerivation rec {
@@ -11,16 +11,31 @@ stdenv.mkDerivation rec {
     sha256 = "0mdvn85jvy72ff7nds3dakx9kzknh8gx1z8i0w2sf970q03qp2z4";
   };
 
+  # Tries to run `pkexec --version` to get version.
+  # however the binary won't be suid so it returns
+  # an error preventing the program from detection
+  patches = [
+    (substituteAll {
+      src = ./polkit.patch;
+      polkit_version = polkit.version;
+    })
+  ];
+
   configureFlags = [ "--disable-doc" ];
 
-  buildInputs = [ parted glib libuuid gtkmm3 libxml2 hicolor-icon-theme ];
+  buildInputs = [ parted glib libuuid gtkmm3 libxml2 hicolor-icon-theme polkit.bin gnome3.adwaita-icon-theme  ];
-  nativeBuildInputs = [ intltool gettext makeWrapper pkgconfig ];
+  nativeBuildInputs = [ intltool gettext pkgconfig wrapGAppsHook ];
 
+  preFixup = ''
+    gappsWrapperArgs+=(
+       --prefix PATH : "${stdenv.lib.makeBinPath [ gpart hdparm utillinux procps coreutils gnused gnugrep ]}"
+    )
+  '';
+
+  # Doesn't get installed automaticallly if PREFIX != /usr
   postInstall = ''
-    wrapProgram $out/bin/gparted \
+    install -D -m0644 org.gnome.gparted.policy \
-      --prefix PATH : "${procps}/bin"
+      $out/share/polkit-1/actions/org.gnome.gparted.policy
-    wrapProgram $out/sbin/gpartedbin \
-      --prefix PATH : "${stdenv.lib.makeBinPath [ gpart hdparm utillinux ]}"
   '';
 
   meta = with stdenv.lib; {

pkgs/tools/misc/gparted/polkit.patch

@@ -0,0 +1,12 @@
+diff -ru old/gparted-1.0.0/configure gparted-1.0.0/configure
+--- old/gparted-1.0.0/configure	2019-05-29 12:02:13.000000000 -0400
++++ gparted-1.0.0/configure	2019-08-08 18:09:52.792795781 -0400
+@@ -16145,7 +16145,7 @@
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pkexec >= $PKEXEC_REQUIRED_VERSION" >&5
+ $as_echo_n "checking for pkexec >= $PKEXEC_REQUIRED_VERSION... " >&6; }
+ PKEXEC_REQUIRED_INT=`echo "$PKEXEC_REQUIRED_VERSION" | $AWK -F. '{print $1 * 10000 + $2}'`
+-PKEXEC_VERSION_OUTPUT=`pkexec --version 2> /dev/null` ||
++PKEXEC_VERSION_OUTPUT='pkexec version @polkit_version@' ||
+ 	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
+ $as_echo "not found" >&6; }
+ if test "x$PKEXEC_VERSION_OUTPUT" != 'x'; then