NixOS · symphorien · Sep 13, 2021 · Aug 8, 2021 · Aug 8, 2021 · Aug 8, 2021
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -324,6 +324,33 @@ Superuser created successfully.
           notes</link>).
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="options.html#opt-users.users._name_.group">users.users.&lt;name&gt;.group</link>
+          no longer defaults to <literal>nogroup</literal>, which was
+          insecure. Out-of-tree modules are likely to require
+          adaptation: instead of
+        </para>
+        <programlisting language="bash">
+{
+  users.users.foo = {
+    isSystemUser = true;
+  };
+}
+</programlisting>
+        <para>
+          also create a group for your user:
+        </para>
+        <programlisting language="bash">
+{
+  users.users.foo = {
+    isSystemUser = true;
+    group = &quot;foo&quot;;
+  };
+  users.groups.foo = {};
+}
+</programlisting>
+      </listitem>
       <listitem>
         <para>
           <literal>services.geoip-updater</literal> was broken and has

diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -120,6 +120,25 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable
 
 - The `erigon` ethereum node has moved it's database location in `2021-08-03`, users upgrading must manually move their chaindata (see [release notes](https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03)).
 
+- [users.users.&lt;name&gt;.group](options.html#opt-users.users._name_.group) no longer defaults to `nogroup`, which was insecure. Out-of-tree modules are likely to require adaptation: instead of
+  ```nix
+  {
+    users.users.foo = {
+      isSystemUser = true;
+    };
+  }
+  ```
+  also create a group for your user:
+  ```nix
+  {
+    users.users.foo = {
+      isSystemUser = true;
+      group = "foo";
+    };
+    users.groups.foo = {};
+  }
+  ```
+
 - `services.geoip-updater` was broken and has been replaced by [services.geoipupdate](options.html#opt-services.geoipupdate.enable).
 
 - PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.

diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
@@ -123,7 +123,7 @@ let
       group = mkOption {
         type = types.str;
         apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x;
-        default = "nogroup";
+        default = "";
         description = "The user's primary group.";
       };
 
@@ -638,6 +638,16 @@ in {
               Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.
             '';
           }
+          {
+            assertion = user.group != "";
+            message = ''
+              users.users.${user.name}.group is unset. This used to default to
+              nogroup, but this is unsafe. For example you can create a group
+              for this user with:
+              users.users.${user.name}.group = "${user.name}";
+              users.groups.${user.name} = {};
+            '';
+          }
         ]
     ));
 

diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
@@ -83,14 +83,14 @@ in
       #fourstore = 42; # dropped in 20.03
       #fourstorehttp = 43; # dropped in 20.03
       virtuoso = 44;
-      rtkit = 45;
+      #rtkit = 45; # dynamically allocated 2021-09-03
       dovecot2 = 46;
       dovenull2 = 47;
       prayer = 49;
       mpd = 50;
       clamav = 51;
       fprot = 52;
-      bind = 53;
+      # bind = 53; #dynamically allocated as of 2021-09-03
       wwwrun = 54;
       #adm = 55; # unused
       spamd = 56;
@@ -134,13 +134,13 @@ in
       firebird = 95;
       #keys = 96; # unused
       #haproxy = 97; # dynamically allocated as of 2020-03-11
-      mongodb = 98;
+      #mongodb = 98; #dynamically allocated as of 2021-09-03
       #openldap = 99; # dynamically allocated as of PR#94610
       #users = 100; # unused
       cgminer = 101;
       munin = 102;
       logcheck = 103;
-      nix-ssh = 104;
+      #nix-ssh = 104; #dynamically allocated as of 2021-09-03
       dictd = 105;
       couchdb = 106;
       #searx = 107; # dynamically allocated as of 2020-10-27
@@ -149,9 +149,9 @@ in
       systemd-journal-gateway = 110;
       #notbit = 111; # unused
       aerospike = 111;
-      ngircd = 112;
+      #ngircd = 112; #dynamically allocated as of 2021-09-03
       #btsync = 113; # unused
-      minecraft = 114;
+      #minecraft = 114; #dynamically allocated as of 2021-09-03
       vault = 115;
       rippled = 116;
       murmur = 117;
@@ -169,19 +169,19 @@ in
       mopidy = 130;
       #docker = 131; # unused
       gdm = 132;
-      dhcpd = 133;
+      #dhcpd = 133; # dynamically allocated as of 2021-09-03
       siproxd = 134;
       mlmmj = 135;
-      neo4j = 136;
+      #neo4j = 136;# dynamically allocated as of 2021-09-03
       riemann = 137;
       riemanndash = 138;
-      radvd = 139;
-      zookeeper = 140;
-      dnsmasq = 141;
+      #radvd = 139;# dynamically allocated as of 2021-09-03
+      #zookeeper = 140;# dynamically allocated as of 2021-09-03
+      #dnsmasq = 141;# dynamically allocated as of 2021-09-03
       #uhub = 142; # unused
       yandexdisk = 143;
       mxisd = 144; # was once collectd
-      consul = 145;
+      #consul = 145;# dynamically allocated as of 2021-09-03
       mailpile = 146;
       redmine = 147;
       #seeks = 148; # removed 2020-06-21
@@ -192,7 +192,7 @@ in
       systemd-resolve = 153;
       systemd-timesync = 154;
       liquidsoap = 155;
-      etcd = 156;
+      #etcd = 156;# dynamically allocated as of 2021-09-03
       hbase = 158;
       opentsdb = 159;
       scollector = 160;
@@ -204,7 +204,7 @@ in
       tox-bootstrapd = 166;
       cadvisor = 167;
       nylon = 168;
-      apache-kafka = 169;
+      #apache-kafka = 169;# dynamically allocated as of 2021-09-03
       #panamax = 170; # unused
       exim = 172;
       #fleet = 173; # unused
@@ -241,7 +241,7 @@ in
       gateone = 207;
       namecoin = 208;
       #lxd = 210; # unused
-      kibana = 211;
+      #kibana = 211;# dynamically allocated as of 2021-09-03
       xtreemfs = 212;
       calibre-server = 213;
       heapster = 214;
@@ -264,22 +264,22 @@ in
       avahi-autoipd = 231;
       nntp-proxy = 232;
       mjpg-streamer = 233;
-      radicale = 234;
+      #radicale = 234;# dynamically allocated as of 2021-09-03
       hydra-queue-runner = 235;
       hydra-www = 236;
       syncthing = 237;
       caddy = 239;
       taskd = 240;
       # factorio = 241; # DynamicUser = true
       # emby = 242; # unusued, removed 2019-05-01
-      graylog = 243;
+      #graylog = 243;# dynamically allocated as of 2021-09-03
       sniproxy = 244;
       nzbget = 245;
       mosquitto = 246;
       toxvpn = 247;
       # squeezelite = 248; # DynamicUser = true
       turnserver = 249;
-      smokeping = 250;
+      #smokeping = 250;# dynamically allocated as of 2021-09-03
       gocd-agent = 251;
       gocd-server = 252;
       terraria = 253;
@@ -553,7 +553,7 @@ in
       #shout = 206; #unused
       gateone = 207;
       namecoin = 208;
-      lxd = 210; # unused
+      #lxd = 210; # unused
       #kibana = 211;
       xtreemfs = 212;
       calibre-server = 213;
@@ -572,7 +572,7 @@ in
       cfdyndns = 227;
       pdnsd = 229;
       octoprint = 230;
-      radicale = 234;
+      #radicale = 234;# dynamically allocated as of 2021-09-03
       syncthing = 237;
       caddy = 239;
       taskd = 240;
@@ -584,7 +584,7 @@ in
       #toxvpn = 247; # unused
       #squeezelite = 248; #unused
       turnserver = 249;
-      smokeping = 250;
+      #smokeping = 250;# dynamically allocated as of 2021-09-03
       gocd-agent = 251;
       gocd-server = 252;
       terraria = 253;

diff --git a/nixos/modules/security/rtkit.nix b/nixos/modules/security/rtkit.nix
@@ -35,9 +35,12 @@ with lib;
     services.dbus.packages = [ pkgs.rtkit ];
 
     users.users.rtkit =
-      { uid = config.ids.uids.rtkit;
+      {
+        isSystemUser = true;
+        group = "rtkit";
         description = "RealtimeKit daemon";
       };
+    users.groups.rtkit = {};
 
   };
 

diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix
@@ -169,6 +169,7 @@ let
         (map (mkAuthorizedKey cfg false) cfg.authorizedKeys
         ++ map (mkAuthorizedKey cfg true) cfg.authorizedKeysAppendOnly);
       useDefaultShell = true;
+      group = cfg.group;
       isSystemUser = true;
     };
     groups.${cfg.group} = { };

diff --git a/nixos/modules/services/databases/influxdb.nix b/nixos/modules/services/databases/influxdb.nix
@@ -185,6 +185,7 @@ in
     users.users = optionalAttrs (cfg.user == "influxdb") {
       influxdb = {
         uid = config.ids.uids.influxdb;
+        group = "influxdb";
         description = "Influxdb daemon user";
       };
     };

diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix
@@ -67,7 +67,9 @@ in
     users.users = optionalAttrs (cfg.user == "memcached") {
       memcached.description = "Memcached server user";
       memcached.isSystemUser = true;
+      memcached.group = "memcached";
     };
+    users.groups = optionalAttrs (cfg.user == "memcached") { memcached = {}; };
 
     environment.systemPackages = [ memcached ];
 

diff --git a/nixos/modules/services/databases/mongodb.nix b/nixos/modules/services/databases/mongodb.nix
@@ -123,9 +123,11 @@ in
 
     users.users.mongodb = mkIf (cfg.user == "mongodb")
       { name = "mongodb";
-        uid = config.ids.uids.mongodb;
+        isSystemUser = true;
+        group = "mongodb";
         description = "MongoDB server user";
       };
+    users.groups.mongodb = mkIf (cfg.user == "mongodb") {};
 
     environment.systemPackages = [ mongodb ];
 

diff --git a/nixos/modules/services/databases/neo4j.nix b/nixos/modules/services/databases/neo4j.nix
@@ -651,10 +651,12 @@ in {
       environment.systemPackages = [ cfg.package ];
 
       users.users.neo4j = {
-        uid = config.ids.uids.neo4j;
+        isSystemUser = true;
+        group = "neo4j";
         description = "Neo4j daemon user";
         home = cfg.directories.home;
       };
+      users.groups.neo4j = {};
     };
 
   meta = {

diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
@@ -246,6 +246,7 @@ in {
 
     users.users.redis = {
       description = "Redis database user";
+      group = "redis";
       isSystemUser = true;
     };
     users.groups.redis = {};

diff --git a/nixos/modules/services/games/minecraft-server.nix b/nixos/modules/services/games/minecraft-server.nix
@@ -167,8 +167,10 @@ in {
       description     = "Minecraft server service user";
       home            = cfg.dataDir;
       createHome      = true;
-      uid             = config.ids.uids.minecraft;
+      isSystemUser    = true;
+      group           = "minecraft";
     };
+    users.groups.minecraft = {};
 
     systemd.services.minecraft-server = {
       description   = "Minecraft Server Service";

diff --git a/nixos/modules/services/logging/graylog.nix b/nixos/modules/services/logging/graylog.nix
@@ -128,10 +128,12 @@ in
 
     users.users = mkIf (cfg.user == "graylog") {
       graylog = {
-        uid = config.ids.uids.graylog;
+        isSystemUser = true;
+        group = "graylog";
         description = "Graylog server daemon user";
       };
     };
+    users.groups = mkIf (cfg.user == "graylog") {};
 
     systemd.tmpfiles.rules = [
       "d '${cfg.messageJournalDir}' - ${cfg.user} - - -"

diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix
@@ -165,10 +165,12 @@ in {
 
     users.users.airsonic = {
       description = "Airsonic service user";
+      group = "airsonic";
       name = cfg.user;
       home = cfg.home;
       createHome = true;
       isSystemUser = true;
     };
+    users.groups.airsonic = {};
   };
 }
diff --git a/nixos/modules/services/misc/apache-kafka.nix b/nixos/modules/services/misc/apache-kafka.nix
@@ -120,10 +120,12 @@ in {
     environment.systemPackages = [cfg.package];
 
     users.users.apache-kafka = {
-      uid = config.ids.uids.apache-kafka;
+      isSystemUser = true;
+      group = "apache-kafka";
       description = "Apache Kafka daemon user";
       home = head cfg.logDirs;
     };
+    users.groups.apache-kafka = {};
 
     systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.logDirs;
 

diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix
@@ -151,7 +151,9 @@ in {
         home = cfg.storagePath;
       }
       else {}) // {
+        group = "docker-registry";
         isSystemUser = true;
       };
+    users.groups.docker-registry = {};
   };
 }
diff --git a/nixos/modules/services/misc/etcd.nix b/nixos/modules/services/misc/etcd.nix
@@ -187,9 +187,11 @@ in {
     environment.systemPackages = [ pkgs.etcd ];
 
     users.users.etcd = {
-      uid = config.ids.uids.etcd;
+      isSystemUser = true;
+      group = "etcd";
       description = "Etcd daemon user";
       home = cfg.dataDir;
     };
+    users.groups.etcd = {};
   };
 }