security/pam: add umask option to configure pam_mkhomedir

author: Aaron Andersen <aaron@fosslib.net> 2023-08-10 20:35:08 -0400
committer: Aaron Andersen <aaron@fosslib.net> 2023-08-10 20:35:08 -0400
commit: 9d56365451588555cb21a50f28dbeac6c2d628d0 (patch)
tree: 78726617711ff251076b4422b66c185e5f9b2352 /nixos/modules/security
parent: cf73a86c35a84de0e2f3ba494327cf6fb51c0dfd (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index ee260a097c691..a431817fe1bb3 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -697,7 +697,7 @@ let
             session required ${config.systemd.package}/lib/security/pam_systemd_home.so
           '' +
           optionalString cfg.makeHomeDir ''
-            session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077
+            session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=${config.security.pam.makeHomeDir.umask}
           '' +
           optionalString cfg.updateWtmp ''
             session required ${pkgs.pam}/lib/security/pam_lastlog.so silent
@@ -902,6 +902,16 @@ in
       '';
     };
 
+    security.pam.makeHomeDir.umask = mkOption {
+      type = types.str;
+      default = "0077";
+      example = "0022";
+      description = lib.mdDoc ''
+        The user file mode creation mask to use on home directories
+        newly created by `pam_mkhomedir`.
+      '';
+    };
+
     security.pam.enableSSHAgentAuth = mkOption {
       type = types.bool;
       default = false;
author	Aaron Andersen <aaron@fosslib.net>	2023-08-10 20:35:08 -0400
committer	Aaron Andersen <aaron@fosslib.net>	2023-08-10 20:35:08 -0400
commit	9d56365451588555cb21a50f28dbeac6c2d628d0 (patch)
tree	78726617711ff251076b4422b66c185e5f9b2352 /nixos/modules/security
parent	cf73a86c35a84de0e2f3ba494327cf6fb51c0dfd (diff)