From 467a0d3d0c27ed7e688c040281aced98d37120d2 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 24 Oct 2024 02:00:15 +1100 Subject: [PATCH] users: prevent deleting the user calling `darwin-rebuild` `sysadminctl -deleteUser` will only prevent you from deleting the current user if it's not the last admin and not the last secure token user, otherwise it will happily oblige. --- modules/users/default.nix | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/modules/users/default.nix b/modules/users/default.nix index ce77d4d9..e8a030b4 100644 --- a/modules/users/default.nix +++ b/modules/users/default.nix @@ -149,6 +149,15 @@ in echo "setting up users..." >&2 deleteUser() { + # TODO: add `darwin.primaryUser` as well + if [[ "$1" == "$SUDO_USER" ]]; then + printf >&2 '\e[1;31merror: refusing to delete the user calling `darwin-rebuild` (%s), aborting activation\e[0m\n', "$1" + exit 1 + elif [[ "$1" == "root" ]]; then + printf >&2 '\e[1;31merror: refusing to delete `root`, aborting activation\e[0m\n', "$1" + exit 1 + fi + fullDiskAccess=false if cat /Library/Preferences/com.apple.TimeMachine.plist > /dev/null 2>&1; then @@ -191,8 +200,15 @@ in ${optionalString cfg.forceRecreate '' u=$(id -u ${name} 2> /dev/null) || true if [[ "$u" -eq ${toString v.uid} ]]; then - echo "deleting user ${v.name}..." >&2 - deleteUser ${name} + # TODO: add `darwin.primaryUser` as well + if [[ ${name} == "$SUDO_USER" ]]; then + printf >&2 'warning: not going to recreate the user calling `darwin-rebuild` (%s), skipping...\n' "$SUDO_USER" + elif [[ ${name} == "root" ]]; then + printf >&2 'warning: not going to recreate root, skipping...\n' + else + printf >&2 'deleting user ${v.name}...\n' + deleteUser ${name} + fi else echo "warning: existing user '${v.name}' has unexpected uid $u, skipping..." >&2 fi