Merge pull request #133622 from erikarvstedt/fix-recursive-doas

nixos/doas: fix recursive calls to doas
2024-11-13 09:17:07 +03:00 · 2021-08-12 22:39:24 +03:00 · 2021-08-12 22:39:24 +03:00 · 17265bc319
commit 17265bc319
parent d11ed5661e 781ab443c2
2 changed files with 8 additions and 1 deletions
--- a/nixos/tests/doas.nix
+++ b/nixos/tests/doas.nix
@ -78,6 +78,13 @@ import ./make-test-python.nix (
              'su - test7 -c "SSH_AUTH_SOCK=HOLEY doas env"'
          ):
              raise Exception("failed to exclude SSH_AUTH_SOCK")
+
+      # Test that the doas setuid wrapper precedes the unwrapped version in PATH after
+      # calling doas.
+      # The PATH set by doas is defined in
+      # ../../pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch
+      with subtest("recursive calls to doas from subprocesses should succeed"):
+          machine.succeed('doas -u test0 sh -c "doas -u test0 true"')
    '';
  }
 )
--- a/pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch
+++ b/pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch
@ -15,7 +15,7 @@ index e253905..2fdb20f 100644
 main(int argc, char **argv)
 {
 	const char *safepath = "/bin:/sbin:/usr/bin:/usr/sbin:"
-+	    "/run/current-system/sw/bin:/run/current-system/sw/sbin:/run/wrappers/bin:"
+	    "/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/sbin:"
 	    "/usr/local/bin:/usr/local/sbin";
 	const char *confpath = NULL;
 	char *shargv[] = { NULL, NULL };