nixos/{sudo, terminfo}: Adjust defaults for compatibility with sudo-rs

2024-11-10 08:39:08 +03:00 · 2023-09-07 14:55:33 +00:00 · 2023-09-07 14:55:33 +00:00 · 914bf58369
commit 914bf58369
parent f0107b4f63
3 changed files with 18 additions and 7 deletions
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@ -10,6 +10,16 @@

 - The `nixos-rebuild` command has been given a `list-generations` subcommand. See `man nixos-rebuild` for more details.

+- [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
+  Switching to it (via `security.sudo.package = pkgs.sudo-rs;`) introduces
+  slight changes in default behaviour, due to `sudo-rs`' current limitations:
+  - terminfo-related environment variables aren't preserved for `root` and `wheel`;
+  - `root` and `wheel` are not given the ability to set (or preserve)
+    arbitrary environment variables.
+
+[`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
+
+
 ## New Services {#sec-release-23.11-new-services}

 - [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable).
--- a/nixos/modules/config/terminfo.nix
+++ b/nixos/modules/config/terminfo.nix
@ -16,7 +16,10 @@ with lib;
    };

    security.sudo.keepTerminfo = mkOption {
-      default = true;
+      default = config.security.sudo.package.pname != "sudo-rs";
+      defaultText = literalMD ''
+        `true` unless using `sudo-rs`
+      '';
      type = types.bool;
      description = lib.mdDoc ''
        Whether to preserve the `TERMINFO` and `TERMINFO_DIRS`
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@ -40,7 +40,10 @@ in

    defaultOptions = mkOption {
      type = with types; listOf str;
-      default = [ "SETENV" ];
+      default = optional usingMillersSudo "SETENV";
+      defaultText = literalMD ''
+        `[ "SETENV" ]` if using the default `sudo` implementation
+      '';
      description = mdDoc ''
        Options used for the default rules, granting `root` and the
        `wheel` group permission to run any command as any user.
@ -204,11 +207,6 @@ in
  ###### implementation

  config = mkIf cfg.enable {
-    assertions = [
-      { assertion = usingMillersSudo;
-        message = "The NixOS `sudo` module does not yet work with other implementations."; }
-    ];
-
    security.sudo.extraRules =
      let
        defaultRule = { users ? [], groups ? [], opts ? [] }: [ {