Merge pull request #262790 from nbraud/nixos/sudo

nixos/sudo: bring in line with release notes
This commit is contained in:
Pierre Bourdon 2023-11-09 16:53:02 +01:00 committed by GitHub
commit b75b355b50
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 81 additions and 75 deletions

View File

@ -16,10 +16,7 @@ with lib;
};
security.sudo.keepTerminfo = mkOption {
default = config.security.sudo.package.pname != "sudo-rs";
defaultText = literalMD ''
`true` unless using `sudo-rs`
'';
default = true;
type = types.bool;
description = lib.mdDoc ''
Whether to preserve the `TERMINFO` and `TERMINFO_DIRS`

View File

@ -1531,6 +1531,10 @@ in
(map (module: "mr ${module},"))
concatLines
]);
};
security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
'';
};
}

View File

@ -6,6 +6,8 @@ let
cfg = config.security.sudo;
inherit (config.security.pam) enableSSHAgentAuth;
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
@ -28,41 +30,36 @@ in
###### interface
options = {
options.security.sudo = {
security.sudo.enable = mkOption {
type = types.bool;
default = true;
description =
lib.mdDoc ''
Whether to enable the {command}`sudo` command, which
allows non-root users to execute commands as root.
'';
};
security.sudo.package = mkOption {
type = types.package;
default = pkgs.sudo;
defaultText = literalExpression "pkgs.sudo";
description = lib.mdDoc ''
Which package to use for `sudo`.
defaultOptions = mkOption {
type = with types; listOf str;
default = [ "SETENV" ];
description = mdDoc ''
Options used for the default rules, granting `root` and the
`wheel` group permission to run any command as any user.
'';
};
security.sudo.wheelNeedsPassword = mkOption {
enable = mkEnableOption (mdDoc ''
the {command}`sudo` command, which allows non-root users to execute commands as root.
'');
package = mkPackageOption pkgs "sudo" { };
wheelNeedsPassword = mkOption {
type = types.bool;
default = true;
description =
lib.mdDoc ''
Whether users of the `wheel` group must
provide a password to run commands as super user via {command}`sudo`.
'';
description = mdDoc ''
Whether users of the `wheel` group must
provide a password to run commands as super user via {command}`sudo`.
'';
};
security.sudo.execWheelOnly = mkOption {
execWheelOnly = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
description = mdDoc ''
Only allow members of the `wheel` group to execute sudo by
setting the executable's permissions accordingly.
This prevents users that are not members of `wheel` from
@ -70,19 +67,18 @@ in
'';
};
security.sudo.configFile = mkOption {
configFile = mkOption {
type = types.lines;
# Note: if syntax errors are detected in this file, the NixOS
# configuration will fail to build.
description =
lib.mdDoc ''
This string contains the contents of the
{file}`sudoers` file.
'';
description = mdDoc ''
This string contains the contents of the
{file}`sudoers` file.
'';
};
security.sudo.extraRules = mkOption {
description = lib.mdDoc ''
extraRules = mkOption {
description = mdDoc ''
Define specific rules to be in the {file}`sudoers` file.
More specific rules should come after more general ones in order to
yield the expected behavior. You can use mkBefore/mkAfter to ensure
@ -112,7 +108,7 @@ in
options = {
users = mkOption {
type = with types; listOf (either str int);
description = lib.mdDoc ''
description = mdDoc ''
The usernames / UIDs this rule should apply for.
'';
default = [];
@ -120,7 +116,7 @@ in
groups = mkOption {
type = with types; listOf (either str int);
description = lib.mdDoc ''
description = mdDoc ''
The groups / GIDs this rule should apply for.
'';
default = [];
@ -129,7 +125,7 @@ in
host = mkOption {
type = types.str;
default = "ALL";
description = lib.mdDoc ''
description = mdDoc ''
For what host this rule should apply.
'';
};
@ -137,7 +133,7 @@ in
runAs = mkOption {
type = with types; str;
default = "ALL:ALL";
description = lib.mdDoc ''
description = mdDoc ''
Under which user/group the specified command is allowed to run.
A user can be specified using just the username: `"foo"`.
@ -147,7 +143,7 @@ in
};
commands = mkOption {
description = lib.mdDoc ''
description = mdDoc ''
The commands for which the rule should apply.
'';
type = with types; listOf (either str (submodule {
@ -155,7 +151,7 @@ in
options = {
command = mkOption {
type = with types; str;
description = lib.mdDoc ''
description = mdDoc ''
A command being either just a path to a binary to allow any arguments,
the full command with arguments pre-set or with `""` used as the argument,
not allowing arguments to the command at all.
@ -164,7 +160,7 @@ in
options = mkOption {
type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
description = lib.mdDoc ''
description = mdDoc ''
Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html).
'';
default = [];
@ -177,10 +173,10 @@ in
});
};
security.sudo.extraConfig = mkOption {
extraConfig = mkOption {
type = types.lines;
default = "";
description = lib.mdDoc ''
description = mdDoc ''
Extra configuration text appended to {file}`sudoers`.
'';
};
@ -195,39 +191,48 @@ in
message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; }
];
# We `mkOrder 600` so that the default rule shows up first, but there is
# still enough room for a user to `mkBefore` it.
security.sudo.extraRules = mkOrder 600 [
{ groups = [ "wheel" ];
commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
}
];
security.sudo.extraRules =
let
defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
inherit users groups;
commands = [ {
command = "ALL";
options = opts ++ cfg.defaultOptions;
} ];
} ];
in mkMerge [
# This is ordered before users' `mkBefore` rules,
# so as not to introduce unexpected changes.
(mkOrder 400 (defaultRule { users = [ "root" ]; }))
security.sudo.configFile =
# This is ordered to show before (most) other rules, but
# late-enough for a user to `mkBefore` it.
(mkOrder 600 (defaultRule {
groups = [ "wheel" ];
opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD");
}))
];
security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [
''
# Don't edit this file. Set the NixOS options security.sudo.configFile
# or security.sudo.extraRules instead.
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
# "root" is allowed to do anything.
root ALL=(ALL:ALL) SETENV: ALL
# extraRules
${concatStringsSep "\n" (
lists.flatten (
map (
rule: optionals (length rule.commands != 0) [
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
]
) cfg.extraRules
)
)}
''
(pipe cfg.extraRules [
(filter (rule: length rule.commands != 0))
(map (rule: [
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
]))
flatten
(concatStringsSep "\n")
])
"\n"
(optionalString (cfg.extraConfig != "") ''
# extraConfig
${cfg.extraConfig}
'';
'')
]);
security.wrappers = let
owner = "root";