sudo: only allow exec by wheel (#289)

2024-08-17 01:40:26 +03:00 · 2023-11-06 16:43:57 +01:00 · 2023-11-06 16:43:57 +01:00 · b93f9eec50
commit b93f9eec50
parent c77cacc8c0
2 changed files with 11 additions and 6 deletions
--- a/nixos/common/default.nix
+++ b/nixos/common/default.nix
@ -10,6 +10,7 @@
    ./nix.nix
    ./openssh.nix
    ./serial.nix
+    ./sudo.nix
    ./upgrade-diff.nix
    ./well-known-hosts.nix
    ./zfs.nix
@ -36,12 +37,6 @@
  # unecessary rebuilds.
  environment.noXlibs = false;

-  # Allow sudo from the @wheel group
-  security.sudo.enable = true;
-  security.sudo.extraConfig = ''
-    Defaults lecture = never
-  '';
-
  # Ensure a clean & sparkling /tmp on fresh boots.
  boot.tmp.cleanOnBoot = lib.mkDefault true;
 }
--- a/nixos/common/sudo.nix
+++ b/nixos/common/sudo.nix
@ -0,0 +1,10 @@
+{
+  # Allow sudo from the @wheel group
+  security.sudo.enable = true;
+  # Only allow members of the wheel group to execute sudo by setting the executable’s permissions accordingly. This prevents users that are not members of wheel from exploiting vulnerabilities in sudo such as CVE-2021-3156.
+  security.sudo.execWheelOnly = true;
+  # Don't lecture the user. Less mutable state.
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';
+}