From b93f9eec50f162d7ca94318c85fe405452d2459b Mon Sep 17 00:00:00 2001
From: Jonas Chevalier
Date: Mon, 6 Nov 2023 16:43:57 +0100
Subject: [PATCH] sudo: only allow exec by wheel (#289)

---
 nixos/common/default.nix | 7 +------
 nixos/common/sudo.nix | 10 ++++++++++
 2 files changed, 11 insertions(+), 6 deletions(-)
 create mode 100644 nixos/common/sudo.nix

diff --git a/nixos/common/default.nix b/nixos/common/default.nix
index 8d94f4e..5d5fdab 100644
--- a/nixos/common/default.nix
+++ b/nixos/common/default.nix
@@ -10,6 +10,7 @@
     ./nix.nix
     ./openssh.nix
     ./serial.nix
+    ./sudo.nix
     ./upgrade-diff.nix
     ./well-known-hosts.nix
     ./zfs.nix
@@ -36,12 +37,6 @@
   # unecessary rebuilds.
   environment.noXlibs = false;
 
-  # Allow sudo from the @wheel group
-  security.sudo.enable = true;
-  security.sudo.extraConfig = ''
-    Defaults lecture = never
-  '';
-
   # Ensure a clean & sparkling /tmp on fresh boots.
   boot.tmp.cleanOnBoot = lib.mkDefault true;
 }
diff --git a/nixos/common/sudo.nix b/nixos/common/sudo.nix
new file mode 100644
index 0000000..b7a1695
--- /dev/null
+++ b/nixos/common/sudo.nix
@@ -0,0 +1,10 @@
+{
+  # Allow sudo from the @wheel group
+  security.sudo.enable = true;
+  # Only allow members of the wheel group to execute sudo by setting the executable’s permissions accordingly. This prevents users that are not members of wheel from exploiting vulnerabilities in sudo such as CVE-2021-3156.
+  security.sudo.execWheelOnly = true;
+  # Don't lecture the user. Less mutable state.
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';
+}
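Review bot: The comment carried over onto `security.sudo.enable = true;` in the new sudo.nix ("Allow sudo from the @wheel group") now sits on the wrong line: enabling sudo is what that line does, while the wheel restriction is the `execWheelOnly` line two lines below, so the two comments read as if the same thing were being said twice. Merging them into one short header above the block avoids the ambiguity, e.g. `# Enable sudo, and restrict invoking the binary to members of wheel.` on the first line and `# execWheelOnly sets the sudo executable's mode/group so non-wheel users cannot run it at all; this narrows exposure to sudo bugs such as CVE-2021-3156 but does not replace keeping sudo patched.` on the second. That second comment is also a single ~230-character line; wrapping it at the file's usual width would match the rest of nixos/common. Note that this option, as far as the hunk shows, only restricts who can execute the binary; what wheel members are then allowed to run (and whether a password is required) is still governed by the sudoers policy elsewhere, which this file does not set, so a one-line pointer to that would help the next reader.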