sudo: only allow exec by wheel (#289)
This commit is contained in:
parent
c77cacc8c0
commit
b93f9eec50
@ -10,6 +10,7 @@
|
||||
./nix.nix
|
||||
./openssh.nix
|
||||
./serial.nix
|
||||
./sudo.nix
|
||||
./upgrade-diff.nix
|
||||
./well-known-hosts.nix
|
||||
./zfs.nix
|
||||
@ -36,12 +37,6 @@
|
||||
# unecessary rebuilds.
|
||||
environment.noXlibs = false;
|
||||
|
||||
# Allow sudo from the @wheel group
|
||||
security.sudo.enable = true;
|
||||
security.sudo.extraConfig = ''
|
||||
Defaults lecture = never
|
||||
'';
|
||||
|
||||
# Ensure a clean & sparkling /tmp on fresh boots.
|
||||
boot.tmp.cleanOnBoot = lib.mkDefault true;
|
||||
}
|
||||
|
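--- /dev/null
+++ b/nixos/common/sudo.nix
@@ -0,0 +1,10 @@
+{
+# Allow sudo from the @wheel group
+security.sudo.enable = true;
+# Only allow members of the wheel group to execute sudo by setting the executable’s permissions accordingly. This prevents users that are not members of wheel from exploiting vulnerabilities in sudo such as CVE-2021-3156.
+security.sudo.execWheelOnly = true;
+# Don't lecture the user. Less mutable state.
+security.sudo.extraConfig = ''
+Defaults lecture = never
+'';
+}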
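Review bot: The comment above `security.sudo.execWheelOnly = true;` in nixos/common/sudo.nix is a single very long line that appears to repeat the option's own description, and it does not record the operational consequence of the setting for this module's users; wrap it and state the precondition instead, e.g. `# Restrict the sudo binary itself to the wheel group as defence in depth (cf. CVE-2021-3156).` followed by `# Every user who needs sudo must therefore be in wheel; per-user sudo rules alone will not let them run it.` Keeping the CVE pointer is fine, but the comment should make clear this limits who can reach the binary and is not a substitute for keeping sudo patched. If I recall the NixOS module correctly, `security.sudo.enable` already defaults to true, so a short note that it is set explicitly for clarity would help the next reader, since the first section of this commit removes the same lines from the common config.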