Unverified Commit 3250f153 authored by Maciej Krüger's avatar Maciej Krüger Committed by GitHub
Browse files

Merge pull request #263471 from nbraud/nixos/sudo-rs/cleanup

parents ecef65f0 bcc2d123

nixos/doc/manual/release-notes/rl-2311.section.md

+6 −2
Original line number Diff line number Diff line
@@ -22,16 +22,20 @@ 


- [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.

  An experimental new module `security.sudo-rs` was added.

  Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces

  Switching to it (via ` security.sudo-rs.enable = true;`) introduces

  slight changes in sudo behaviour, due to `sudo-rs`' current limitations:

  - terminfo-related environment variables aren't preserved for `root` and `wheel`;

  - `root` and `wheel` are not given the ability to set (or preserve)

    arbitrary environment variables.



- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.

  **Note:** The `sudo-rs` module only takes configuration through `security.sudo-rs`,

  and in particular does not automatically use previously-set rules; this could be

  achieved with `security.sudo-rs.extraRules = security.sudo.extraRules;` for instance.



[`sudo-rs`]: https://github.com/memorysafety/sudo-rs/



- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.



- `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`.

  - Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released.

nixos/modules/security/pam.nix

+8 −5
Original line number Diff line number Diff line
@@ -943,6 +943,11 @@ let 
      value.source = pkgs.writeText "${name}.pam" service.text;

    };



  optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth ''

    # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.

    Defaults env_keep+=SSH_AUTH_SOCK

  '';



in



{
@@ -1532,9 +1537,7 @@ in 
        concatLines

      ]);



    security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''

      # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.

      Defaults env_keep+=SSH_AUTH_SOCK

    '';

    security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;

    security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth;

  };

}

nixos/modules/security/sudo-rs.nix

+26 −51
Original line number Diff line number Diff line
@@ -4,16 +4,9 @@ with lib; 


let



  inherit (pkgs) sudo sudo-rs;



  cfg = config.security.sudo-rs;



  enableSSHAgentAuth =

    with config.security;

    pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;



  usingMillersSudo = cfg.package.pname == sudo.pname;

  usingSudoRs = cfg.package.pname == sudo-rs.pname;

  inherit (config.security.pam) enableSSHAgentAuth;



  toUserString = user: if (isInt user) then "#${toString user}" else "${user}";

  toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
@@ -41,33 +34,19 @@ in 


    defaultOptions = mkOption {

      type = with types; listOf str;

      default = optional usingMillersSudo "SETENV";

      defaultText = literalMD ''

        `[ "SETENV" ]` if using the default `sudo` implementation

      '';

      default = [];

      description = mdDoc ''

        Options used for the default rules, granting `root` and the

        `wheel` group permission to run any command as any user.

      '';

    };



    enable = mkOption {

      type = types.bool;

      default = false;

      description = mdDoc ''

        Whether to enable the {command}`sudo` command, which

        allows non-root users to execute commands as root.

      '';

    };

    enable = mkEnableOption (mdDoc ''

      a memory-safe implementation of the {command}`sudo` command,

      which allows non-root users to execute commands as root.

    '');



    package = mkOption {

      type = types.package;

      default = pkgs.sudo-rs;

      defaultText = literalExpression "pkgs.sudo-rs";

      description = mdDoc ''

        Which package to use for `sudo`.

      '';

    };

    package = mkPackageOption pkgs "sudo-rs" { };



    wheelNeedsPassword = mkOption {

      type = types.bool;
@@ -208,6 +187,12 @@ in 
  ###### implementation



  config = mkIf cfg.enable {

    assertions = [ {

      assertion = ! config.security.sudo.enable;

      message = "`security.sudo` and `security.sudo-rs` cannot both be enabled";

    }];

    security.sudo.enable = mkDefault false;



    security.sudo-rs.extraRules =

      let

        defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
@@ -235,20 +220,16 @@ in 
        # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’

        # or ‘security.sudo-rs.extraRules’ instead.

      ''

      (optionalString enableSSHAgentAuth ''

        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.

        Defaults env_keep+=SSH_AUTH_SOCK

      '')

      (concatStringsSep "\n" (

        lists.flatten (

          map (

            rule: optionals (length rule.commands != 0) [

      (pipe cfg.extraRules [

        (filter (rule: length rule.commands != 0))

        (map (rule: [

          (map (user: "${toUserString user}     ${rule.host}=(${rule.runAs})    ${toCommandsString rule.commands}") rule.users)

          (map (group: "${toGroupString group}  ${rule.host}=(${rule.runAs})    ${toCommandsString rule.commands}") rule.groups)

            ]

          ) cfg.extraRules

        )

      ) + "\n")

        ]))

        flatten

        (concatStringsSep "\n")

      ])

      "\n"

      (optionalString (cfg.extraConfig != "") ''

        # extraConfig

        ${cfg.extraConfig}
@@ -265,18 +246,12 @@ in 
        source = "${cfg.package.out}/bin/sudo";

        inherit owner group setuid permissions;

      };

      # sudo-rs does not yet ship a sudoedit (as of v0.2.0)

      sudoedit = mkIf usingMillersSudo {

        source = "${cfg.package.out}/bin/sudoedit";

        inherit owner group setuid permissions;

      };

    };



    environment.systemPackages = [ sudo ];

    environment.systemPackages = [ cfg.package ];



    security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };

    security.pam.services.sudo-i = mkIf usingSudoRs

      { sshAgentAuth = true; usshAuth = true; };

    security.pam.services.sudo-i = { sshAgentAuth = true; usshAuth = true; };



    environment.etc.sudoers =

      { source =
@@ -285,7 +260,7 @@ in 
            src = pkgs.writeText "sudoers-in" cfg.configFile;

            preferLocalBuild = true;

          }

          "${pkgs.buildPackages."${cfg.package.pname}"}/bin/visudo -f $src -c && cp $src $out";

          "${pkgs.buildPackages.sudo-rs}/bin/visudo -f $src -c && cp $src $out";

        mode = "0440";

      };

nixos/tests/sudo-rs.nix

+0 −6
Original line number Diff line number Diff line
@@ -22,11 +22,8 @@ in 
          test5 = { isNormalUser = true; };

        };



        security.sudo.enable = false;



        security.sudo-rs = {

          enable = true;

          package = pkgs.sudo-rs;

          wheelNeedsPassword = false;



          extraRules = [
@@ -56,10 +53,7 @@ in 
        noadmin = { isNormalUser = true; };

      };



      security.sudo.enable = false;



      security.sudo-rs = {

        package = pkgs.sudo-rs;

        enable = true;

        wheelNeedsPassword = false;

        execWheelOnly = true;