Loading nixos/modules/config/terminfo.nix +1 −4 Original line number Diff line number Diff line Loading @@ -16,10 +16,7 @@ with lib; }; security.sudo.keepTerminfo = mkOption { default = config.security.sudo.package.pname != "sudo-rs"; defaultText = literalMD '' `true` unless using `sudo-rs` ''; default = true; type = types.bool; description = lib.mdDoc '' Whether to preserve the `TERMINFO` and `TERMINFO_DIRS` Loading nixos/modules/security/pam.nix +5 −1 Original line number Diff line number Diff line Loading @@ -1531,6 +1531,10 @@ in (map (module: "mr ${module},")) concatLines ]); }; security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth '' # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. Defaults env_keep+=SSH_AUTH_SOCK ''; }; } nixos/modules/security/sudo.nix +76 −71 Original line number Diff line number Diff line Loading @@ -6,6 +6,8 @@ let cfg = config.security.sudo; inherit (config.security.pam) enableSSHAgentAuth; toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; Loading 
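Review bot: `default = true;` drops the `sudo-rs` special case without recording why, and the option's description continues past the hunk. The sudo module in this same commit asserts that it does not work with `sudo-rs` yet (the assertion message is visible in the last sudo.nix hunk), so the old package-name check was presumably unreachable; a one-line comment would keep that reasoning next to the default, e.g. `# Unconditional: the sudo module rejects sudo-rs via an assertion, so no package check is needed here.`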
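Review bot: The `Defaults env_keep+=SSH_AUTH_SOCK` entry is now gated on `config.security.pam.enableSSHAgentAuth`, a tightening over the unconditional line removed from sudo.nix, but the assignment does not say what is being traded: once kept, the agent socket is reachable from every command run through sudo, not only from the PAM authentication step. A short comment on the assignment would make that explicit, e.g. `# Forwarding the agent socket exposes the invoking user's keys to the elevated session; only done when pam_ssh_agent_auth is in use.` Separately, the `inherit (config.security.pam) enableSSHAgentAuth;` added to sudo.nix's let block has no visible use in the hunks shown; if the env_keep move made it dead, it should be dropped.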
@@ -28,41 +30,36 @@ in ###### interface options = { options.security.sudo = { security.sudo.enable = mkOption { type = types.bool; default = true; description = lib.mdDoc '' Whether to enable the {command}`sudo` command, which allows non-root users to execute commands as root. defaultOptions = mkOption { type = with types; listOf str; default = [ "SETENV" ]; description = mdDoc '' Options used for the default rules, granting `root` and the `wheel` group permission to run any command as any user. ''; }; security.sudo.package = mkOption { type = types.package; default = pkgs.sudo; defaultText = literalExpression "pkgs.sudo"; description = lib.mdDoc '' Which package to use for `sudo`. ''; }; enable = mkEnableOption (mdDoc '' the {command}`sudo` command, which allows non-root users to execute commands as root. ''); security.sudo.wheelNeedsPassword = mkOption { package = mkPackageOption pkgs "sudo" { }; wheelNeedsPassword = mkOption { type = types.bool; default = true; description = lib.mdDoc '' description = mdDoc '' Whether users of the `wheel` group must provide a password to run commands as super user via {command}`sudo`. ''; }; security.sudo.execWheelOnly = mkOption { execWheelOnly = mkOption { type = types.bool; default = false; description = lib.mdDoc '' description = mdDoc '' Only allow members of the `wheel` group to execute sudo by setting the executable's permissions accordingly. This prevents users that are not members of `wheel` from Loading 
@@ -70,19 +67,18 @@ in ''; }; security.sudo.configFile = mkOption { configFile = mkOption { type = types.lines; # Note: if syntax errors are detected in this file, the NixOS # configuration will fail to build. description = lib.mdDoc '' description = mdDoc '' This string contains the contents of the {file}`sudoers` file. ''; }; security.sudo.extraRules = mkOption { description = lib.mdDoc '' extraRules = mkOption { description = mdDoc '' Define specific rules to be in the {file}`sudoers` file. More specific rules should come after more general ones in order to yield the expected behavior. You can use mkBefore/mkAfter to ensure Loading Loading @@ -112,7 +108,7 @@ in options = { users = mkOption { type = with types; listOf (either str int); description = lib.mdDoc '' description = mdDoc '' The usernames / UIDs this rule should apply for. ''; default = []; Loading @@ -120,7 +116,7 @@ in groups = mkOption { type = with types; listOf (either str int); description = lib.mdDoc '' description = mdDoc '' The groups / GIDs this rule should apply for. ''; default = []; Loading @@ -129,7 +125,7 @@ in host = mkOption { type = types.str; default = "ALL"; description = lib.mdDoc '' description = mdDoc '' For what host this rule should apply. ''; }; Loading @@ -137,7 +133,7 @@ in runAs = mkOption { type = with types; str; default = "ALL:ALL"; description = lib.mdDoc '' description = mdDoc '' Under which user/group the specified command is allowed to run. A user can be specified using just the username: `"foo"`. Loading @@ -147,7 +143,7 @@ in }; commands = mkOption { description = lib.mdDoc '' description = mdDoc '' The commands for which the rule should apply. ''; type = with types; listOf (either str (submodule { Loading 
@@ -155,7 +151,7 @@ in options = { command = mkOption { type = with types; str; description = lib.mdDoc '' description = mdDoc '' A command being either just a path to a binary to allow any arguments, the full command with arguments pre-set or with `""` used as the argument, not allowing arguments to the command at all. Loading @@ -164,7 +160,7 @@ in options = mkOption { type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]); description = lib.mdDoc '' description = mdDoc '' Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html). ''; default = []; Loading @@ -177,10 +173,10 @@ in }); }; security.sudo.extraConfig = mkOption { extraConfig = mkOption { type = types.lines; default = ""; description = lib.mdDoc '' description = mdDoc '' Extra configuration text appended to {file}`sudoers`. ''; }; Loading 
@@ -195,39 +191,48 @@ in message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; } ]; # We `mkOrder 600` so that the default rule shows up first, but there is # still enough room for a user to `mkBefore` it. security.sudo.extraRules = mkOrder 600 [ { groups = [ "wheel" ]; commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ]; } security.sudo.extraRules = let defaultRule = { users ? [], groups ? [], opts ? [] }: [ { inherit users groups; commands = [ { command = "ALL"; options = opts ++ cfg.defaultOptions; } ]; } ]; in mkMerge [ # This is ordered before users' `mkBefore` rules, # so as not to introduce unexpected changes. (mkOrder 400 (defaultRule { users = [ "root" ]; })) # This is ordered to show before (most) other rules, but # late-enough for a user to `mkBefore` it. (mkOrder 600 (defaultRule { groups = [ "wheel" ]; opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD"); })) ]; security.sudo.configFile = security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [ '' # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’ # or ‘security.sudo.extraRules’ instead. # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. Defaults env_keep+=SSH_AUTH_SOCK # "root" is allowed to do anything. root ALL=(ALL:ALL) SETENV: ALL # extraRules ${concatStringsSep "\n" ( lists.flatten ( map ( rule: optionals (length rule.commands != 0) [ '' (pipe cfg.extraRules [ (filter (rule: length rule.commands != 0)) (map (rule: [ (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) ] ) cfg.extraRules ) )} ])) flatten (concatStringsSep "\n") ]) "\n" (optionalString (cfg.extraConfig != "") '' # extraConfig ${cfg.extraConfig} ''; '') ]); security.wrappers = let owner = "root"; Loading Loading
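Review bot: The new `defaultOptions` option in the `@@ -28,41 +30,36 @@` hunk is typed `listOf str`, while the per-command `options` in the `@@ -164,7 +160,7 @@` hunk is restricted to an enum of sudoers tags; since `defaultOptions` is spliced into the `root` and `wheel` rules that grant `ALL`, a stray value here either fails the build (per the note on `configFile`) or, if it happens to parse, silently changes the tags on the most privileged rules. Reusing the same enum keeps the two consistent: `type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);`. In this last hunk, `opts ++ cfg.defaultOptions` can also emit a tag twice when a user puts `NOPASSWD` in `defaultOptions` with `wheelNeedsPassword = false`; sudoers appears to tolerate repeated tags, but `options = unique (opts ++ cfg.defaultOptions);` would avoid the noise in the generated file.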
nixos/modules/config/terminfo.nix +1 −4 Original line number Diff line number Diff line Loading @@ -16,10 +16,7 @@ with lib; }; security.sudo.keepTerminfo = mkOption { default = config.security.sudo.package.pname != "sudo-rs"; defaultText = literalMD '' `true` unless using `sudo-rs` ''; default = true; type = types.bool; description = lib.mdDoc '' Whether to preserve the `TERMINFO` and `TERMINFO_DIRS` Loading
nixos/modules/security/pam.nix +5 −1 Original line number Diff line number Diff line Loading @@ -1531,6 +1531,10 @@ in (map (module: "mr ${module},")) concatLines ]); }; security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth '' # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. Defaults env_keep+=SSH_AUTH_SOCK ''; }; }
nixos/modules/security/sudo.nix +76 −71 Original line number Diff line number Diff line Loading @@ -6,6 +6,8 @@ let cfg = config.security.sudo; inherit (config.security.pam) enableSSHAgentAuth; toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; Loading @@ -28,41 +30,36 @@ in ###### interface options = { options.security.sudo = { security.sudo.enable = mkOption { type = types.bool; default = true; description = lib.mdDoc '' Whether to enable the {command}`sudo` command, which allows non-root users to execute commands as root. defaultOptions = mkOption { type = with types; listOf str; default = [ "SETENV" ]; description = mdDoc '' Options used for the default rules, granting `root` and the `wheel` group permission to run any command as any user. ''; }; security.sudo.package = mkOption { type = types.package; default = pkgs.sudo; defaultText = literalExpression "pkgs.sudo"; description = lib.mdDoc '' Which package to use for `sudo`. ''; }; enable = mkEnableOption (mdDoc '' the {command}`sudo` command, which allows non-root users to execute commands as root. ''); security.sudo.wheelNeedsPassword = mkOption { package = mkPackageOption pkgs "sudo" { }; wheelNeedsPassword = mkOption { type = types.bool; default = true; description = lib.mdDoc '' description = mdDoc '' Whether users of the `wheel` group must provide a password to run commands as super user via {command}`sudo`. ''; }; security.sudo.execWheelOnly = mkOption { execWheelOnly = mkOption { type = types.bool; default = false; description = lib.mdDoc '' description = mdDoc '' Only allow members of the `wheel` group to execute sudo by setting the executable's permissions accordingly. This prevents users that are not members of `wheel` from Loading 
@@ -70,19 +67,18 @@ in ''; }; security.sudo.configFile = mkOption { configFile = mkOption { type = types.lines; # Note: if syntax errors are detected in this file, the NixOS # configuration will fail to build. description = lib.mdDoc '' description = mdDoc '' This string contains the contents of the {file}`sudoers` file. ''; }; security.sudo.extraRules = mkOption { description = lib.mdDoc '' extraRules = mkOption { description = mdDoc '' Define specific rules to be in the {file}`sudoers` file. More specific rules should come after more general ones in order to yield the expected behavior. You can use mkBefore/mkAfter to ensure Loading Loading @@ -112,7 +108,7 @@ in options = { users = mkOption { type = with types; listOf (either str int); description = lib.mdDoc '' description = mdDoc '' The usernames / UIDs this rule should apply for. ''; default = []; Loading @@ -120,7 +116,7 @@ in groups = mkOption { type = with types; listOf (either str int); description = lib.mdDoc '' description = mdDoc '' The groups / GIDs this rule should apply for. ''; default = []; Loading @@ -129,7 +125,7 @@ in host = mkOption { type = types.str; default = "ALL"; description = lib.mdDoc '' description = mdDoc '' For what host this rule should apply. ''; }; Loading @@ -137,7 +133,7 @@ in runAs = mkOption { type = with types; str; default = "ALL:ALL"; description = lib.mdDoc '' description = mdDoc '' Under which user/group the specified command is allowed to run. A user can be specified using just the username: `"foo"`. Loading @@ -147,7 +143,7 @@ in }; commands = mkOption { description = lib.mdDoc '' description = mdDoc '' The commands for which the rule should apply. ''; type = with types; listOf (either str (submodule { Loading 
@@ -155,7 +151,7 @@ in options = { command = mkOption { type = with types; str; description = lib.mdDoc '' description = mdDoc '' A command being either just a path to a binary to allow any arguments, the full command with arguments pre-set or with `""` used as the argument, not allowing arguments to the command at all. Loading @@ -164,7 +160,7 @@ in options = mkOption { type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]); description = lib.mdDoc '' description = mdDoc '' Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html). ''; default = []; Loading @@ -177,10 +173,10 @@ in }); }; security.sudo.extraConfig = mkOption { extraConfig = mkOption { type = types.lines; default = ""; description = lib.mdDoc '' description = mdDoc '' Extra configuration text appended to {file}`sudoers`. ''; }; Loading 
@@ -195,39 +191,48 @@ in message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; } ]; # We `mkOrder 600` so that the default rule shows up first, but there is # still enough room for a user to `mkBefore` it. security.sudo.extraRules = mkOrder 600 [ { groups = [ "wheel" ]; commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ]; } security.sudo.extraRules = let defaultRule = { users ? [], groups ? [], opts ? [] }: [ { inherit users groups; commands = [ { command = "ALL"; options = opts ++ cfg.defaultOptions; } ]; } ]; in mkMerge [ # This is ordered before users' `mkBefore` rules, # so as not to introduce unexpected changes. (mkOrder 400 (defaultRule { users = [ "root" ]; })) # This is ordered to show before (most) other rules, but # late-enough for a user to `mkBefore` it. (mkOrder 600 (defaultRule { groups = [ "wheel" ]; opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD"); })) ]; security.sudo.configFile = security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [ '' # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’ # or ‘security.sudo.extraRules’ instead. # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. Defaults env_keep+=SSH_AUTH_SOCK # "root" is allowed to do anything. root ALL=(ALL:ALL) SETENV: ALL # extraRules ${concatStringsSep "\n" ( lists.flatten ( map ( rule: optionals (length rule.commands != 0) [ '' (pipe cfg.extraRules [ (filter (rule: length rule.commands != 0)) (map (rule: [ (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) ] ) cfg.extraRules ) )} ])) flatten (concatStringsSep "\n") ]) "\n" (optionalString (cfg.extraConfig != "") '' # extraConfig ${cfg.extraConfig} ''; '') ]); security.wrappers = let owner = "root"; Loading