nixos/modules/programs/shadow.nix +8 −1 @@ -22,6 +22,13 @@ in ''; }; security.shadow.su.package = lib.mkPackageOption pkgs [ "shadow" "su" ] { extraDescription = '' This can be overridden by other modules (e.g. sudo-rs) to provide an alternative `su` implementation. ''; }; security.loginDefs = { package = lib.mkPackageOption pkgs "shadow" { }; @@ -262,7 +269,7 @@ in }; in { su = mkSetuidRoot "${cfg.package.su}/bin/su"; su = mkSetuidRoot "${config.security.shadow.su.package}/bin/su"; sg = mkSetuidRoot "${cfg.package.out}/bin/sg"; newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp"; newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap"; nixos/modules/security/sudo-rs.nix +2 −0 @@ -215,6 +215,8 @@ in ]; security.sudo.enable = lib.mkDefault false; security.shadow.su.package = lib.mkDefault cfg.package; security.sudo-rs.extraRules = let defaultRule = nixos/tests/shadow.nix +5 −0 @@ -171,5 +171,10 @@ in shadow.wait_for_file("/tmp/leo") assert "leo" in shadow.succeed("cat /tmp/leo") shadow.send_chars("logout\n") with subtest("su wrapper should point to shadow by default"): output = shadow.succeed("grep -aoP '/nix/store/[a-z0-9]{32}-[^\\x00]+' /run/wrappers/bin/su | head -1").strip() assert "shadow" in output, \ f"su should come from shadow, but points to: {output}" ''; } nixos/tests/sudo-rs.nix +5 −0
@@ -162,5 +162,10 @@ in with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"): strict.fail('faketty -- su - noadmin -c "sudo --help"') with subtest("su should come from sudo-rs"): output = machine.succeed("grep -aoP '/nix/store/[a-z0-9]{32}-[^\\x00]+' /run/wrappers/bin/su | head -1").strip() assert "sudo-rs" in output, \ f"su should come from sudo-rs, but points to: {output}" ''; }
nixos/modules/programs/shadow.nix +8 −1 @@ -22,6 +22,13 @@ in ''; }; security.shadow.su.package = lib.mkPackageOption pkgs [ "shadow" "su" ] { extraDescription = '' This can be overridden by other modules (e.g. sudo-rs) to provide an alternative `su` implementation. ''; }; security.loginDefs = { package = lib.mkPackageOption pkgs "shadow" { }; @@ -262,7 +269,7 @@ in }; in { su = mkSetuidRoot "${cfg.package.su}/bin/su"; su = mkSetuidRoot "${config.security.shadow.su.package}/bin/su"; sg = mkSetuidRoot "${cfg.package.out}/bin/sg"; newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp"; newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
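Review bot: The new `security.shadow.su.package` option defaults to the stock `pkgs.shadow.su`, so the setuid-root `su` wrapper no longer follows `security.loginDefs.package`. The removed line built the wrapper from `cfg.package.su`; assuming `cfg` is `config.security.loginDefs` (its binding is outside the hunk), a system that pins or patches shadow through that option would now get `sg`, `newgrp` and `newuidmap` from its own package but `su` from the default one, with no warning. I would declare the option with `lib.mkOption` and `default = config.security.loginDefs.package.su;` plus a matching `defaultText`, so the default keeps tracking the configured shadow package. The description should also state that this package is installed setuid root and must provide `bin/su`.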
nixos/modules/security/sudo-rs.nix +2 −0 @@ -215,6 +215,8 @@ in ]; security.sudo.enable = lib.mkDefault false; security.shadow.su.package = lib.mkDefault cfg.package; security.sudo-rs.extraRules = let defaultRule =
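Review bot: Nothing at the `security.shadow.su.package = lib.mkDefault cfg.package;` line says that enabling sudo-rs now also replaces the system's setuid-root `su`. I would add a comment such as `# Also back the /run/wrappers/bin/su setuid wrapper with sudo-rs's su; set security.shadow.su.package to keep shadow's su.` and mention the switch in the module's user-facing documentation, because it changes which code runs as root when users authenticate. The line also assumes that every value of the sudo-rs package option ships `bin/su`; that is not visible here, so an override without it would presumably leave the wrapper pointing at a missing path. The enclosing attribute set starts and ends outside the hunk.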
nixos/tests/shadow.nix +5 −0 @@ -171,5 +171,10 @@ in shadow.wait_for_file("/tmp/leo") assert "leo" in shadow.succeed("cat /tmp/leo") shadow.send_chars("logout\n") with subtest("su wrapper should point to shadow by default"): output = shadow.succeed("grep -aoP '/nix/store/[a-z0-9]{32}-[^\\x00]+' /run/wrappers/bin/su | head -1").strip() assert "shadow" in output, \ f"su should come from shadow, but points to: {output}" ''; }
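Review bot: The provenance check in the new subtest is looser than it looks. It takes the first `/nix/store/...` string that `grep` finds in the wrapper binary and accepts it when the name contains `shadow`, so the result depends on the byte layout of the wrapper and would pass for any store path with that substring. Comparing against the exact expected path interpolated from Nix is tighter, for example `assert "${pkgs.shadow.su}" in output`, if `pkgs` is in scope in this test file (not visible in the hunk). The same applies to the `su should come from sudo-rs` subtest in nixos/tests/sudo-rs.nix, which matches on the substring `sudo-rs`.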
nixos/tests/sudo-rs.nix +5 −0 @@ -162,5 +162,10 @@ in with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"): strict.fail('faketty -- su - noadmin -c "sudo --help"') with subtest("su should come from sudo-rs"): output = machine.succeed("grep -aoP '/nix/store/[a-z0-9]{32}-[^\\x00]+' /run/wrappers/bin/su | head -1").strip() assert "sudo-rs" in output, \ f"su should come from sudo-rs, but points to: {output}" ''; }