Unverified Commit d5e34f5e authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub
Browse files

Merge release-23.11 into staging-next-23.11

parents 363facf4 20fd3800

doc/packages/darwin-builder.section.md

+5 −1
Original line number Diff line number Diff line
@@ -94,7 +94,11 @@ $ sudo launchctl kickstart -k system/org.nixos.nix-daemon 
      system = linuxSystem;

      modules = [

        "${nixpkgs}/nixos/modules/profiles/macos-builder.nix"

        { virtualisation.host.pkgs = pkgs; }

        { virtualisation = {

            host.pkgs = pkgs;

            darwin-builder.workingDirectory = "/var/lib/darwin-builder";

          };

        };

      ];

    };

  in {

nixos/doc/manual/release-notes/rl-2311.section.md

+6 −2
Original line number Diff line number Diff line
@@ -22,16 +22,20 @@ 


- [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.

  An experimental new module `security.sudo-rs` was added.

  Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces

  Switching to it (via ` security.sudo-rs.enable = true;`) introduces

  slight changes in sudo behaviour, due to `sudo-rs`' current limitations:

  - terminfo-related environment variables aren't preserved for `root` and `wheel`;

  - `root` and `wheel` are not given the ability to set (or preserve)

    arbitrary environment variables.



- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.

  **Note:** The `sudo-rs` module only takes configuration through `security.sudo-rs`,

  and in particular does not automatically use previously-set rules; this could be

  achieved with `security.sudo-rs.extraRules = security.sudo.extraRules;` for instance.



[`sudo-rs`]: https://github.com/memorysafety/sudo-rs/



- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.



- `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`.

  - Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released.

nixos/modules/security/pam.nix

+8 −5
Original line number Diff line number Diff line
@@ -943,6 +943,11 @@ let 
      value.source = pkgs.writeText "${name}.pam" service.text;

    };



  optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth ''

    # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.

    Defaults env_keep+=SSH_AUTH_SOCK

  '';



in



{
@@ -1532,9 +1537,7 @@ in 
        concatLines

      ]);



    security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''

      # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.

      Defaults env_keep+=SSH_AUTH_SOCK

    '';

    security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;

    security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth;

  };

}

nixos/modules/security/sudo-rs.nix

+26 −51
Original line number Diff line number Diff line
@@ -4,16 +4,9 @@ with lib; 


let



  inherit (pkgs) sudo sudo-rs;



  cfg = config.security.sudo-rs;



  enableSSHAgentAuth =

    with config.security;

    pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;



  usingMillersSudo = cfg.package.pname == sudo.pname;

  usingSudoRs = cfg.package.pname == sudo-rs.pname;

  inherit (config.security.pam) enableSSHAgentAuth;



  toUserString = user: if (isInt user) then "#${toString user}" else "${user}";

  toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
@@ -41,33 +34,19 @@ in 


    defaultOptions = mkOption {

      type = with types; listOf str;

      default = optional usingMillersSudo "SETENV";

      defaultText = literalMD ''

        `[ "SETENV" ]` if using the default `sudo` implementation

      '';

      default = [];

      description = mdDoc ''

        Options used for the default rules, granting `root` and the

        `wheel` group permission to run any command as any user.

      '';

    };



    enable = mkOption {

      type = types.bool;

      default = false;

      description = mdDoc ''

        Whether to enable the {command}`sudo` command, which

        allows non-root users to execute commands as root.

      '';

    };

    enable = mkEnableOption (mdDoc ''

      a memory-safe implementation of the {command}`sudo` command,

      which allows non-root users to execute commands as root.

    '');



    package = mkOption {

      type = types.package;

      default = pkgs.sudo-rs;

      defaultText = literalExpression "pkgs.sudo-rs";

      description = mdDoc ''

        Which package to use for `sudo`.

      '';

    };

    package = mkPackageOption pkgs "sudo-rs" { };



    wheelNeedsPassword = mkOption {

      type = types.bool;
@@ -208,6 +187,12 @@ in 
  ###### implementation



  config = mkIf cfg.enable {

    assertions = [ {

      assertion = ! config.security.sudo.enable;

      message = "`security.sudo` and `security.sudo-rs` cannot both be enabled";

    }];

    security.sudo.enable = mkDefault false;



    security.sudo-rs.extraRules =

      let

        defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
@@ -235,20 +220,16 @@ in 
        # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’

        # or ‘security.sudo-rs.extraRules’ instead.

      ''

      (optionalString enableSSHAgentAuth ''

        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.

        Defaults env_keep+=SSH_AUTH_SOCK

      '')

      (concatStringsSep "\n" (

        lists.flatten (

          map (

            rule: optionals (length rule.commands != 0) [

      (pipe cfg.extraRules [

        (filter (rule: length rule.commands != 0))

        (map (rule: [

          (map (user: "${toUserString user}     ${rule.host}=(${rule.runAs})    ${toCommandsString rule.commands}") rule.users)

          (map (group: "${toGroupString group}  ${rule.host}=(${rule.runAs})    ${toCommandsString rule.commands}") rule.groups)

            ]

          ) cfg.extraRules

        )

      ) + "\n")

        ]))

        flatten

        (concatStringsSep "\n")

      ])

      "\n"

      (optionalString (cfg.extraConfig != "") ''

        # extraConfig

        ${cfg.extraConfig}
@@ -265,18 +246,12 @@ in 
        source = "${cfg.package.out}/bin/sudo";

        inherit owner group setuid permissions;

      };

      # sudo-rs does not yet ship a sudoedit (as of v0.2.0)

      sudoedit = mkIf usingMillersSudo {

        source = "${cfg.package.out}/bin/sudoedit";

        inherit owner group setuid permissions;

      };

    };



    environment.systemPackages = [ sudo ];

    environment.systemPackages = [ cfg.package ];



    security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };

    security.pam.services.sudo-i = mkIf usingSudoRs

      { sshAgentAuth = true; usshAuth = true; };

    security.pam.services.sudo-i = { sshAgentAuth = true; usshAuth = true; };



    environment.etc.sudoers =

      { source =
@@ -285,7 +260,7 @@ in 
            src = pkgs.writeText "sudoers-in" cfg.configFile;

            preferLocalBuild = true;

          }

          "${pkgs.buildPackages."${cfg.package.pname}"}/bin/visudo -f $src -c && cp $src $out";

          "${pkgs.buildPackages.sudo-rs}/bin/visudo -f $src -c && cp $src $out";

        mode = "0440";

      };

nixos/modules/services/backup/btrbk.nix

+18 −17
Original line number Diff line number Diff line
@@ -47,8 +47,21 @@ let 
    then [ "${name} ${value}" ]

    else concatLists (mapAttrsToList (genSection name) value);



  sudoRule = {

    users = [ "btrbk" ];

    commands = [

      { command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; }

      { command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; }

      { command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; }

      # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}

      { command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; }

      { command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; }

      { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }

    ];

  };



  sudo_doas =

    if config.security.sudo.enable then "sudo"

    if config.security.sudo.enable || config.security.sudo-rs.enable then "sudo"

    else if config.security.doas.enable then "doas"

    else throw "The btrbk nixos module needs either sudo or doas enabled in the configuration";
@@ -157,22 +170,10 @@ in 
  };

  config = mkIf (sshEnabled || serviceEnabled) {

    environment.systemPackages = [ pkgs.btrbk ] ++ cfg.extraPackages;

    security.sudo = mkIf (sudo_doas == "sudo") {

      extraRules = [

        {

            users = [ "btrbk" ];

            commands = [

            { command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; }

            { command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; }

            { command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; }

            # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}

            { command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; }

            { command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; }

            { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }

            ];

        }

      ];

    };



    security.sudo.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ];

    security.sudo-rs.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ];



    security.doas = mkIf (sudo_doas == "doas") {

      extraRules = let

        doasCmdNoPass = cmd: { users = [ "btrbk" ]; cmd = cmd; noPass = true; };