Merge pull request #263471 from nbraud/nixos/sudo-rs/cleanup

Maciej Krüger 2023-11-26 19:57:31 +01:00 committed by GitHub
commit 3250f15338
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 40 additions and 64 deletions


@ -22,16 +22,20 @@
- [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported. - [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
An experimental new module `security.sudo-rs` was added. An experimental new module `security.sudo-rs` was added.
Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces Switching to it (via ` security.sudo-rs.enable = true;`) introduces
slight changes in sudo behaviour, due to `sudo-rs`' current limitations: slight changes in sudo behaviour, due to `sudo-rs`' current limitations:
- terminfo-related environment variables aren't preserved for `root` and `wheel`; - terminfo-related environment variables aren't preserved for `root` and `wheel`;
- `root` and `wheel` are not given the ability to set (or preserve) - `root` and `wheel` are not given the ability to set (or preserve)
arbitrary environment variables. arbitrary environment variables.
- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed. **Note:** The `sudo-rs` module only takes configuration through `security.sudo-rs`,
and in particular does not automatically use previously-set rules; this could be
achieved with `security.sudo-rs.extraRules = security.sudo.extraRules;` for instance.
[`sudo-rs`]: https://github.com/memorysafety/sudo-rs/ [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
- `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`. - `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`.
- Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released. - Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released.


@ -943,6 +943,11 @@ let
value.source = pkgs.writeText "${name}.pam" service.text; value.source = pkgs.writeText "${name}.pam" service.text;
}; };
optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth ''
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
'';
in in
{ {
@ -1532,9 +1537,7 @@ in
concatLines concatLines
]); ]);
security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth '' security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth;
Defaults env_keep+=SSH_AUTH_SOCK
'';
}; };
} }
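Review bot: The new `optionalSudoConfigForSSHAgentAuth` binding in the first hunk carries no comment explaining why the sudoers snippet now lives in pam.nix instead of in each sudo module; a line above it such as `# Shared by security.sudo and security.sudo-rs so both generated sudoers files keep SSH_AUTH_SOCK under the same condition.` would save the next reader a search. The second hunk assigns `security.sudo-rs.extraConfig` unconditionally, so pam.nix now relies on the `security.sudo-rs` options always being declared, which holds only if the sudo-rs module is always imported next to pam.nix — not visible on this page. Both the `let` block and the module body extend outside the hunks.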


@ -4,16 +4,9 @@ with lib;
let let
inherit (pkgs) sudo sudo-rs;
cfg = config.security.sudo-rs; cfg = config.security.sudo-rs;
enableSSHAgentAuth = inherit (config.security.pam) enableSSHAgentAuth;
with config.security;
pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
usingMillersSudo = cfg.package.pname == sudo.pname;
usingSudoRs = cfg.package.pname == sudo-rs.pname;
toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
@ -41,33 +34,19 @@ in
defaultOptions = mkOption { defaultOptions = mkOption {
type = with types; listOf str; type = with types; listOf str;
default = optional usingMillersSudo "SETENV"; default = [];
defaultText = literalMD ''
`[ "SETENV" ]` if using the default `sudo` implementation
'';
description = mdDoc '' description = mdDoc ''
Options used for the default rules, granting `root` and the Options used for the default rules, granting `root` and the
`wheel` group permission to run any command as any user. `wheel` group permission to run any command as any user.
''; '';
}; };
enable = mkOption { enable = mkEnableOption (mdDoc ''
type = types.bool; a memory-safe implementation of the {command}`sudo` command,
default = false; which allows non-root users to execute commands as root.
description = mdDoc '' '');
Whether to enable the {command}`sudo` command, which
allows non-root users to execute commands as root.
'';
};
package = mkOption { package = mkPackageOption pkgs "sudo-rs" { };
type = types.package;
default = pkgs.sudo-rs;
defaultText = literalExpression "pkgs.sudo-rs";
description = mdDoc ''
Which package to use for `sudo`.
'';
};
wheelNeedsPassword = mkOption { wheelNeedsPassword = mkOption {
type = types.bool; type = types.bool;
@ -208,6 +187,12 @@ in
###### implementation ###### implementation
config = mkIf cfg.enable { config = mkIf cfg.enable {
assertions = [ {
assertion = ! config.security.sudo.enable;
message = "`security.sudo` and `security.sudo-rs` cannot both be enabled";
}];
security.sudo.enable = mkDefault false;
security.sudo-rs.extraRules = security.sudo-rs.extraRules =
let let
defaultRule = { users ? [], groups ? [], opts ? [] }: [ { defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
@ -235,20 +220,16 @@ in
# Don't edit this file. Set the NixOS options security.sudo-rs.configFile # Don't edit this file. Set the NixOS options security.sudo-rs.configFile
# or security.sudo-rs.extraRules instead. # or security.sudo-rs.extraRules instead.
'' ''
(optionalString enableSSHAgentAuth '' (pipe cfg.extraRules [
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. (filter (rule: length rule.commands != 0))
Defaults env_keep+=SSH_AUTH_SOCK (map (rule: [
'')
(concatStringsSep "\n" (
lists.flatten (
map (
rule: optionals (length rule.commands != 0) [
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
] ]))
) cfg.extraRules flatten
) (concatStringsSep "\n")
) + "\n") ])
"\n"
(optionalString (cfg.extraConfig != "") '' (optionalString (cfg.extraConfig != "") ''
# extraConfig # extraConfig
${cfg.extraConfig} ${cfg.extraConfig}
@ -265,18 +246,12 @@ in
source = "${cfg.package.out}/bin/sudo"; source = "${cfg.package.out}/bin/sudo";
inherit owner group setuid permissions; inherit owner group setuid permissions;
}; };
# sudo-rs does not yet ship a sudoedit (as of v0.2.0)
sudoedit = mkIf usingMillersSudo {
source = "${cfg.package.out}/bin/sudoedit";
inherit owner group setuid permissions;
};
}; };
environment.systemPackages = [ sudo ]; environment.systemPackages = [ cfg.package ];
security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; }; security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
security.pam.services.sudo-i = mkIf usingSudoRs security.pam.services.sudo-i = { sshAgentAuth = true; usshAuth = true; };
{ sshAgentAuth = true; usshAuth = true; };
environment.etc.sudoers = environment.etc.sudoers =
{ source = { source =
@ -285,7 +260,7 @@ in
src = pkgs.writeText "sudoers-in" cfg.configFile; src = pkgs.writeText "sudoers-in" cfg.configFile;
preferLocalBuild = true; preferLocalBuild = true;
} }
"${pkgs.buildPackages."${cfg.package.pname}"}/bin/visudo -f $src -c && cp $src $out"; "${pkgs.buildPackages.sudo-rs}/bin/visudo -f $src -c && cp $src $out";
mode = "0440"; mode = "0440";
}; };
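Review bot: In the last hunk the sudoers file is syntax-checked with `visudo` from `pkgs.buildPackages.sudo-rs`, while the binary that is installed and given setuid is `cfg.package` (the `source = "${cfg.package.out}/bin/sudo"` and `environment.systemPackages = [ cfg.package ]` lines); if `security.sudo-rs.package` is overridden with a different version, the policy file is validated by a parser that may not be the one enforcing it at runtime. Using buildPackages is what cross-compilation needs, so at minimum the assumption should be written down, e.g. `# visudo must run on the build host; assumes cfg.package accepts the same sudoers syntax as pkgs.sudo-rs.` In the first hunk, `inherit (config.security.pam) enableSSHAgentAuth;` looks unused now that the SSH_AUTH_SOCK snippet arrives through `extraConfig` from pam.nix, though the rest of the file is outside this view. The `let` block and the `config = mkIf cfg.enable` body both start or end outside the hunks.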


@ -22,11 +22,8 @@ in
test5 = { isNormalUser = true; }; test5 = { isNormalUser = true; };
}; };
security.sudo.enable = false;
security.sudo-rs = { security.sudo-rs = {
enable = true; enable = true;
package = pkgs.sudo-rs;
wheelNeedsPassword = false; wheelNeedsPassword = false;
extraRules = [ extraRules = [
@ -56,10 +53,7 @@ in
noadmin = { isNormalUser = true; }; noadmin = { isNormalUser = true; };
}; };
security.sudo.enable = false;
security.sudo-rs = { security.sudo-rs = {
package = pkgs.sudo-rs;
enable = true; enable = true;
wheelNeedsPassword = false; wheelNeedsPassword = false;
execWheelOnly = true; execWheelOnly = true;