Merge pull request #263471 from nbraud/nixos/sudo-rs/cleanup
This commit is contained in:
commit
3250f15338
4 changed files with 40 additions and 64 deletions
|
@ -22,16 +22,20 @@
|
||||||
|
|
||||||
- [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
|
- [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
|
||||||
An experimental new module `security.sudo-rs` was added.
|
An experimental new module `security.sudo-rs` was added.
|
||||||
Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces
|
Switching to it (via ` security.sudo-rs.enable = true;`) introduces
|
||||||
slight changes in sudo behaviour, due to `sudo-rs`' current limitations:
|
slight changes in sudo behaviour, due to `sudo-rs`' current limitations:
|
||||||
- terminfo-related environment variables aren't preserved for `root` and `wheel`;
|
- terminfo-related environment variables aren't preserved for `root` and `wheel`;
|
||||||
- `root` and `wheel` are not given the ability to set (or preserve)
|
- `root` and `wheel` are not given the ability to set (or preserve)
|
||||||
arbitrary environment variables.
|
arbitrary environment variables.
|
||||||
|
|
||||||
- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
|
**Note:** The `sudo-rs` module only takes configuration through `security.sudo-rs`,
|
||||||
|
and in particular does not automatically use previously-set rules; this could be
|
||||||
|
achieved with `security.sudo-rs.extraRules = security.sudo.extraRules;` for instance.
|
||||||
|
|
||||||
[`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
|
[`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
|
||||||
|
|
||||||
|
- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
|
||||||
|
|
||||||
- `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`.
|
- `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`.
|
||||||
- Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released.
|
- Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released.
|
||||||
|
|
||||||
|
|
|
@ -943,6 +943,11 @@ let
|
||||||
value.source = pkgs.writeText "${name}.pam" service.text;
|
value.source = pkgs.writeText "${name}.pam" service.text;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth ''
|
||||||
|
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
|
||||||
|
Defaults env_keep+=SSH_AUTH_SOCK
|
||||||
|
'';
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -1532,9 +1537,7 @@ in
|
||||||
concatLines
|
concatLines
|
||||||
]);
|
]);
|
||||||
|
|
||||||
security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''
|
security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;
|
||||||
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
|
security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth;
|
||||||
Defaults env_keep+=SSH_AUTH_SOCK
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,16 +4,9 @@ with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
inherit (pkgs) sudo sudo-rs;
|
|
||||||
|
|
||||||
cfg = config.security.sudo-rs;
|
cfg = config.security.sudo-rs;
|
||||||
|
|
||||||
enableSSHAgentAuth =
|
inherit (config.security.pam) enableSSHAgentAuth;
|
||||||
with config.security;
|
|
||||||
pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
|
|
||||||
|
|
||||||
usingMillersSudo = cfg.package.pname == sudo.pname;
|
|
||||||
usingSudoRs = cfg.package.pname == sudo-rs.pname;
|
|
||||||
|
|
||||||
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
|
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
|
||||||
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
|
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
|
||||||
|
@ -41,33 +34,19 @@ in
|
||||||
|
|
||||||
defaultOptions = mkOption {
|
defaultOptions = mkOption {
|
||||||
type = with types; listOf str;
|
type = with types; listOf str;
|
||||||
default = optional usingMillersSudo "SETENV";
|
default = [];
|
||||||
defaultText = literalMD ''
|
|
||||||
`[ "SETENV" ]` if using the default `sudo` implementation
|
|
||||||
'';
|
|
||||||
description = mdDoc ''
|
description = mdDoc ''
|
||||||
Options used for the default rules, granting `root` and the
|
Options used for the default rules, granting `root` and the
|
||||||
`wheel` group permission to run any command as any user.
|
`wheel` group permission to run any command as any user.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
enable = mkOption {
|
enable = mkEnableOption (mdDoc ''
|
||||||
type = types.bool;
|
a memory-safe implementation of the {command}`sudo` command,
|
||||||
default = false;
|
which allows non-root users to execute commands as root.
|
||||||
description = mdDoc ''
|
'');
|
||||||
Whether to enable the {command}`sudo` command, which
|
|
||||||
allows non-root users to execute commands as root.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
package = mkOption {
|
package = mkPackageOption pkgs "sudo-rs" { };
|
||||||
type = types.package;
|
|
||||||
default = pkgs.sudo-rs;
|
|
||||||
defaultText = literalExpression "pkgs.sudo-rs";
|
|
||||||
description = mdDoc ''
|
|
||||||
Which package to use for `sudo`.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
wheelNeedsPassword = mkOption {
|
wheelNeedsPassword = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
|
@ -208,6 +187,12 @@ in
|
||||||
###### implementation
|
###### implementation
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
assertions = [ {
|
||||||
|
assertion = ! config.security.sudo.enable;
|
||||||
|
message = "`security.sudo` and `security.sudo-rs` cannot both be enabled";
|
||||||
|
}];
|
||||||
|
security.sudo.enable = mkDefault false;
|
||||||
|
|
||||||
security.sudo-rs.extraRules =
|
security.sudo-rs.extraRules =
|
||||||
let
|
let
|
||||||
defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
|
defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
|
||||||
|
@ -235,20 +220,16 @@ in
|
||||||
# Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’
|
# Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’
|
||||||
# or ‘security.sudo-rs.extraRules’ instead.
|
# or ‘security.sudo-rs.extraRules’ instead.
|
||||||
''
|
''
|
||||||
(optionalString enableSSHAgentAuth ''
|
(pipe cfg.extraRules [
|
||||||
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
|
(filter (rule: length rule.commands != 0))
|
||||||
Defaults env_keep+=SSH_AUTH_SOCK
|
(map (rule: [
|
||||||
'')
|
|
||||||
(concatStringsSep "\n" (
|
|
||||||
lists.flatten (
|
|
||||||
map (
|
|
||||||
rule: optionals (length rule.commands != 0) [
|
|
||||||
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
|
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
|
||||||
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
|
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
|
||||||
]
|
]))
|
||||||
) cfg.extraRules
|
flatten
|
||||||
)
|
(concatStringsSep "\n")
|
||||||
) + "\n")
|
])
|
||||||
|
"\n"
|
||||||
(optionalString (cfg.extraConfig != "") ''
|
(optionalString (cfg.extraConfig != "") ''
|
||||||
# extraConfig
|
# extraConfig
|
||||||
${cfg.extraConfig}
|
${cfg.extraConfig}
|
||||||
|
@ -265,18 +246,12 @@ in
|
||||||
source = "${cfg.package.out}/bin/sudo";
|
source = "${cfg.package.out}/bin/sudo";
|
||||||
inherit owner group setuid permissions;
|
inherit owner group setuid permissions;
|
||||||
};
|
};
|
||||||
# sudo-rs does not yet ship a sudoedit (as of v0.2.0)
|
|
||||||
sudoedit = mkIf usingMillersSudo {
|
|
||||||
source = "${cfg.package.out}/bin/sudoedit";
|
|
||||||
inherit owner group setuid permissions;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = [ sudo ];
|
environment.systemPackages = [ cfg.package ];
|
||||||
|
|
||||||
security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
|
security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
|
||||||
security.pam.services.sudo-i = mkIf usingSudoRs
|
security.pam.services.sudo-i = { sshAgentAuth = true; usshAuth = true; };
|
||||||
{ sshAgentAuth = true; usshAuth = true; };
|
|
||||||
|
|
||||||
environment.etc.sudoers =
|
environment.etc.sudoers =
|
||||||
{ source =
|
{ source =
|
||||||
|
@ -285,7 +260,7 @@ in
|
||||||
src = pkgs.writeText "sudoers-in" cfg.configFile;
|
src = pkgs.writeText "sudoers-in" cfg.configFile;
|
||||||
preferLocalBuild = true;
|
preferLocalBuild = true;
|
||||||
}
|
}
|
||||||
"${pkgs.buildPackages."${cfg.package.pname}"}/bin/visudo -f $src -c && cp $src $out";
|
"${pkgs.buildPackages.sudo-rs}/bin/visudo -f $src -c && cp $src $out";
|
||||||
mode = "0440";
|
mode = "0440";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -22,11 +22,8 @@ in
|
||||||
test5 = { isNormalUser = true; };
|
test5 = { isNormalUser = true; };
|
||||||
};
|
};
|
||||||
|
|
||||||
security.sudo.enable = false;
|
|
||||||
|
|
||||||
security.sudo-rs = {
|
security.sudo-rs = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.sudo-rs;
|
|
||||||
wheelNeedsPassword = false;
|
wheelNeedsPassword = false;
|
||||||
|
|
||||||
extraRules = [
|
extraRules = [
|
||||||
|
@ -56,10 +53,7 @@ in
|
||||||
noadmin = { isNormalUser = true; };
|
noadmin = { isNormalUser = true; };
|
||||||
};
|
};
|
||||||
|
|
||||||
security.sudo.enable = false;
|
|
||||||
|
|
||||||
security.sudo-rs = {
|
security.sudo-rs = {
|
||||||
package = pkgs.sudo-rs;
|
|
||||||
enable = true;
|
enable = true;
|
||||||
wheelNeedsPassword = false;
|
wheelNeedsPassword = false;
|
||||||
execWheelOnly = true;
|
execWheelOnly = true;
|
||||||
|
|
Loading…
Reference in a new issue