Merge pull request #263471 from nbraud/nixos/sudo-rs/cleanup

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -22,16 +22,20 @@
 
 - [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
   An experimental new module `security.sudo-rs` was added.
-  Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces
+  Switching to it (via ` security.sudo-rs.enable = true;`) introduces
   slight changes in sudo behaviour, due to `sudo-rs`' current limitations:
   - terminfo-related environment variables aren't preserved for `root` and `wheel`;
   - `root` and `wheel` are not given the ability to set (or preserve)
     arbitrary environment variables.
 
-- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
+  **Note:** The `sudo-rs` module only takes configuration through `security.sudo-rs`,
+  and in particular does not automatically use previously-set rules; this could be
+  achieved with `security.sudo-rs.extraRules = security.sudo.extraRules;` for instance.
 
 [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
 
+- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
+
 - `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`.
   - Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released.
 

nixos/modules/security/pam.nix

@@ -943,6 +943,11 @@ let
       value.source = pkgs.writeText "${name}.pam" service.text;
     };
 
+  optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth ''
+    # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+    Defaults env_keep+=SSH_AUTH_SOCK
+  '';
+
 in
 
 {
@@ -1532,9 +1537,7 @@ in
         concatLines
       ]);
 
-    security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''
+    security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;
-      # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+    security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth;
-      Defaults env_keep+=SSH_AUTH_SOCK
+  };
-    '';
-    };
 }

nixos/modules/security/sudo-rs.nix

@@ -4,16 +4,9 @@ with lib;
 
 let
 
-  inherit (pkgs) sudo sudo-rs;
-
   cfg = config.security.sudo-rs;
 
-  enableSSHAgentAuth =
+  inherit (config.security.pam) enableSSHAgentAuth;
-    with config.security;
-    pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
-
-  usingMillersSudo = cfg.package.pname == sudo.pname;
-  usingSudoRs = cfg.package.pname == sudo-rs.pname;
 
   toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
   toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
@@ -41,33 +34,19 @@ in
 
     defaultOptions = mkOption {
       type = with types; listOf str;
-      default = optional usingMillersSudo "SETENV";
+      default = [];
-      defaultText = literalMD ''
-        `[ "SETENV" ]` if using the default `sudo` implementation
-      '';
       description = mdDoc ''
         Options used for the default rules, granting `root` and the
         `wheel` group permission to run any command as any user.
       '';
     };
 
-    enable = mkOption {
+    enable = mkEnableOption (mdDoc ''
-      type = types.bool;
+      a memory-safe implementation of the {command}`sudo` command,
-      default = false;
+      which allows non-root users to execute commands as root.
-      description = mdDoc ''
+    '');
-        Whether to enable the {command}`sudo` command, which
-        allows non-root users to execute commands as root.
-      '';
-    };
 
-    package = mkOption {
+    package = mkPackageOption pkgs "sudo-rs" { };
-      type = types.package;
-      default = pkgs.sudo-rs;
-      defaultText = literalExpression "pkgs.sudo-rs";
-      description = mdDoc ''
-        Which package to use for `sudo`.
-      '';
-    };
 
     wheelNeedsPassword = mkOption {
       type = types.bool;
@@ -208,6 +187,12 @@ in
   ###### implementation
 
   config = mkIf cfg.enable {
+    assertions = [ {
+      assertion = ! config.security.sudo.enable;
+      message = "`security.sudo` and `security.sudo-rs` cannot both be enabled";
+    }];
+    security.sudo.enable = mkDefault false;
+
     security.sudo-rs.extraRules =
       let
         defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
@@ -235,20 +220,16 @@ in
         # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’
         # or ‘security.sudo-rs.extraRules’ instead.
       ''
-      (optionalString enableSSHAgentAuth ''
+      (pipe cfg.extraRules [
-        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+        (filter (rule: length rule.commands != 0))
-        Defaults env_keep+=SSH_AUTH_SOCK
+        (map (rule: [
-      '')
+          (map (user: "${toUserString user}     ${rule.host}=(${rule.runAs})    ${toCommandsString rule.commands}") rule.users)
-      (concatStringsSep "\n" (
+          (map (group: "${toGroupString group}  ${rule.host}=(${rule.runAs})    ${toCommandsString rule.commands}") rule.groups)
-        lists.flatten (
+        ]))
-          map (
+        flatten
-            rule: optionals (length rule.commands != 0) [
+        (concatStringsSep "\n")
-              (map (user: "${toUserString user}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.users)
+      ])
-              (map (group: "${toGroupString group}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.groups)
+      "\n"
-            ]
-          ) cfg.extraRules
-        )
-      ) + "\n")
       (optionalString (cfg.extraConfig != "") ''
         # extraConfig
         ${cfg.extraConfig}
@@ -265,18 +246,12 @@ in
         source = "${cfg.package.out}/bin/sudo";
         inherit owner group setuid permissions;
       };
-      # sudo-rs does not yet ship a sudoedit (as of v0.2.0)
-      sudoedit = mkIf usingMillersSudo {
-        source = "${cfg.package.out}/bin/sudoedit";
-        inherit owner group setuid permissions;
-      };
     };
 
-    environment.systemPackages = [ sudo ];
+    environment.systemPackages = [ cfg.package ];
 
     security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
-    security.pam.services.sudo-i = mkIf usingSudoRs
+    security.pam.services.sudo-i = { sshAgentAuth = true; usshAuth = true; };
-      { sshAgentAuth = true; usshAuth = true; };
 
     environment.etc.sudoers =
       { source =
@@ -285,7 +260,7 @@ in
             src = pkgs.writeText "sudoers-in" cfg.configFile;
             preferLocalBuild = true;
           }
-          "${pkgs.buildPackages."${cfg.package.pname}"}/bin/visudo -f $src -c && cp $src $out";
+          "${pkgs.buildPackages.sudo-rs}/bin/visudo -f $src -c && cp $src $out";
         mode = "0440";
       };
 

nixos/tests/sudo-rs.nix

@@ -22,11 +22,8 @@ in
           test5 = { isNormalUser = true; };
         };
 
-        security.sudo.enable = false;
-
         security.sudo-rs = {
           enable = true;
-          package = pkgs.sudo-rs;
           wheelNeedsPassword = false;
 
           extraRules = [
@@ -56,10 +53,7 @@ in
         noadmin = { isNormalUser = true; };
       };
 
-      security.sudo.enable = false;
-
       security.sudo-rs = {
-        package = pkgs.sudo-rs;
         enable = true;
         wheelNeedsPassword = false;
         execWheelOnly = true;