From 13e2c75c932adac6a198e35b04e2cb9a1eaf86cf Mon Sep 17 00:00:00 2001
From: Cole Helbling
Date: Sun, 10 May 2020 21:49:52 -0700
Subject: [PATCH] nixos/sudo: default rule should be first

In /etc/sudoers, the last-matched rule will override all previously-matched rules. Thus, make the default rule show up first (but still allow some wiggle room for a user to `mkBefore` it), before any user-defined rules.
---
 nixos/modules/security/sudo.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index e3e43177def3..1ed5269c5ae7 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -173,7 +173,9 @@ in
 config = mkIf cfg.enable {
- security.sudo.extraRules = [
+ # We `mkOrder 600` so that the default rule shows up first, but there is
+ # still enough room for a user to `mkBefore` it.
+ security.sudo.extraRules = mkOrder 600 [
 { groups = [ "wheel" ]; commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ]; }
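Review bot: The new comment above `security.sudo.extraRules` explains the `mkOrder 600` number but not its access-control consequence, which is what a maintainer auditing sudo policy needs to know. Because sudoers applies the last matching rule (as the commit message says), any rule a user adds at the default order now takes precedence over the wheel rule for wheel members on the commands it matches, including over the `wheelNeedsPassword` choice, while a rule placed with `mkBefore` is overridden by the wheel rule. I would extend the comment with `# sudoers is last-match-wins: rules at the default order override this one for wheel members; rules placed with mkBefore are overridden by it.` and repeat that in the `extraRules` option description, which is outside this hunk. The `config = mkIf cfg.enable {` block continues past the end of the hunk.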