nixpkgs/nixos/modules/security
ivanbrennan d08967a3a8
nixos/security.sudo: describe extraRules order
The order of sudoers entries is significant. The man page for sudoers(5)
notes:

  Where there are multiple matches, the last match is used (which is not
  necessarily the most specific match).

This module adds a rule for group "wheel" matching all commands. If you
wanted to add a more specific rule allowing members of the "wheel" group
to run command `foo` without a password, you'd need to use mkAfter to
ensure your rule comes after the more general rule.

  extraRules = lib.mkAfter [
    {
      groups = [ "wheel" ];
      commands = [
        {
          command = "${pkgs.foo}/bin/foo";
          options = [ "NOPASSWD" "SETENV" ];
        }
      ];
    }
  ];

Otherwise, when configuration options are merged, if the general rule
ends up after the specific rule, it will dictate the behavior even when
running the `foo` command.
2018-07-01 15:50:51 -04:00
wrappers wrapper.c: fixup includes to work w/musl 2018-03-25 18:06:02 -05:00
acme.nix acme service: generate a CA for self-signed certificate 2018-04-17 12:53:29 +03:00
acme.xml nixos/acme: remove doc note about restarting nginx 2017-10-30 13:51:35 -04:00
apparmor-suid.nix
apparmor.nix
audit.nix nixos: Move uses of stdenv.shell to runtimeShell. 2018-03-01 14:38:53 -05:00
auditd.nix
ca.nix
chromium-suid-sandbox.nix nixos/chromium-suid-sandbox: remove reference to grsecurity 2017-09-02 20:35:28 +02:00
dhparams.nix
duosec.nix duosec: use root uid as sshd uid has been retired (#33597) 2018-03-21 18:46:35 -05:00
hidepid.nix
hidepid.xml
lock-kernel-modules.nix nixos/lock-kernel-modules: fix deferred fileSystem mounts 2017-09-22 23:55:04 +02:00
oath.nix
pam.nix Merge pull request #31969 from Assassinkin/master 2018-04-21 14:36:47 -05:00
pam_mount.nix
pam_usb.nix security.pam.usb: link to wiki on github.com 2017-09-28 16:00:28 +02:00
polkit.nix
prey.nix
rngd.nix
rtkit.nix
sudo.nix nixos/security.sudo: describe extraRules order 2018-07-01 15:50:51 -04:00