Merge pull request #263471 from nbraud/nixos/sudo-rs/cleanup

authored by Maciej Krüger and committed by GitHub 3250f153 ecef65f0

+40 -64
+6 -2
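--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -22,15 +22,19 @@
 
 - [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
   An experimental new module `security.sudo-rs` was added.
-  Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces
+  Switching to it (via ` security.sudo-rs.enable = true;`) introduces
   slight changes in sudo behaviour, due to `sudo-rs`' current limitations:
   - terminfo-related environment variables aren't preserved for `root` and `wheel`;
   - `root` and `wheel` are not given the ability to set (or preserve)
     arbitrary environment variables.
 
-- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
+  **Note:** The `sudo-rs` module only takes configuration through `security.sudo-rs`,
+  and in particular does not automatically use previously-set rules; this could be
+  achieved with `security.sudo-rs.extraRules = security.sudo.extraRules;` for instance.
 
 [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
+
+- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
 
 - `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`.
   Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released.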
+8 -5
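--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -943,6 +943,11 @@
         value.source = pkgs.writeText "${name}.pam" service.text;
       };
 
+  optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth ''
+    # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+    Defaults env_keep+=SSH_AUTH_SOCK
+  '';
+
 in
 
 {
@@ -1532,9 +1537,7 @@
       concatLines
     ]);
 
-    security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''
-      # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
-      Defaults env_keep+=SSH_AUTH_SOCK
-    '';
-  };
+    security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;
+    security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth;
+  };
 }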
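Review bot: The new `optionalSudoConfigForSSHAgentAuth` binding at line 946 keeps `SSH_AUTH_SOCK` in the elevated environment whenever the global `security.pam.enableSSHAgentAuth` is on, without checking that agent authentication is actually enabled for the sudo PAM service; the expression it replaces in sudo-rs.nix (removed lines 11–13 of that file) also required the per-service flag. The sudo-rs module sets `security.pam.services.sudo.sshAgentAuth = true` itself (its line 253) and sudo.nix presumably does the same, so the default outcome is unchanged, but a configuration that forces that flag off would still have the agent socket preserved for both `security.sudo.extraConfig` and `security.sudo-rs.extraConfig` (lines 1540–1541). Consider tightening it to `optionalSudoConfigForSSHAgentAuth = optionalString (config.security.pam.enableSSHAgentAuth && config.security.pam.services.sudo.sshAgentAuth) ''`, or add a comment stating that the env_keep is intentionally tied only to the global switch. The enclosing `let` and `config` blocks start outside these hunks.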
+26 -51
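--- a/nixos/modules/security/sudo-rs.nix
+++ b/nixos/modules/security/sudo-rs.nix
@@ -4,16 +4,9 @@
 
 let
 
-  inherit (pkgs) sudo sudo-rs;
-
   cfg = config.security.sudo-rs;
 
-  enableSSHAgentAuth =
-    with config.security;
-    pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
-
-  usingMillersSudo = cfg.package.pname == sudo.pname;
-  usingSudoRs = cfg.package.pname == sudo-rs.pname;
+  inherit (config.security.pam) enableSSHAgentAuth;
 
   toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
   toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
@@ -41,33 +34,19 @@
 
     defaultOptions = mkOption {
       type = with types; listOf str;
-      default = optional usingMillersSudo "SETENV";
-      defaultText = literalMD ''
-        `[ "SETENV" ]` if using the default `sudo` implementation
-      '';
+      default = [];
       description = mdDoc ''
         Options used for the default rules, granting `root` and the
         `wheel` group permission to run any command as any user.
       '';
     };
 
-    enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = mdDoc ''
-        Whether to enable the {command}`sudo` command, which
-        allows non-root users to execute commands as root.
-      '';
-    };
+    enable = mkEnableOption (mdDoc ''
+      a memory-safe implementation of the {command}`sudo` command,
+      which allows non-root users to execute commands as root.
+    '');
 
-    package = mkOption {
-      type = types.package;
-      default = pkgs.sudo-rs;
-      defaultText = literalExpression "pkgs.sudo-rs";
-      description = mdDoc ''
-        Which package to use for `sudo`.
-      '';
-    };
+    package = mkPackageOption pkgs "sudo-rs" { };
 
     wheelNeedsPassword = mkOption {
       type = types.bool;
@@ -208,6 +187,12 @@
   ###### implementation
 
   config = mkIf cfg.enable {
+    assertions = [ {
+      assertion = ! config.security.sudo.enable;
+      message = "`security.sudo` and `security.sudo-rs` cannot both be enabled";
+    }];
+    security.sudo.enable = mkDefault false;
+
     security.sudo-rs.extraRules =
       let
         defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
@@ -235,20 +220,16 @@
         # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’
         # or ‘security.sudo-rs.extraRules’ instead.
       ''
-      (optionalString enableSSHAgentAuth ''
-        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
-        Defaults env_keep+=SSH_AUTH_SOCK
-      '')
-      (concatStringsSep "\n" (
-        lists.flatten (
-          map (
-            rule: optionals (length rule.commands != 0) [
-              (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
-              (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
-            ]
-          ) cfg.extraRules
-        )
-      ) + "\n")
+      (pipe cfg.extraRules [
+        (filter (rule: length rule.commands != 0))
+        (map (rule: [
+          (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
+          (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
+        ]))
+        flatten
+        (concatStringsSep "\n")
+      ])
+      "\n"
       (optionalString (cfg.extraConfig != "") ''
         # extraConfig
         ${cfg.extraConfig}
@@ -265,18 +246,12 @@
         source = "${cfg.package.out}/bin/sudo";
         inherit owner group setuid permissions;
       };
-      # sudo-rs does not yet ship a sudoedit (as of v0.2.0)
-      sudoedit = mkIf usingMillersSudo {
-        source = "${cfg.package.out}/bin/sudoedit";
-        inherit owner group setuid permissions;
-      };
     };
 
-    environment.systemPackages = [ sudo ];
+    environment.systemPackages = [ cfg.package ];
 
     security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
-    security.pam.services.sudo-i = mkIf usingSudoRs
-      { sshAgentAuth = true; usshAuth = true; };
+    security.pam.services.sudo-i = { sshAgentAuth = true; usshAuth = true; };
 
     environment.etc.sudoers =
       { source =
@@ -285,7 +260,7 @@
           src = pkgs.writeText "sudoers-in" cfg.configFile;
           preferLocalBuild = true;
         }
-        "${pkgs.buildPackages."${cfg.package.pname}"}/bin/visudo -f $src -c && cp $src $out";
+        "${pkgs.buildPackages.sudo-rs}/bin/visudo -f $src -c && cp $src $out";
         mode = "0440";
       };
 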
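Review bot: The sudoers syntax check at new line 263 now runs visudo from `pkgs.buildPackages.sudo-rs`, while the setuid binary that parses the resulting file at runtime comes from `cfg.package` (lines 246 and 251), so a package override through the new `mkPackageOption` at line 49 is validated against a different build than the one that enforces it. Using buildPackages is needed for cross compilation, so the mismatch is probably acceptable, but it deserves a comment next to the visudo call such as `# visudo must run on the build host, so validate with buildPackages.sudo-rs; assumes cfg.package accepts the same sudoers syntax`. Separately, `inherit (config.security.pam) enableSSHAgentAuth;` at new line 9 appears to be left unused now that the env_keep block at removed lines 238–241 lives in pam.nix; if nothing outside these hunks references it, drop the binding. The module's `let` and `config` blocks extend beyond the hunks shown.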
-6
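--- a/nixos/tests/sudo-rs.nix
+++ b/nixos/tests/sudo-rs.nix
@@ -22,11 +22,8 @@
         test5 = { isNormalUser = true; };
       };
 
-      security.sudo.enable = false;
-
       security.sudo-rs = {
         enable = true;
-        package = pkgs.sudo-rs;
         wheelNeedsPassword = false;
 
         extraRules = [
@@ -56,10 +53,7 @@
         noadmin = { isNormalUser = true; };
       };
 
-      security.sudo.enable = false;
-
       security.sudo-rs = {
-        package = pkgs.sudo-rs;
         enable = true;
         wheelNeedsPassword = false;
         execWheelOnly = true;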