Merge pull request #263471 from nbraud/nixos/sudo-rs/cleanup

authored by Maciej Krüger and committed by GitHub 3250f153 ecef65f0

+40 -64
+6 -2
nixos/doc/manual/release-notes/rl-2311.section.md
··· 22 23 - [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported. 24 An experimental new module `security.sudo-rs` was added. 25 - Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces 26 slight changes in sudo behaviour, due to `sudo-rs`' current limitations: 27 - terminfo-related environment variables aren't preserved for `root` and `wheel`; 28 - `root` and `wheel` are not given the ability to set (or preserve) 29 arbitrary environment variables. 30 31 - - [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed. 32 33 [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/ 34 35 - `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`. 36 - Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released.
··· 22 23 - [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported. 24 An experimental new module `security.sudo-rs` was added. 25 + Switching to it (via ` security.sudo-rs.enable = true;`) introduces 26 slight changes in sudo behaviour, due to `sudo-rs`' current limitations: 27 - terminfo-related environment variables aren't preserved for `root` and `wheel`; 28 - `root` and `wheel` are not given the ability to set (or preserve) 29 arbitrary environment variables. 30 31 + **Note:** The `sudo-rs` module only takes configuration through `security.sudo-rs`, 32 + and in particular does not automatically use previously-set rules; this could be 33 + achieved with `security.sudo-rs.extraRules = security.sudo.extraRules;` for instance. 34 35 [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/ 36 + 37 + - [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed. 38 39 - `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`. 40 - Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released.
+8 -5
nixos/modules/security/pam.nix
··· 943 value.source = pkgs.writeText "${name}.pam" service.text; 944 }; 945 946 in 947 948 { ··· 1532 concatLines 1533 ]); 1534 1535 - security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth '' 1536 - # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. 1537 - Defaults env_keep+=SSH_AUTH_SOCK 1538 - ''; 1539 - }; 1540 }
··· 943 value.source = pkgs.writeText "${name}.pam" service.text; 944 }; 945 946 + optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth '' 947 + # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. 948 + Defaults env_keep+=SSH_AUTH_SOCK 949 + ''; 950 + 951 in 952 953 { ··· 1537 concatLines 1538 ]); 1539 1540 + security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth; 1541 + security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth; 1542 + }; 1543 }
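Review bot: The new `optionalSudoConfigForSSHAgentAuth` binding at line 946 is consumed some 600 lines later at 1540–1541 without any comment saying why a single sudoers snippet feeds both `security.sudo.extraConfig` and `security.sudo-rs.extraConfig`; a reader will wonder whether `sudo-rs` accepts the same `Defaults env_keep+=` syntax. I would add above the binding: `# Shared by security.sudo and security.sudo-rs: both consume sudoers syntax, and both need SSH_AUTH_SOCK kept so pam_ssh_agent_auth can reach the user's agent.` Note that, as was already the case for `security.sudo`, the snippet is assigned whenever `enableSSHAgentAuth` is set, independent of which sudo module is actually enabled; that appears intentional but is worth stating in the same comment. The surrounding `let … in` and the config attrset extend beyond the hunk.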
+26 -51
nixos/modules/security/sudo-rs.nix
··· 4 5 let 6 7 - inherit (pkgs) sudo sudo-rs; 8 - 9 cfg = config.security.sudo-rs; 10 11 - enableSSHAgentAuth = 12 - with config.security; 13 - pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth; 14 - 15 - usingMillersSudo = cfg.package.pname == sudo.pname; 16 - usingSudoRs = cfg.package.pname == sudo-rs.pname; 17 18 toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; 19 toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; ··· 41 42 defaultOptions = mkOption { 43 type = with types; listOf str; 44 - default = optional usingMillersSudo "SETENV"; 45 - defaultText = literalMD '' 46 - `[ "SETENV" ]` if using the default `sudo` implementation 47 - ''; 48 description = mdDoc '' 49 Options used for the default rules, granting `root` and the 50 `wheel` group permission to run any command as any user. 51 ''; 52 }; 53 54 - enable = mkOption { 55 - type = types.bool; 56 - default = false; 57 - description = mdDoc '' 58 - Whether to enable the {command}`sudo` command, which 59 - allows non-root users to execute commands as root. 60 - ''; 61 - }; 62 63 - package = mkOption { 64 - type = types.package; 65 - default = pkgs.sudo-rs; 66 - defaultText = literalExpression "pkgs.sudo-rs"; 67 - description = mdDoc '' 68 - Which package to use for `sudo`. 69 - ''; 70 - }; 71 72 wheelNeedsPassword = mkOption { 73 type = types.bool; ··· 208 ###### implementation 209 210 config = mkIf cfg.enable { 211 security.sudo-rs.extraRules = 212 let 213 defaultRule = { users ? [], groups ? [], opts ? [] }: [ { ··· 235 # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’ 236 # or ‘security.sudo-rs.extraRules’ instead. 237 '' 238 - (optionalString enableSSHAgentAuth '' 239 - # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. 
240 - Defaults env_keep+=SSH_AUTH_SOCK 241 - '') 242 - (concatStringsSep "\n" ( 243 - lists.flatten ( 244 - map ( 245 - rule: optionals (length rule.commands != 0) [ 246 - (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) 247 - (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) 248 - ] 249 - ) cfg.extraRules 250 - ) 251 - ) + "\n") 252 (optionalString (cfg.extraConfig != "") '' 253 # extraConfig 254 ${cfg.extraConfig} ··· 265 source = "${cfg.package.out}/bin/sudo"; 266 inherit owner group setuid permissions; 267 }; 268 - # sudo-rs does not yet ship a sudoedit (as of v0.2.0) 269 - sudoedit = mkIf usingMillersSudo { 270 - source = "${cfg.package.out}/bin/sudoedit"; 271 - inherit owner group setuid permissions; 272 - }; 273 }; 274 275 - environment.systemPackages = [ sudo ]; 276 277 security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; }; 278 - security.pam.services.sudo-i = mkIf usingSudoRs 279 - { sshAgentAuth = true; usshAuth = true; }; 280 281 environment.etc.sudoers = 282 { source = ··· 285 src = pkgs.writeText "sudoers-in" cfg.configFile; 286 preferLocalBuild = true; 287 } 288 - "${pkgs.buildPackages."${cfg.package.pname}"}/bin/visudo -f $src -c && cp $src $out"; 289 mode = "0440"; 290 }; 291
··· 4 5 let 6 7 cfg = config.security.sudo-rs; 8 9 + inherit (config.security.pam) enableSSHAgentAuth; 10 11 toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; 12 toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; ··· 34 35 defaultOptions = mkOption { 36 type = with types; listOf str; 37 + default = []; 38 description = mdDoc '' 39 Options used for the default rules, granting `root` and the 40 `wheel` group permission to run any command as any user. 41 ''; 42 }; 43 44 + enable = mkEnableOption (mdDoc '' 45 + a memory-safe implementation of the {command}`sudo` command, 46 + which allows non-root users to execute commands as root. 47 + ''); 48 49 + package = mkPackageOption pkgs "sudo-rs" { }; 50 51 wheelNeedsPassword = mkOption { 52 type = types.bool; ··· 187 ###### implementation 188 189 config = mkIf cfg.enable { 190 + assertions = [ { 191 + assertion = ! config.security.sudo.enable; 192 + message = "`security.sudo` and `security.sudo-rs` cannot both be enabled"; 193 + }]; 194 + security.sudo.enable = mkDefault false; 195 + 196 security.sudo-rs.extraRules = 197 let 198 defaultRule = { users ? [], groups ? [], opts ? [] }: [ { ··· 220 # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’ 221 # or ‘security.sudo-rs.extraRules’ instead. 
222 '' 223 + (pipe cfg.extraRules [ 224 + (filter (rule: length rule.commands != 0)) 225 + (map (rule: [ 226 + (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) 227 + (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) 228 + ])) 229 + flatten 230 + (concatStringsSep "\n") 231 + ]) 232 + "\n" 233 (optionalString (cfg.extraConfig != "") '' 234 # extraConfig 235 ${cfg.extraConfig} ··· 246 source = "${cfg.package.out}/bin/sudo"; 247 inherit owner group setuid permissions; 248 }; 249 }; 250 251 + environment.systemPackages = [ cfg.package ]; 252 253 security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; }; 254 + security.pam.services.sudo-i = { sshAgentAuth = true; usshAuth = true; }; 255 256 environment.etc.sudoers = 257 { source = ··· 260 src = pkgs.writeText "sudoers-in" cfg.configFile; 261 preferLocalBuild = true; 262 } 263 + "${pkgs.buildPackages.sudo-rs}/bin/visudo -f $src -c && cp $src $out"; 264 mode = "0440"; 265 }; 266
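Review bot: The sudoers file is now validated with `pkgs.buildPackages.sudo-rs`'s visudo (new line 263) while the binary that is installed and run is `cfg.package` (lines 246 and 251), which `mkPackageOption` lets the user override; before this change the checker at least followed `cfg.package.pname`. If a user sets a patched or newer `sudo-rs`, the configuration is checked by a different parser than the one that enforces it, so a rule accepted at build time could be rejected or interpreted differently at runtime. At minimum record the assumption, e.g. `# Checked with the build platform's pkgs.sudo-rs, which may differ from cfg.package when that is overridden`; if cross-compilation permits, prefer deriving the checker from `cfg.package`. Separately, `inherit (config.security.pam) enableSSHAgentAuth;` (new line 9) looks unused now that the `optionalString enableSSHAgentAuth` block (old lines 238–241) was dropped — if nothing outside the visible hunks references it, it should go. The enclosing `config = mkIf cfg.enable { … }` continues past the hunk.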
-6
nixos/tests/sudo-rs.nix
··· 22 test5 = { isNormalUser = true; }; 23 }; 24 25 - security.sudo.enable = false; 26 - 27 security.sudo-rs = { 28 enable = true; 29 - package = pkgs.sudo-rs; 30 wheelNeedsPassword = false; 31 32 extraRules = [ ··· 56 noadmin = { isNormalUser = true; }; 57 }; 58 59 - security.sudo.enable = false; 60 - 61 security.sudo-rs = { 62 - package = pkgs.sudo-rs; 63 enable = true; 64 wheelNeedsPassword = false; 65 execWheelOnly = true;
··· 22 test5 = { isNormalUser = true; }; 23 }; 24 25 security.sudo-rs = { 26 enable = true; 27 wheelNeedsPassword = false; 28 29 extraRules = [ ··· 53 noadmin = { isNormalUser = true; }; 54 }; 55 56 security.sudo-rs = { 57 enable = true; 58 wheelNeedsPassword = false; 59 execWheelOnly = true;