nixpkgs/nixos/modules/security/sudo.nix

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.security.sudo;

  inherit (pkgs) sudo;

  toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
  toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";

  toCommandOptionsString = options:
    "${concatStringsSep ":" options}${optionalString (length options != 0) ":"} ";

  toCommandsString = commands:
    concatStringsSep ", " (
      map (command:
        if (isString command) then
          command
        else
          "${toCommandOptionsString command.options}${command.command}"
      ) commands
    );

in

{

  ###### interface

  options = {

    security.sudo.enable = mkOption {
      type = types.bool;
      default = true;
      description =
        lib.mdDoc ''
          Whether to enable the {command}`sudo` command, which
          allows non-root users to execute commands as root.
        '';
    };

    security.sudo.package = mkOption {
      type = types.package;
      default = pkgs.sudo;
      defaultText = literalExpression "pkgs.sudo";
      description = lib.mdDoc ''
        Which package to use for `sudo`.
      '';
    };

    security.sudo.wheelNeedsPassword = mkOption {
      type = types.bool;
      default = true;
      description =
        lib.mdDoc ''
          Whether users of the `wheel` group must
          provide a password to run commands as super user via {command}`sudo`.
        '';
      };

    security.sudo.execWheelOnly = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Only allow members of the `wheel` group to execute sudo by
        setting the executable's permissions accordingly.
        This prevents users that are not members of `wheel` from
        exploiting vulnerabilities in sudo such as CVE-2021-3156.
      '';
    };

    security.sudo.configFile = mkOption {
      type = types.lines;
      # Note: if syntax errors are detected in this file, the NixOS
      # configuration will fail to build.
      description =
        lib.mdDoc ''
          This string contains the contents of the
          {file}`sudoers` file.
        '';
    };

    security.sudo.extraRules = mkOption {
      description = lib.mdDoc ''
        Define specific rules to be in the {file}`sudoers` file.
        More specific rules should come after more general ones in order to
        yield the expected behavior. You can use mkBefore/mkAfter to ensure
        this is the case when configuration options are merged.
      '';
      default = [];
      example = literalExpression ''
        [
          # Allow execution of any command by all users in group sudo,
          # requiring a password.
          { groups = [ "sudo" ]; commands = [ "ALL" ]; }

          # Allow execution of "/home/root/secret.sh" by user `backup`, `database`
          # and the group with GID `1006` without a password.
          { users = [ "backup" "database" ]; groups = [ 1006 ];
            commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }

          # Allow all users of group `bar` to run two executables as user `foo`
          # with arguments being pre-set.
          { groups = [ "bar" ]; runAs = "foo";
            commands =
              [ "/home/baz/cmd1.sh hello-sudo"
                  { command = '''/home/baz/cmd2.sh ""'''; options = [ "SETENV" ]; } ]; }
        ]
      '';
      type = with types; listOf (submodule {
        options = {
          users = mkOption {
            type = with types; listOf (either str int);
            description = lib.mdDoc ''
              The usernames / UIDs this rule should apply for.
            '';
            default = [];
          };

          groups = mkOption {
            type = with types; listOf (either str int);
            description = lib.mdDoc ''
              The groups / GIDs this rule should apply for.
            '';
            default = [];
          };

          host = mkOption {
            type = types.str;
            default = "ALL";
            description = lib.mdDoc ''
              For what host this rule should apply.
            '';
          };

          runAs = mkOption {
            type = with types; str;
            default = "ALL:ALL";
            description = lib.mdDoc ''
              Under which user/group the specified command is allowed to run.

              A user can be specified using just the username: `"foo"`.
              It is also possible to specify a user/group combination using `"foo:bar"`
              or to only allow running as a specific group with `":bar"`.
            '';
          };

          commands = mkOption {
            description = lib.mdDoc ''
              The commands for which the rule should apply.
            '';
            type = with types; listOf (either str (submodule {

              options = {
                command = mkOption {
                  type = with types; str;
                  description = lib.mdDoc ''
                    A command being either just a path to a binary to allow any arguments,
                    the full command with arguments pre-set or with `""` used as the argument,
                    not allowing arguments to the command at all.
                  '';
                };

                options = mkOption {
                  type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
                  description = lib.mdDoc ''
                    Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html).
                  '';
                  default = [];
                };
              };

            }));
          };
        };
      });
    };

    security.sudo.extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = lib.mdDoc ''
        Extra configuration text appended to {file}`sudoers`.
      '';
    };
  };


  ###### implementation

  config = mkIf cfg.enable {
    assertions = [
      { assertion = cfg.package.pname != "sudo-rs";
        message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; }
    ];

    # We `mkOrder 600` so that the default rule shows up first, but there is
    # still enough room for a user to `mkBefore` it.
    security.sudo.extraRules = mkOrder 600 [
      { groups = [ "wheel" ];
        commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
      }
    ];

    security.sudo.configFile =
      ''
        # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
        # or ‘security.sudo.extraRules’ instead.

        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
        Defaults env_keep+=SSH_AUTH_SOCK

        # "root" is allowed to do anything.
        root        ALL=(ALL:ALL) SETENV: ALL

        # extraRules
        ${concatStringsSep "\n" (
          lists.flatten (
            map (
              rule: optionals (length rule.commands != 0) [
                (map (user: "${toUserString user}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.users)
                (map (group: "${toGroupString group}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.groups)
              ]
            ) cfg.extraRules
          )
        )}

        ${cfg.extraConfig}
      '';

    security.wrappers = let
      owner = "root";
      group = if cfg.execWheelOnly then "wheel" else "root";
      setuid = true;
      permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
    in {
      sudo = {
        source = "${cfg.package.out}/bin/sudo";
        inherit owner group setuid permissions;
      };
      sudoedit = {
        source = "${cfg.package.out}/bin/sudoedit";
        inherit owner group setuid permissions;
      };
    };

    environment.systemPackages = [ sudo ];

    security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };

    environment.etc.sudoers =
      { source =
          pkgs.runCommand "sudoers"
          {
            src = pkgs.writeText "sudoers-in" cfg.configFile;
            preferLocalBuild = true;
          }
          # Make sure that the sudoers file is syntactically valid.
          # (currently disabled - NIXOS-66)
          "${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out";
        mode = "0440";
      };

  };

}
-												Rewrite ‘with pkgs.lib’ -> ‘with lib’

Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.

											
										
										
											2014-04-14 14:26:48 +00:00
+								{ config, lib, pkgs, ... }:
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
-												Rewrite ‘with pkgs.lib’ -> ‘with lib’

Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.

											
										
										
											2014-04-14 14:26:48 +00:00
+								with lib;
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
+								let
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
 								  cfg = config.security.sudo;
-												strip trailing whitespace; no functional change

svn path=/nixos/trunk/; revision=29285

											
										
										
											2011-09-14 18:20:50 +00:00
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
+								  inherit (pkgs) sudo;
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								  toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
 								  toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
 								  toCommandOptionsString = options:
 								    "${concatStringsSep ":" options}${optionalString (length options != 0) ":"} ";
 								  toCommandsString = commands:
 								    concatStringsSep ", " (
 								      map (command:
 								        if (isString command) then
 								          command
 								        else
 								          "${toCommandOptionsString command.options}${command.command}"
 								      ) commands
 								    );
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
+								in
 								{
 								  ###### interface
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
 								  options = {
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
+								    security.sudo.enable = mkOption {
-												Add lots of missing option types

											
										
										
											2013-10-30 16:37:45 +00:00
+								      type = types.bool;
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
+								      default = true;
 								      description =
 								        lib.mdDoc ''
 								          Whether to enable the {command}`sudo` command, which
 								          allows non-root users to execute commands as root.
 								        '';
 								    };
-												nixos/sudo: add `package` option

The `package`-option is always useful if modifying a package in an
overlay would mean that a lot of other packages need to be rebuilt as
well.

In case of `sudo` this is actually the case: when having an override for
it (e.g. for `withInsults = true;`), you'd have to rebuild e.g. `zfs`
and `grub` although that's not strictly needed.

											
										
										
											2020-10-01 11:00:52 +00:00
+								    security.sudo.package = mkOption {
 								      type = types.package;
 								      default = pkgs.sudo;
-												nixos/doc: clean up defaults and examples

											
										
										
											2021-10-03 16:06:03 +00:00
+								      defaultText = literalExpression "pkgs.sudo";
-												nixos/sudo: add `package` option

The `package`-option is always useful if modifying a package in an
overlay would mean that a lot of other packages need to be rebuilt as
well.

In case of `sudo` this is actually the case: when having an override for
it (e.g. for `withInsults = true;`), you'd have to rebuild e.g. `zfs`
and `grub` although that's not strictly needed.

											
										
										
											2020-10-01 11:00:52 +00:00
+								      description = lib.mdDoc ''
 								        Which package to use for `sudo`.
 								      '';
 								    };
-												modules/security/sudo.nix: added 'wheelNeedsPassword' option (default: true)

Change this setting to 'false' to allow users in the 'wheel' group to execute
commands as super user without entering a password.

											
										
										
											2012-08-13 12:37:32 +00:00
+								    security.sudo.wheelNeedsPassword = mkOption {
-												Add lots of missing option types

											
										
										
											2013-10-30 16:37:45 +00:00
+								      type = types.bool;
-												modules/security/sudo.nix: added 'wheelNeedsPassword' option (default: true)

Change this setting to 'false' to allow users in the 'wheel' group to execute
commands as super user without entering a password.

											
										
										
											2012-08-13 12:37:32 +00:00
+								      default = true;
 								      description =
 								        lib.mdDoc ''
-												nixos/security: fix description of sudo.wheelNeedsPassword

the previous description mistakenly described the opposite semantics
											
										
										
											2018-03-16 21:50:46 +00:00
+								          Whether users of the `wheel` group must
 								          provide a password to run commands as super user via {command}`sudo`.
-												Enable sudoedit

											
										
										
											2013-04-03 10:54:40 +00:00
+								        '';
-												modules/security/sudo.nix: added 'wheelNeedsPassword' option (default: true)

Change this setting to 'false' to allow users in the 'wheel' group to execute
commands as super user without entering a password.

											
										
										
											2012-08-13 12:37:32 +00:00
+								      };
-												nixos/sudo: add option execWheelOnly

By setting the executable's group to wheel and permissions to 4510, we
make sure that only members of the wheel group can execute sudo.

											
										
										
											2021-05-05 11:09:45 +00:00
+								    security.sudo.execWheelOnly = mkOption {
 								      type = types.bool;
 								      default = false;
 								      description = lib.mdDoc ''
 								        Only allow members of the `wheel` group to execute sudo by
 								        setting the executable's permissions accordingly.
 								        This prevents users that are not members of `wheel` from
 								        exploiting vulnerabilities in sudo such as CVE-2021-3156.
 								      '';
 								    };
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
+								    security.sudo.configFile = mkOption {
-												Add lots of missing option types

											
										
										
											2013-10-30 16:37:45 +00:00
+								      type = types.lines;
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
+								      # Note: if syntax errors are detected in this file, the NixOS
 								      # configuration will fail to build.
 								      description =
 								        lib.mdDoc ''
 								          This string contains the contents of the
 								          {file}`sudoers` file.
 								        '';
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
+								    };
-												sudo: allow adding extra configuration options to the bottom of sudoers

from sudoers (5):
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

											
										
										
											2014-10-30 12:59:21 +00:00
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								    security.sudo.extraRules = mkOption {
 								      description = lib.mdDoc ''
 								        Define specific rules to be in the {file}`sudoers` file.
-												nixos/security.sudo: describe extraRules order

The order of sudoers entries is significant. The man page for sudoers(5)
notes:

  Where there are multiple matches, the last match is used (which is not
  necessarily the most specific match).

This module adds a rule for group "wheel" matching all commands. If you
wanted to add a more specific rule allowing members of the "wheel" group
to run command `foo` without a password, you'd need to use mkAfter to
ensure your rule comes after the more general rule.

  extraRules = lib.mkAfter [
    {
      groups = [ "wheel" ];
      commands = [
        {
          command = "${pkgs.foo}/bin/foo";
          options = [ "NOPASSWD" "SETENV" ];
        }
      ]
    }
  ];

Otherwise, when configuration options are merged, if the general rule
ends up after the specific rule, it will dictate the behavior even when
running the `foo` command.

											
										
										
											2018-07-01 19:26:07 +00:00
+								        More specific rules should come after more general ones in order to
 								        yield the expected behavior. You can use mkBefore/mkAfter to ensure
 								        this is the case when configuration options are merged.
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								      '';
 								      default = [];
-												nixos/doc: clean up defaults and examples

											
										
										
											2021-10-03 16:06:03 +00:00
+								      example = literalExpression ''
-												nixos/sudo: Fix extraRules example rendering

											
										
										
											2020-02-10 00:37:07 +00:00
+								        [
 								          # Allow execution of any command by all users in group sudo,
 								          # requiring a password.
 								          { groups = [ "sudo" ]; commands = [ "ALL" ]; }
 								          # Allow execution of "/home/root/secret.sh" by user `backup`, `database`
 								          # and the group with GID `1006` without a password.
 								          { users = [ "backup" "database" ]; groups = [ 1006 ];
 								            commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }
 								          # Allow all users of group `bar` to run two executables as user `foo`
 								          # with arguments being pre-set.
 								          { groups = [ "bar" ]; runAs = "foo";
 								            commands =
 								              [ "/home/baz/cmd1.sh hello-sudo"
 								                  { command = '''/home/baz/cmd2.sh ""'''; options = [ "SETENV" ]; } ]; }
 								        ]
 								      '';
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								      type = with types; listOf (submodule {
 								        options = {
 								          users = mkOption {
-												nixos/modules: Remove all usages of types.string

And replace them with a more appropriate type

Also fix up some minor module problems along the way

											
										
										
											2019-08-08 20:48:27 +00:00
+								            type = with types; listOf (either str int);
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								            description = lib.mdDoc ''
 								              The usernames / UIDs this rule should apply for.
 								            '';
 								            default = [];
 								          };
 								          groups = mkOption {
-												nixos/modules: Remove all usages of types.string

And replace them with a more appropriate type

Also fix up some minor module problems along the way

											
										
										
											2019-08-08 20:48:27 +00:00
+								            type = with types; listOf (either str int);
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								            description = lib.mdDoc ''
 								              The groups / GIDs this rule should apply for.
 								            '';
 								            default = [];
 								          };
 								          host = mkOption {
-												nixos/modules: Remove all usages of types.string

And replace them with a more appropriate type

Also fix up some minor module problems along the way

											
										
										
											2019-08-08 20:48:27 +00:00
+								            type = types.str;
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								            default = "ALL";
 								            description = lib.mdDoc ''
 								              For what host this rule should apply.
 								            '';
 								          };
 								          runAs = mkOption {
-												nixos/modules: Remove all usages of types.string

And replace them with a more appropriate type

Also fix up some minor module problems along the way

											
										
										
											2019-08-08 20:48:27 +00:00
+								            type = with types; str;
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								            default = "ALL:ALL";
 								            description = lib.mdDoc ''
 								              Under which user/group the specified command is allowed to run.
 								              A user can be specified using just the username: `"foo"`.
 								              It is also possible to specify a user/group combination using `"foo:bar"`
 								              or to only allow running as a specific group with `":bar"`.
 								            '';
 								          };
 								          commands = mkOption {
 								            description = lib.mdDoc ''
 								              The commands for which the rule should apply.
 								            '';
-												nixos/modules: Remove all usages of types.string

And replace them with a more appropriate type

Also fix up some minor module problems along the way

											
										
										
											2019-08-08 20:48:27 +00:00
+								            type = with types; listOf (either str (submodule {
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
 								              options = {
 								                command = mkOption {
-												nixos/modules: Remove all usages of types.string

And replace them with a more appropriate type

Also fix up some minor module problems along the way

											
										
										
											2019-08-08 20:48:27 +00:00
+								                  type = with types; str;
-												nixos/*: md-convert hidden plaintext options

most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.

											
										
										
											2022-08-29 17:33:50 +00:00
+								                  description = lib.mdDoc ''
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								                    A command being either just a path to a binary to allow any arguments,
-												nixos/*: md-convert hidden plaintext options

most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.

											
										
										
											2022-08-29 17:33:50 +00:00
+								                    the full command with arguments pre-set or with `""` used as the argument,
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								                    not allowing arguments to the command at all.
 								                  '';
 								                };
 								                options = mkOption {
 								                  type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
-												nixos/*: md-convert hidden plaintext options

most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.

											
										
										
											2022-08-29 17:33:50 +00:00
+								                  description = lib.mdDoc ''
 								                    Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html).
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								                  '';
 								                  default = [];
 								                };
 								              };
 								            }));
 								          };
 								        };
 								      });
 								    };
-												sudo: allow adding extra configuration options to the bottom of sudoers

from sudoers (5):
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

											
										
										
											2014-10-30 12:59:21 +00:00
+								    security.sudo.extraConfig = mkOption {
 								      type = types.lines;
 								      default = "";
 								      description = lib.mdDoc ''
 								        Extra configuration text appended to {file}`sudoers`.
 								      '';
 								    };
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
+								  };
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
+								  ###### implementation
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
+								  config = mkIf cfg.enable {
-												nixos/sudo: Guard against `security.sudo.package = pkgs.sudo-rs;`

This is not unlikely to happen, given the enthusiasm shown by some users,
but we are not there yet, and this will save them from breaking their system.

											
										
										
											2023-08-31 10:02:14 +00:00
+								    assertions = [
 								      { assertion = cfg.package.pname != "sudo-rs";
 								        message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; }
 								    ];
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
-												nixos/sudo: default rule should be first

In /etc/sudoers, the last-matched rule will override all
previously-matched rules. Thus, make the default rule show up first (but
still allow some wiggle room for a user to `mkBefore` it), before any
user-defined rules.

											
										
										
											2020-05-11 04:49:52 +00:00
+								    # We `mkOrder 600` so that the default rule shows up first, but there is
 								    # still enough room for a user to `mkBefore` it.
 								    security.sudo.extraRules = mkOrder 600 [
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								      { groups = [ "wheel" ];
 								        commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
 								      }
 								    ];
-												Make it easier to append to the default sudo configuration

											
										
										
											2012-11-23 14:14:16 +00:00
+								    security.sudo.configFile =
 								      ''
-												sudo: allow adding extra configuration options to the bottom of sudoers

from sudoers (5):
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

											
										
										
											2014-10-30 12:59:21 +00:00
+								        # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								        # or ‘security.sudo.extraRules’ instead.
-												Make it easier to append to the default sudo configuration

											
										
										
											2012-11-23 14:14:16 +00:00
 								        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
 								        Defaults env_keep+=SSH_AUTH_SOCK
 								        # "root" is allowed to do anything.
-												sudo: Allow root to use sudo to switch groups

											
										
										
											2016-09-13 13:15:56 +00:00
+								        root        ALL=(ALL:ALL) SETENV: ALL
-												Make it easier to append to the default sudo configuration

											
										
										
											2012-11-23 14:14:16 +00:00
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								        # extraRules
 								        ${concatStringsSep "\n" (
 								          lists.flatten (
 								            map (
-												treewide: use optional instead of 'then []'

											
										
										
											2023-06-25 09:47:43 +00:00
+								              rule: optionals (length rule.commands != 0) [
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								                (map (user: "${toUserString user}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.users)
 								                (map (group: "${toGroupString group}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.groups)
-												treewide: use optional instead of 'then []'

											
										
										
											2023-06-25 09:47:43 +00:00
+								              ]
-												sudo: define extra rules in Nix language (#33905)


											
										
										
											2018-01-17 14:56:08 +00:00
+								            ) cfg.extraRules
 								          )
 								        )}
-												sudo: allow adding extra configuration options to the bottom of sudoers

from sudoers (5):
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

											
										
										
											2014-10-30 12:59:21 +00:00
+								        ${cfg.extraConfig}
-												Make it easier to append to the default sudo configuration

											
										
										
											2012-11-23 14:14:16 +00:00
+								      '';
-												nixos/sudo: add option execWheelOnly

By setting the executable's group to wheel and permissions to 4510, we
make sure that only members of the wheel group can execute sudo.

											
										
										
											2021-05-05 11:09:45 +00:00
+								    security.wrappers = let
 								      owner = "root";
 								      group = if cfg.execWheelOnly then "wheel" else "root";
 								      setuid = true;
 								      permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
 								    in {
 								      sudo = {
 								        source = "${cfg.package.out}/bin/sudo";
 								        inherit owner group setuid permissions;
 								      };
 								      sudoedit = {
 								        source = "${cfg.package.out}/bin/sudoedit";
 								        inherit owner group setuid permissions;
 								      };
-												More derp

											
										
										
											2017-01-29 11:33:56 +00:00
+								    };
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
+								    environment.systemPackages = [ sudo ];
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
-												nixos/pam: add support for pam-ussh

pam-ussh allows authorizing using an SSH certificate stored in your
SSH agent, in a similar manner to pam-ssh-agent-auth, but for
certificates rather than raw public keys.

											
										
										
											2022-03-13 17:20:23 +00:00
+								    security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
-												treewide: use attrs instead of list for types.loaOf options

											
										
										
											2019-09-14 17:51:29 +00:00
+								    environment.etc.sudoers =
-												Enable checking sudoers syntax. Fixes #2850, probably.

											
										
										
											2014-06-08 20:54:13 +00:00
+								      { source =
 								          pkgs.runCommand "sudoers"
-												nixos: add preferLocalBuild=true; on derivations for config files

											
										
										
											2018-11-08 10:59:03 +00:00
+								          {
 								            src = pkgs.writeText "sudoers-in" cfg.configFile;
 								            preferLocalBuild = true;
 								          }
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
+								          # Make sure that the sudoers file is syntactically valid.
 								          # (currently disabled - NIXOS-66)
-												nixos: sudo: Use build-time visudo for syntax check.

											
										
										
											2018-02-28 19:37:26 +00:00
+								          "${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out";
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
+								        mode = "0440";
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
+								      };
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
+								  };
-												* Make the generation of /etc/pam.d more declarative.  There now is an
  option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729

											
										
										
											2009-08-16 14:49:14 +00:00
-												Extra sudo configuration file from:
- system/options.nix
- system/system.nix
- etc/default.nix

svn path=/nixos/branches/fix-style/; revision=13681

											
										
										
											2009-01-02 16:07:15 +00:00
+								}