2014-04-14 14:26:48 +00:00
|
|
|
|
{ config, lib, pkgs, ... }:
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2014-04-14 14:26:48 +00:00
|
|
|
|
with lib;
|
2009-08-16 14:49:14 +00:00
|
|
|
|
|
2009-01-02 16:07:15 +00:00
|
|
|
|
let
|
2009-08-16 14:49:14 +00:00
|
|
|
|
|
|
|
|
|
cfg = config.security.sudo;
|
2011-09-14 18:20:50 +00:00
|
|
|
|
|
2023-09-04 21:06:12 +00:00
|
|
|
|
enableSSHAgentAuth =
|
|
|
|
|
with config.security;
|
|
|
|
|
pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
|
|
|
|
|
|
2009-08-16 14:49:14 +00:00
|
|
|
|
inherit (pkgs) sudo;
|
|
|
|
|
|
2018-01-17 14:56:08 +00:00
|
|
|
|
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
|
|
|
|
|
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
|
|
|
|
|
|
|
|
|
|
toCommandOptionsString = options:
|
|
|
|
|
"${concatStringsSep ":" options}${optionalString (length options != 0) ":"} ";
|
|
|
|
|
|
|
|
|
|
toCommandsString = commands:
|
|
|
|
|
concatStringsSep ", " (
|
|
|
|
|
map (command:
|
|
|
|
|
if (isString command) then
|
|
|
|
|
command
|
|
|
|
|
else
|
|
|
|
|
"${toCommandOptionsString command.options}${command.command}"
|
|
|
|
|
) commands
|
|
|
|
|
);
|
|
|
|
|
|
2009-08-16 14:49:14 +00:00
|
|
|
|
in
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
###### interface
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2023-09-07 11:57:20 +00:00
|
|
|
|
options.security.sudo = {
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2023-09-07 11:57:20 +00:00
|
|
|
|
enable = mkOption {
|
2013-10-30 16:37:45 +00:00
|
|
|
|
type = types.bool;
|
2009-08-16 14:49:14 +00:00
|
|
|
|
default = true;
|
|
|
|
|
description =
|
|
|
|
|
lib.mdDoc ''
|
|
|
|
|
Whether to enable the {command}`sudo` command, which
|
|
|
|
|
allows non-root users to execute commands as root.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2023-09-07 11:57:20 +00:00
|
|
|
|
package = mkOption {
|
2020-10-01 11:00:52 +00:00
|
|
|
|
type = types.package;
|
|
|
|
|
default = pkgs.sudo;
|
2021-10-03 16:06:03 +00:00
|
|
|
|
defaultText = literalExpression "pkgs.sudo";
|
2020-10-01 11:00:52 +00:00
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
Which package to use for `sudo`.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2023-09-07 11:57:20 +00:00
|
|
|
|
wheelNeedsPassword = mkOption {
|
2013-10-30 16:37:45 +00:00
|
|
|
|
type = types.bool;
|
2012-08-13 12:37:32 +00:00
|
|
|
|
default = true;
|
|
|
|
|
description =
|
|
|
|
|
lib.mdDoc ''
|
2018-03-16 21:50:46 +00:00
|
|
|
|
Whether users of the `wheel` group must
|
|
|
|
|
provide a password to run commands as super user via {command}`sudo`.
|
2013-04-03 10:54:40 +00:00
|
|
|
|
'';
|
2012-08-13 12:37:32 +00:00
|
|
|
|
};
|
|
|
|
|
|
2023-09-07 11:57:20 +00:00
|
|
|
|
execWheelOnly = mkOption {
|
2021-05-05 11:09:45 +00:00
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
Only allow members of the `wheel` group to execute sudo by
|
|
|
|
|
setting the executable's permissions accordingly.
|
|
|
|
|
This prevents users that are not members of `wheel` from
|
|
|
|
|
exploiting vulnerabilities in sudo such as CVE-2021-3156.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2023-09-07 11:57:20 +00:00
|
|
|
|
configFile = mkOption {
|
2013-10-30 16:37:45 +00:00
|
|
|
|
type = types.lines;
|
2009-08-16 14:49:14 +00:00
|
|
|
|
# Note: if syntax errors are detected in this file, the NixOS
|
|
|
|
|
# configuration will fail to build.
|
|
|
|
|
description =
|
|
|
|
|
lib.mdDoc ''
|
|
|
|
|
This string contains the contents of the
|
|
|
|
|
{file}`sudoers` file.
|
|
|
|
|
'';
|
2009-01-02 16:07:15 +00:00
|
|
|
|
};
|
2014-10-30 12:59:21 +00:00
|
|
|
|
|
2023-09-07 11:57:20 +00:00
|
|
|
|
extraRules = mkOption {
|
2018-01-17 14:56:08 +00:00
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
Define specific rules to be in the {file}`sudoers` file.
|
2018-07-01 19:26:07 +00:00
|
|
|
|
More specific rules should come after more general ones in order to
|
|
|
|
|
yield the expected behavior. You can use mkBefore/mkAfter to ensure
|
|
|
|
|
this is the case when configuration options are merged.
|
2018-01-17 14:56:08 +00:00
|
|
|
|
'';
|
|
|
|
|
default = [];
|
2021-10-03 16:06:03 +00:00
|
|
|
|
example = literalExpression ''
|
2020-02-10 00:37:07 +00:00
|
|
|
|
[
|
|
|
|
|
# Allow execution of any command by all users in group sudo,
|
|
|
|
|
# requiring a password.
|
|
|
|
|
{ groups = [ "sudo" ]; commands = [ "ALL" ]; }
|
|
|
|
|
|
|
|
|
|
# Allow execution of "/home/root/secret.sh" by user `backup`, `database`
|
|
|
|
|
# and the group with GID `1006` without a password.
|
|
|
|
|
{ users = [ "backup" "database" ]; groups = [ 1006 ];
|
|
|
|
|
commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }
|
|
|
|
|
|
|
|
|
|
# Allow all users of group `bar` to run two executables as user `foo`
|
|
|
|
|
# with arguments being pre-set.
|
|
|
|
|
{ groups = [ "bar" ]; runAs = "foo";
|
|
|
|
|
commands =
|
|
|
|
|
[ "/home/baz/cmd1.sh hello-sudo"
|
|
|
|
|
{ command = '''/home/baz/cmd2.sh ""'''; options = [ "SETENV" ]; } ]; }
|
|
|
|
|
]
|
|
|
|
|
'';
|
2018-01-17 14:56:08 +00:00
|
|
|
|
type = with types; listOf (submodule {
|
|
|
|
|
options = {
|
|
|
|
|
users = mkOption {
|
2019-08-08 20:48:27 +00:00
|
|
|
|
type = with types; listOf (either str int);
|
2018-01-17 14:56:08 +00:00
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
The usernames / UIDs this rule should apply for.
|
|
|
|
|
'';
|
|
|
|
|
default = [];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
groups = mkOption {
|
2019-08-08 20:48:27 +00:00
|
|
|
|
type = with types; listOf (either str int);
|
2018-01-17 14:56:08 +00:00
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
The groups / GIDs this rule should apply for.
|
|
|
|
|
'';
|
|
|
|
|
default = [];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
host = mkOption {
|
2019-08-08 20:48:27 +00:00
|
|
|
|
type = types.str;
|
2018-01-17 14:56:08 +00:00
|
|
|
|
default = "ALL";
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
For what host this rule should apply.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
runAs = mkOption {
|
2019-08-08 20:48:27 +00:00
|
|
|
|
type = with types; str;
|
2018-01-17 14:56:08 +00:00
|
|
|
|
default = "ALL:ALL";
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
Under which user/group the specified command is allowed to run.
|
|
|
|
|
|
|
|
|
|
A user can be specified using just the username: `"foo"`.
|
|
|
|
|
It is also possible to specify a user/group combination using `"foo:bar"`
|
|
|
|
|
or to only allow running as a specific group with `":bar"`.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
commands = mkOption {
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
The commands for which the rule should apply.
|
|
|
|
|
'';
|
2019-08-08 20:48:27 +00:00
|
|
|
|
type = with types; listOf (either str (submodule {
|
2018-01-17 14:56:08 +00:00
|
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
command = mkOption {
|
2019-08-08 20:48:27 +00:00
|
|
|
|
type = with types; str;
|
2022-08-29 17:33:50 +00:00
|
|
|
|
description = lib.mdDoc ''
|
2018-01-17 14:56:08 +00:00
|
|
|
|
A command being either just a path to a binary to allow any arguments,
|
2022-08-29 17:33:50 +00:00
|
|
|
|
the full command with arguments pre-set or with `""` used as the argument,
|
2018-01-17 14:56:08 +00:00
|
|
|
|
not allowing arguments to the command at all.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
options = mkOption {
|
|
|
|
|
type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
|
2022-08-29 17:33:50 +00:00
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html).
|
2018-01-17 14:56:08 +00:00
|
|
|
|
'';
|
|
|
|
|
default = [];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
}));
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
};
|
|
|
|
|
|
2023-09-07 11:57:20 +00:00
|
|
|
|
extraConfig = mkOption {
|
2014-10-30 12:59:21 +00:00
|
|
|
|
type = types.lines;
|
|
|
|
|
default = "";
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
Extra configuration text appended to {file}`sudoers`.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2009-01-02 16:07:15 +00:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
2009-08-16 14:49:14 +00:00
|
|
|
|
###### implementation
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2009-08-16 14:49:14 +00:00
|
|
|
|
config = mkIf cfg.enable {
|
2023-08-31 10:02:14 +00:00
|
|
|
|
assertions = [
|
|
|
|
|
{ assertion = cfg.package.pname != "sudo-rs";
|
|
|
|
|
message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; }
|
|
|
|
|
];
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2020-05-11 04:49:52 +00:00
|
|
|
|
# We `mkOrder 600` so that the default rule shows up first, but there is
|
|
|
|
|
# still enough room for a user to `mkBefore` it.
|
|
|
|
|
security.sudo.extraRules = mkOrder 600 [
|
2018-01-17 14:56:08 +00:00
|
|
|
|
{ groups = [ "wheel" ];
|
|
|
|
|
commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
2023-09-04 21:01:09 +00:00
|
|
|
|
security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [
|
2012-11-23 14:14:16 +00:00
|
|
|
|
''
|
2014-10-30 12:59:21 +00:00
|
|
|
|
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
|
2018-01-17 14:56:08 +00:00
|
|
|
|
# or ‘security.sudo.extraRules’ instead.
|
2023-08-31 10:33:11 +00:00
|
|
|
|
''
|
2023-09-04 21:06:12 +00:00
|
|
|
|
(optionalString enableSSHAgentAuth ''
|
2012-11-23 14:14:16 +00:00
|
|
|
|
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
|
|
|
|
|
Defaults env_keep+=SSH_AUTH_SOCK
|
2023-09-04 21:06:12 +00:00
|
|
|
|
'')
|
2023-08-31 10:33:11 +00:00
|
|
|
|
''
|
2012-11-23 14:14:16 +00:00
|
|
|
|
# "root" is allowed to do anything.
|
2016-09-13 13:15:56 +00:00
|
|
|
|
root ALL=(ALL:ALL) SETENV: ALL
|
2023-08-31 10:33:11 +00:00
|
|
|
|
''
|
2023-09-04 21:01:09 +00:00
|
|
|
|
(optionalString (cfg.extraRules != []) ''
|
2018-01-17 14:56:08 +00:00
|
|
|
|
# extraRules
|
|
|
|
|
${concatStringsSep "\n" (
|
|
|
|
|
lists.flatten (
|
|
|
|
|
map (
|
2023-06-25 09:47:43 +00:00
|
|
|
|
rule: optionals (length rule.commands != 0) [
|
2018-01-17 14:56:08 +00:00
|
|
|
|
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
|
|
|
|
|
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
|
2023-06-25 09:47:43 +00:00
|
|
|
|
]
|
2018-01-17 14:56:08 +00:00
|
|
|
|
) cfg.extraRules
|
|
|
|
|
)
|
|
|
|
|
)}
|
2023-09-04 21:01:09 +00:00
|
|
|
|
'')
|
|
|
|
|
(optionalString (cfg.extraConfig != "") ''
|
2023-08-31 10:33:11 +00:00
|
|
|
|
# extraConfig
|
2014-10-30 12:59:21 +00:00
|
|
|
|
${cfg.extraConfig}
|
2023-09-04 21:01:09 +00:00
|
|
|
|
'')
|
|
|
|
|
]);
|
2012-11-23 14:14:16 +00:00
|
|
|
|
|
2021-05-05 11:09:45 +00:00
|
|
|
|
security.wrappers = let
|
|
|
|
|
owner = "root";
|
|
|
|
|
group = if cfg.execWheelOnly then "wheel" else "root";
|
|
|
|
|
setuid = true;
|
|
|
|
|
permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
|
|
|
|
|
in {
|
|
|
|
|
sudo = {
|
|
|
|
|
source = "${cfg.package.out}/bin/sudo";
|
|
|
|
|
inherit owner group setuid permissions;
|
|
|
|
|
};
|
|
|
|
|
sudoedit = {
|
|
|
|
|
source = "${cfg.package.out}/bin/sudoedit";
|
|
|
|
|
inherit owner group setuid permissions;
|
|
|
|
|
};
|
2017-01-29 11:33:56 +00:00
|
|
|
|
};
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2009-08-16 14:49:14 +00:00
|
|
|
|
environment.systemPackages = [ sudo ];
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2022-03-13 17:20:23 +00:00
|
|
|
|
security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2019-09-14 17:51:29 +00:00
|
|
|
|
environment.etc.sudoers =
|
2014-06-08 20:54:13 +00:00
|
|
|
|
{ source =
|
|
|
|
|
pkgs.runCommand "sudoers"
|
2018-11-08 10:59:03 +00:00
|
|
|
|
{
|
|
|
|
|
src = pkgs.writeText "sudoers-in" cfg.configFile;
|
|
|
|
|
preferLocalBuild = true;
|
|
|
|
|
}
|
2009-01-02 16:07:15 +00:00
|
|
|
|
# Make sure that the sudoers file is syntactically valid.
|
|
|
|
|
# (currently disabled - NIXOS-66)
|
2018-02-28 19:37:26 +00:00
|
|
|
|
"${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out";
|
2009-01-02 16:07:15 +00:00
|
|
|
|
mode = "0440";
|
2009-08-16 14:49:14 +00:00
|
|
|
|
};
|
|
|
|
|
|
2009-01-02 16:07:15 +00:00
|
|
|
|
};
|
2009-08-16 14:49:14 +00:00
|
|
|
|
|
2009-01-02 16:07:15 +00:00
|
|
|
|
}
|