Merge pull request #263471 from nbraud/nixos/sudo-rs/cleanup

This commit is contained in:
Maciej Krüger 2023-11-26 19:57:31 +01:00 committed by GitHub
commit 3250f15338
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 40 additions and 64 deletions

View file

@ -22,16 +22,20 @@
- [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
An experimental new module `security.sudo-rs` was added.
Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces
Switching to it (via ` security.sudo-rs.enable = true;`) introduces
slight changes in sudo behaviour, due to `sudo-rs`' current limitations:
- terminfo-related environment variables aren't preserved for `root` and `wheel`;
- `root` and `wheel` are not given the ability to set (or preserve)
arbitrary environment variables.
- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
**Note:** The `sudo-rs` module only takes configuration through `security.sudo-rs`,
and in particular does not automatically use previously-set rules; this could be
achieved with `security.sudo-rs.extraRules = security.sudo.extraRules;` for instance.
[`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
- `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`.
- Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released.

View file

@ -943,6 +943,11 @@ let
value.source = pkgs.writeText "${name}.pam" service.text;
};
optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth ''
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
'';
in
{
@ -1532,9 +1537,7 @@ in
concatLines
]);
security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
'';
};
security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;
security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth;
};
}

View file

@ -4,16 +4,9 @@ with lib;
let
inherit (pkgs) sudo sudo-rs;
cfg = config.security.sudo-rs;
enableSSHAgentAuth =
with config.security;
pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
usingMillersSudo = cfg.package.pname == sudo.pname;
usingSudoRs = cfg.package.pname == sudo-rs.pname;
inherit (config.security.pam) enableSSHAgentAuth;
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
@ -41,33 +34,19 @@ in
defaultOptions = mkOption {
type = with types; listOf str;
default = optional usingMillersSudo "SETENV";
defaultText = literalMD ''
`[ "SETENV" ]` if using the default `sudo` implementation
'';
default = [];
description = mdDoc ''
Options used for the default rules, granting `root` and the
`wheel` group permission to run any command as any user.
'';
};
enable = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Whether to enable the {command}`sudo` command, which
allows non-root users to execute commands as root.
'';
};
enable = mkEnableOption (mdDoc ''
a memory-safe implementation of the {command}`sudo` command,
which allows non-root users to execute commands as root.
'');
package = mkOption {
type = types.package;
default = pkgs.sudo-rs;
defaultText = literalExpression "pkgs.sudo-rs";
description = mdDoc ''
Which package to use for `sudo`.
'';
};
package = mkPackageOption pkgs "sudo-rs" { };
wheelNeedsPassword = mkOption {
type = types.bool;
@ -208,6 +187,12 @@ in
###### implementation
config = mkIf cfg.enable {
assertions = [ {
assertion = ! config.security.sudo.enable;
message = "`security.sudo` and `security.sudo-rs` cannot both be enabled";
}];
security.sudo.enable = mkDefault false;
security.sudo-rs.extraRules =
let
defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
@ -235,20 +220,16 @@ in
# Don't edit this file. Set the NixOS options security.sudo-rs.configFile
# or security.sudo-rs.extraRules instead.
''
(optionalString enableSSHAgentAuth ''
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
'')
(concatStringsSep "\n" (
lists.flatten (
map (
rule: optionals (length rule.commands != 0) [
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
]
) cfg.extraRules
)
) + "\n")
(pipe cfg.extraRules [
(filter (rule: length rule.commands != 0))
(map (rule: [
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
]))
flatten
(concatStringsSep "\n")
])
"\n"
(optionalString (cfg.extraConfig != "") ''
# extraConfig
${cfg.extraConfig}
@ -265,18 +246,12 @@ in
source = "${cfg.package.out}/bin/sudo";
inherit owner group setuid permissions;
};
# sudo-rs does not yet ship a sudoedit (as of v0.2.0)
sudoedit = mkIf usingMillersSudo {
source = "${cfg.package.out}/bin/sudoedit";
inherit owner group setuid permissions;
};
};
environment.systemPackages = [ sudo ];
environment.systemPackages = [ cfg.package ];
security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
security.pam.services.sudo-i = mkIf usingSudoRs
{ sshAgentAuth = true; usshAuth = true; };
security.pam.services.sudo-i = { sshAgentAuth = true; usshAuth = true; };
environment.etc.sudoers =
{ source =
@ -285,7 +260,7 @@ in
src = pkgs.writeText "sudoers-in" cfg.configFile;
preferLocalBuild = true;
}
"${pkgs.buildPackages."${cfg.package.pname}"}/bin/visudo -f $src -c && cp $src $out";
"${pkgs.buildPackages.sudo-rs}/bin/visudo -f $src -c && cp $src $out";
mode = "0440";
};

View file

@ -22,11 +22,8 @@ in
test5 = { isNormalUser = true; };
};
security.sudo.enable = false;
security.sudo-rs = {
enable = true;
package = pkgs.sudo-rs;
wheelNeedsPassword = false;
extraRules = [
@ -56,10 +53,7 @@ in
noadmin = { isNormalUser = true; };
};
security.sudo.enable = false;
security.sudo-rs = {
package = pkgs.sudo-rs;
enable = true;
wheelNeedsPassword = false;
execWheelOnly = true;