Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/sudo: default rule should be first #87579

Merged
merged 1 commit into from Jun 18, 2020
Merged

nixos/sudo: default rule should be first #87579

merged 1 commit into from Jun 18, 2020

Conversation

cole-h
Copy link
Member

@cole-h cole-h commented May 11, 2020

In /etc/sudoers, the last-matched rule will override all
previously-matched rules. Thus, make the default rule show up first (but
still allow some wiggle room for a user to mkBefore it), before any
user-defined rules.

Motivation for this change

Addresses #87555. I'll backport this to 20.03 after this gets merged (or whoever merges this can take care of that for me; I don't mind either way, but that might be easier than waiting for me to follow up).

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@cole-h cole-h mentioned this pull request May 11, 2020
Closed
@cole-h cole-h mentioned this pull request May 11, 2020
Merged
10 tasks
@lschuermann
Copy link
Member

@GrahamcOfBorg test sudo

@veprbl veprbl linked an issue May 11, 2020 that may be closed by this pull request
extraRules is overridden by default value #87555
Closed
@veprbl veprbl added the 9.needs: port to stable A PR needs a backport to the stable release. label May 11, 2020
lschuermann
lschuermann approved these changes May 13, 2020
View reviewed changes
Copy link
Member

@lschuermann lschuermann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Handling sudo rules is tricky, this achieves the expected behavior.

@emilazy
Copy link
Member

emilazy commented May 18, 2020

Could something be added to the test for this, say by setting extraRules to something that overrides the default and checking that sudo(1) behaves accordingly?

@cole-h
Copy link
Member Author

cole-h commented Jun 18, 2020
edited

If somebody more familiar with sudo and its configuration would like to write that test case in a follow-up, I'd be delighted. I tried my hand at it and failed, but I'd like to get this merged sooner rather than later so as to resolve the linked issue.

Sorry it took me so long to get back to this (and even sorrier that it was just to say "I can't do that").

@cole-h
nixos/sudo: default rule should be first
13e2c75 
In /etc/sudoers, the last-matched rule will override all
previously-matched rules. Thus, make the default rule show up first (but
still allow some wiggle room for a user to `mkBefore` it), before any
user-defined rules.
@worldofpeace worldofpeace merged commit d7122c3 into NixOS:master Jun 18, 2020
@cole-h cole-h deleted the sudo branch June 18, 2020 00:58
@cole-h cole-h mentioned this pull request Jun 18, 2020
Merged
10 tasks
@cole-h cole-h added 8.has: port to stable A PR already has a backport to the stable release. and removed 9.needs: port to stable A PR needs a backport to the stable release. labels Jun 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@elohmeier elohmeier elohmeier approved these changes

@lschuermann lschuermann lschuermann approved these changes

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 8.has: port to stable A PR already has a backport to the stable release. 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

extraRules is overridden by default value
6 participants
@cole-h @lschuermann @emilazy @elohmeier @veprbl @worldofpeace