nixos/security: don't use sudo.extraRules for wheel rule #58396
Conversation
GrahamcOfBorg
added
6.topic: nixos
| @@ -171,12 +171,6 @@ in | |||
|
|
|||
| config = mkIf cfg.enable { | |||
|
|
|||
| security.sudo.extraRules = [ | |||
| { groups = [ "wheel" ]; | |||
There was a problem hiding this comment.
I think a [ (mkBefore { groups = ... }) ] might work
There was a problem hiding this comment.
I guess it should be mkBefore [ ... ], that is, mkBefore for the whole list. At least when I played around with these a bit, I needed to use it like that - thanks to an advise at IRC from @jD91mZM2.
|
Have there been any updates on this? I just ran into the issue that this solves and it's a pretty confusing problem until you stumble upon this. For my purposes, |
|
ping (triage) |
cmacrae
force-pushed
the
nixos-unstable/security_sudo_extraRules_fix
branch
2 times, most recently
from
59c154c to
23487c3
Compare
|
My sincere apologies for ghosting on this PR, people! 😬 I think it does need to be within the list, otherwise the resulting expression from the EDIT: Hmm, perhaps not (given the error from the hydra build). I'll try and get this working nicely |
ofborg
bot
added
10.rebuild-linux: 0
|
@cmacrae So you are sure it needs to be like: instead of ? Can't remember the details anymore and I'm not familiar with these, but when I was trying to make these work, I needed to use the latter one, otherwise there was no effect. So that's why I wanted to double-check. |
|
Thanks @jluttine! You're absolutely right 👍 Just testing this now |
Using security.sudo.extraRules to generate the resulting sudo expression for the 'wheel' group causes problems with other 'extraRules' definitions for the 'wheel' group (see NixOS#58276) These changes implement the same result, but ensure that the sudo expression for the 'wheel' group is placed before any 'extraRules' the user may define.
cmacrae
force-pushed
the
nixos-unstable/security_sudo_extraRules_fix
branch
from
23487c3 to
6870624
Compare
|
Why do not the tests pick this up? |
|
Hello, I'm a bot and I thank you in the name of the community for your contributions. Nixpkgs is a busy repository, and unfortunately sometimes PRs get left behind for too long. Nevertheless, we'd like to help committers reach the PRs that are still important. This PR has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human. If this is still important to you and you'd like to remove the stale label, we ask that you leave a comment. Your comment can be as simple as "still important to me". But there's a bit more you can do: If you received an approval by an unprivileged maintainer and you are just waiting for a merge, you can @ mention someone with merge permissions and ask them to help. You might be able to find someone relevant by using Git blame on the relevant files, or via GitHub's web interface. You can see if someone's a member of the nixpkgs-committers team, by hovering with the mouse over their username on the web interface, or by searching them directly on the list. If your PR wasn't reviewed at all, it might help to find someone who's perhaps a user of the package or module you are changing, or alternatively, ask once more for a review by the maintainer of the package/module this is about. If you don't know any, you can use Git blame on the relevant files, or GitHub's web interface to find someone who touched the relevant files in the past. If your PR has had reviews and nevertheless got stale, make sure you've responded to all of the reviewer's requests / questions. Usually when PR authors show responsibility and dedication, reviewers (privileged or not) show dedication as well. If you've pushed a change, it's possible the reviewer wasn't notified about your push via email, so you can always officially request them for a review, or just @ mention them and say you've addressed their comments. Lastly, you can always ask for help at our Discourse Forum, or more specifically, at this thread or at #nixos' IRC channel. |
stale
bot
added
the
2.status: stale
ryantm
added
the
2.status: merge conflict
stale
bot
removed
the
2.status: stale
ryantm
added
2.status: merge conflict
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
|
hi, is there some way I can help get this across the finish line? |
|
@mhuesch sounds like there is an unresolved question yet:
|
stale
bot
removed
the
2.status: stale
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
|
@mhuesch I'd like to help pick this up too, I'll be looking at the tests and hopefully PR a fix, and link this issue. |
|
it seems possible that this has been fixed independently / through some other mechanism? see 2 confirmations on #58276 |
stale
bot
removed
the
2.status: stale
Motivation for this change
Using
security.sudo.extraRulesto generate the resultingsudoexpression for the 'wheel' group causes problems with other
extraRulesdefinitions for the 'wheel' group (see #58276)Things done
These changes implement the same result, but ensure that the
sudoexpression for the 'wheel' group is placed before any
extraRulestheuser may define.
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)