
nixos/security.sudo: Document ordering of extraRules #42845

Merged

Conversation

ivanbrennan
Member

Expand security.sudo.extraRules.description to document the impact that order has on rule precedence. Call out the fact that mkBefore/mkAfter can be used to ensure configuration options are merged in a way that yields the desired behavior.

Motivation for this change

The order of sudoers entries is significant. The man page for sudoers(5) notes:

Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

This module adds a rule for group "wheel" matching all commands. If you wanted to add a more specific rule allowing members of the "wheel" group to run command foo without a password, you'd need to use mkAfter to ensure your rule comes after the more general rule.

extraRules = lib.mkAfter [
  {
    groups = [ "wheel" ];
    commands = [
      {
        command = "${pkgs.foo}/bin/foo";
        options = [ "NOPASSWD" "SETENV" ];
      }
    ];  # every binding in a Nix attribute set ends with a semicolon
  }
];

Otherwise, when configuration options are merged, if the general rule ends up after the specific rule, it will dictate the behavior even when running the foo command.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

The order of sudoers entries is significant. The man page for sudoers(5)
notes:

  Where there are multiple matches, the last match is used (which is not
  necessarily the most specific match).

This module adds a rule for group "wheel" matching all commands. If you
wanted to add a more specific rule allowing members of the "wheel" group
to run command `foo` without a password, you'd need to use mkAfter to
ensure your rule comes after the more general rule.

  extraRules = lib.mkAfter [
    {
      groups = [ "wheel" ];
      commands = [
        {
          command = "${pkgs.foo}/bin/foo";
          options = [ "NOPASSWD" "SETENV" ];
        }
      ];  # every binding in a Nix attribute set ends with a semicolon
    }
  ];

Otherwise, when configuration options are merged, if the general rule
ends up after the specific rule, it will dictate the behavior even when
running the `foo` command.
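The precedence rule quoted above (the PR description and the commit message) is easy to get wrong because sudo does not pick the most specific rule. The following added example (not code from NixOS, nixpkgs, sudo, or this PR) simulates the sudoers(5) last-match behaviour over a small constructed subset of the syntax and shows both orderings of the two wheel rules. The store path, the user names and the rendered rule lines are constructed to resemble what the module produces; they are assumptions, not the module's exact output.

```python
"""Simulate the sudoers(5) "last match wins" rule to show why the order of
security.sudo.extraRules matters.

Added example, not code from NixOS, nixpkgs or sudo. Only a small
constructed subset of sudoers syntax is handled: one user or %group, a host,
an optional (runas) spec, zero or more tags, and one command. The sample rule
lines and the store path below are made up for this demonstration.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"      # user or %group, then host
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                   # optional (runas_user:runas_group)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                      # zero or more tags: NOPASSWD: SETENV: ...
    r"(?P<cmd>.+)$"                                   # ALL or one absolute path
)


@dataclass(frozen=True)
class Rule:
    principal: str          # "alice", "%wheel" or "ALL"
    command: str            # "ALL" or an absolute path
    tags: FrozenSet[str]    # e.g. {"NOPASSWD", "SETENV"}


def parse_sudoers(text: str) -> List[Rule]:
    """Parse user specifications in file order; order is preserved on purpose
    because it decides precedence."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        tags = frozenset(t.strip() for t in m.group("tags").split(":") if t.strip())
        rules.append(Rule(m.group("who"), m.group("cmd").strip(), tags))
    return rules


def _matches(rule: Rule, user: str, groups: Set[str], command: str) -> bool:
    who_ok = (rule.principal == "ALL" or rule.principal == user
              or (rule.principal.startswith("%") and rule.principal[1:] in groups))
    cmd_ok = rule.command == "ALL" or rule.command == command
    return who_ok and cmd_ok


def effective_tags(rules: List[Rule], user: str, groups: Set[str],
                   command: str) -> Optional[FrozenSet[str]]:
    """Tags of the LAST matching rule, as sudoers(5) specifies, or None when no
    rule matches (sudo denies). A later, more general rule overrides an
    earlier, more specific one."""
    winner = None
    for rule in rules:
        if _matches(rule, user, groups, command):
            winner = rule
    return None if winner is None else winner.tags


def password_required(rules: List[Rule], user: str, groups: Set[str],
                      command: str) -> Optional[bool]:
    """True: sudo prompts; False: NOPASSWD applies; None: command is denied."""
    tags = effective_tags(rules, user, groups, command)
    return None if tags is None else "NOPASSWD" not in tags


# Constructed sample rules (made-up store path). WHEEL_ALL stands in for the
# general rule the module adds; WHEEL_FOO for what the extraRules entry in the
# PR description would render to.
FOO = "/nix/store/0000000000000000000000000000000-foo-1.0/bin/foo"
WHEEL_ALL = "%wheel ALL=(ALL:ALL) SETENV: ALL"
WHEEL_FOO = f"%wheel ALL=(ALL:ALL) NOPASSWD: SETENV: {FOO}"

# Specific rule merged BEFORE the general one: what you can get without mkAfter.
SPECIFIC_THEN_GENERAL = "\n".join([WHEEL_FOO, WHEEL_ALL])
# General rule first, specific rule last: the order lib.mkAfter is meant to give.
GENERAL_THEN_SPECIFIC = "\n".join([WHEEL_ALL, WHEEL_FOO])


def demo() -> dict:
    """Whether a wheel member is prompted for `foo` under each ordering."""
    wheel = {"wheel"}
    return {
        "specific_then_general": password_required(parse_sudoers(SPECIFIC_THEN_GENERAL), "alice", wheel, FOO),
        "general_then_specific": password_required(parse_sudoers(GENERAL_THEN_SPECIFIC), "alice", wheel, FOO),
    }


if __name__ == "__main__":
    for ordering, prompts in demo().items():
        print(f"{ordering}: {'password prompt' if prompts else 'NOPASSWD'}")
```

With the specific rule first, the general wheel rule is the last match for `foo` and its tags (no NOPASSWD) apply, so the user is still prompted; with the general rule first, the `foo` rule is the last match and NOPASSWD takes effect, while every other command still falls through to the general rule. On a real system the same check is `sudo -l` as the affected user (rules are listed in file order) and `visudo -c -f <file>` for syntax before deploying.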