sudo: define extra rules in Nix language #33905
Conversation
Review comment on nixos/modules/security/sudo.nix (outdated):

```nix
description = ''
  Define specifc rules to be in the <filename>sudoers</filename> file.
'';
default = [];
```
Can you also add an example here?
Also has a minor typo (`specifc`).
@adisbladis Psst, fixed it in a new commit. :)
```nix
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK

# "root" is allowed to do anything.
root ALL=(ALL:ALL) SETENV: ALL

# Users in the "wheel" group can do anything.
%wheel ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
```
It now generates this line:

```
wheel ALL=(ALL:ALL) : ALL
```

which misses the `SETENV` prefix and is therefore invalid:

```
parse error in /nix/store/76iail0ygnc0f81xp4lr42jg2ac1vy92-sudoers-in near line 11
```

You can test this by running: `nix-build nixos/tests/misc.nix`
Oh, I actually didn't test it with a command in the `options` syntax but with an empty list of options. Now it should work as expected and I even pass the `SETENV` option.

Prior to this change, it generated

```
%wheel ALL=(ALL:ALL) NOPASSWD: ALL, SETENV: ALL
```

Now, the line looks like

```
%wheel ALL=(ALL:ALL) NOPASSWD:SETENV: ALL
```

which should have the exact same effect.

All the tests defined in `nixos/tests/misc.nix` are succeeding too.
I just noticed that I'm not in the maintainers list on master, but only in my other open PR #33861. So I guess it would make sense to merge that one first.
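To make the rendering discussed in this thread concrete, here is a small Python model, added here and not the nixpkgs module's own code, of how per-command tags such as `NOPASSWD` and `SETENV` are joined in front of a command, including the empty-options edge case that produced the invalid `: ALL` line. The rule shape and the function names (`render_rule`, `check_sudoers_line`) are my assumptions.

```python
from typing import Dict, List, Union

# Constructed rule shape (my assumption): users and groups share one command list.
Command = Union[str, Dict[str, object]]

def broken_options_prefix(options: List[str]) -> str:
    """The shape that yields ': ALL': always appends ': ', even with no tags."""
    return ":".join(options) + ": "

def command_options_prefix(options: List[str]) -> str:
    """Join tags as 'TAG1:TAG2: '; with no tags the prefix must be empty."""
    if not options:
        return ""
    return ":".join(options) + ": "

def commands_to_string(commands: List[Command]) -> str:
    parts = []
    for cmd in commands:
        if isinstance(cmd, str):
            parts.append(cmd)  # a plain command string carries no tags
        else:
            opts = list(cmd.get("options", []))
            parts.append(command_options_prefix(opts) + str(cmd["command"]))
    return ", ".join(parts)

def render_rule(rule: Dict[str, object]) -> List[str]:
    """Emit one sudoers line per user and per group named in the rule."""
    host = rule.get("host", "ALL")
    run_as = rule.get("runAs", "ALL:ALL")
    cmds = commands_to_string(list(rule.get("commands", [])))
    lines = [f"{u} {host}=({run_as}) {cmds}" for u in rule.get("users", [])]
    lines += [f"%{g} {host}=({run_as}) {cmds}" for g in rule.get("groups", [])]
    return lines

def check_sudoers_line(line: str) -> bool:
    """Cheap sanity check: the command spec must not start with ':' or contain '::'."""
    _, _, spec = line.partition(") ")
    return bool(spec) and not spec.startswith(":") and "::" not in spec

# Constructed sample: the passwordless wheel rule from the thread.
WHEEL_NOPASSWD = {"groups": ["wheel"],
                  "commands": [{"command": "ALL", "options": ["NOPASSWD", "SETENV"]}]}

if __name__ == "__main__":
    for line in render_rule(WHEEL_NOPASSWD):
        print(line, "OK" if check_sudoers_line(line) else "INVALID")
    print("wheel ALL=(ALL:ALL) " + broken_options_prefix([]) + "ALL", "(broken shape)")
```

`check_sudoers_line` only catches the malformed shape seen in this thread; `visudo -c` on the generated file remains the authoritative check.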
Thanks! This is a nice improvement, for an otherwise scary configuration syntax.
Motivation for this change
This change makes it possible to define extra sudo rules by using only the Nix language.
It has a few benefits over the current way of defining rules, mainly: