sudo: define extra rules in Nix language #33905

Merged
merged 6 commits into from Jan 17, 2018

Conversation

lschuermann
Member

@lschuermann lschuermann commented Jan 15, 2018

Motivation for this change

This change makes it possible to define extra sudo rules by using only the Nix language.
It has a few benefits over the current way of defining rules, mainly:

  • The rules are type-checked and it is harder to make syntax errors in the sudo file
  • One rule can conveniently be applied for multiple users & groups
  • Rules can now be defined in multiple Nix files and be merged

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

description = ''
Define specifc rules to be in the <filename>sudoers</filename> file.
'';
default = [];
Member

Can you add also an example here?

Member

Also has a minor typo (specifc)

Member Author

@adisbladis Psst, fixed it in a new commit. :)


# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK

# "root" is allowed to do anything.
root ALL=(ALL:ALL) SETENV: ALL

# Users in the "wheel" group can do anything.
%wheel ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
Member

It now generates this line:

wheel  ALL=(ALL:ALL) : ALL

which misses the SETENV prefix and is therefore invalid:

parse error in /nix/store/76iail0ygnc0f81xp4lr42jg2ac1vy92-sudoers-in near line 11

You can test this by running: nix-build nixos/tests/misc.nix

Member Author

Oh, I actually didn't test it with a command in the options syntax but with an empty list of options. Now it should work as expected and I even pass the SETENV option.

Prior to this change, it generated

%wheel      ALL=(ALL:ALL) NOPASSWD: ALL, SETENV: ALL

Now, the line looks like

%wheel  ALL=(ALL:ALL)   NOPASSWD:SETENV: ALL

which should have the exact same effect.

All the tests defined in nixos/tests/misc.nix are succeeding too.
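As an added illustration (not the NixOS module's own code), the following renderer produces sudoers lines from rules of the shape this PR introduces (users, groups, commands with option tags). It shows why an empty option list must emit no tag prefix at all, and how several tags are joined into the `NOPASSWD:SETENV: ALL` form shown above; the attribute names are assumptions.

```python
"""Render sudoers entries from structured rules (illustration only)."""
from dataclasses import dataclass, field
from typing import List

# Tags sudoers accepts in front of a command (see sudoers(5)).
VALID_TAGS = {
    "NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
    "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
    "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW",
}

@dataclass
class Command:
    command: str                      # "ALL" or an absolute path plus args
    options: List[str] = field(default_factory=list)  # e.g. ["NOPASSWD"]

@dataclass
class Rule:
    users: List[str] = field(default_factory=list)    # user names
    groups: List[str] = field(default_factory=list)   # group names, no "%"
    host: str = "ALL"
    run_as: str = "ALL:ALL"
    commands: List[Command] = field(default_factory=list)

def render_command(c: Command) -> str:
    """Return 'TAG:TAG: cmd', or just 'cmd' when there are no tags."""
    for tag in c.options:
        if tag not in VALID_TAGS:
            raise ValueError(f"unknown sudoers tag: {tag}")
    # Each tag is written as "TAG:" directly before the command. With an
    # empty option list nothing may be emitted: a bare ": ALL" is the
    # parse error the reviewer hit.
    tags = "".join(f"{t}:" for t in c.options)
    return f"{tags} {c.command}" if tags else c.command

def render_rule(r: Rule) -> List[str]:
    """One sudoers line per user and per group the rule applies to.

    Note: in sudoers a tag stays in effect for the following commands of
    the same list unless overridden, so "NOPASSWD: ALL, SETENV: ALL" and
    "NOPASSWD:SETENV: ALL" grant the same thing for ALL.
    """
    specs = ", ".join(render_command(c) for c in r.commands)
    principals = list(r.users) + [f"%{g}" for g in r.groups]
    return [f"{p} {r.host}=({r.run_as}) {specs}" for p in principals]
```

Running `visudo -c -f <rendered file>` on the output applies the same parser sudo uses, which is the check the `nixos/tests/misc.nix` run above exercises end to end.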

@lschuermann
Member Author

I just noticed that I'm not in the maintainers list on master, but only in my other open PR #33861. So I guess it would make sense to merge that one first.

@Mic92 Mic92 merged commit f297ddb into NixOS:master Jan 17, 2018
@Mic92
Member

Mic92 commented Jan 17, 2018

Thanks! This is a nice improvement for an otherwise scary configuration syntax.
