nixos/modules/security/sudo.nix at 18.03-beta · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / security / sudo.nix
at 18.03-beta 7.0 kB view raw
  1{ config, lib, pkgs, ... }:
  2
  3with lib;
  4
  5let
  6
  7  cfg = config.security.sudo;
  8
  9  inherit (pkgs) sudo;
 10
 11  toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
 12  toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
 13
 14  toCommandOptionsString = options:
 15    "${concatStringsSep ":" options}${optionalString (length options != 0) ":"} ";
 16
 17  toCommandsString = commands:
 18    concatStringsSep ", " (
 19      map (command:
 20        if (isString command) then
 21          command
 22        else
 23          "${toCommandOptionsString command.options}${command.command}"
 24      ) commands
 25    );
 26
 27in
 28
 29{
 30
 31  ###### interface
 32
 33  options = {
 34
 35    security.sudo.enable = mkOption {
 36      type = types.bool;
 37      default = true;
 38      description =
 39        ''
 40          Whether to enable the <command>sudo</command> command, which
 41          allows non-root users to execute commands as root.
 42        '';
 43    };
 44
 45    security.sudo.wheelNeedsPassword = mkOption {
 46      type = types.bool;
 47      default = true;
 48      description =
 49        ''
 50          Whether users of the <code>wheel</code> group can execute
 51          commands as super user without entering a password.
 52        '';
 53      };
 54
 55    security.sudo.configFile = mkOption {
 56      type = types.lines;
 57      # Note: if syntax errors are detected in this file, the NixOS
 58      # configuration will fail to build.
 59      description =
 60        ''
 61          This string contains the contents of the
 62          <filename>sudoers</filename> file.
 63        '';
 64    };
 65
 66    security.sudo.extraRules = mkOption {
 67      description = ''
 68        Define specific rules to be in the <filename>sudoers</filename> file.
 69      '';
 70      default = [];
 71      example = [
 72        # Allow execution of any command by all users in group sudo,
 73        # requiring a password.
 74        { groups = [ "sudo" ]; commands = [ "ALL" ]; }
 75
 76        # Allow execution of "/home/root/secret.sh" by user `backup`, `database`
 77        # and the group with GID `1006` without a password.
 78        { users = [ "backup" ]; groups = [ 1006 ];
 79          commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }
 80
 81        # Allow all users of group `bar` to run two executables as user `foo`
 82        # with arguments being pre-set.
 83        { groups = [ "bar" ]; runAs = "foo";
 84          commands =
 85            [ "/home/baz/cmd1.sh hello-sudo"
 86              { command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; }
 87      ];
 88      type = with types; listOf (submodule {
 89        options = {
 90          users = mkOption {
 91            type = with types; listOf (either string int);
 92            description = ''
 93              The usernames / UIDs this rule should apply for.
 94            '';
 95            default = [];
 96          };
 97
 98          groups = mkOption {
 99            type = with types; listOf (either string int);
100            description = ''
101              The groups / GIDs this rule should apply for.
102            '';
103            default = [];
104          };
105
106          host = mkOption {
107            type = types.string;
108            default = "ALL";
109            description = ''
110              For what host this rule should apply.
111            '';
112          };
113
114          runAs = mkOption {
115            type = with types; string;
116            default = "ALL:ALL";
117            description = ''
118              Under which user/group the specified command is allowed to run.
119
120              A user can be specified using just the username: <code>"foo"</code>.
121              It is also possible to specify a user/group combination using <code>"foo:bar"</code>
122              or to only allow running as a specific group with <code>":bar"</code>.
123            '';
124          };
125
126          commands = mkOption {
127            description = ''
128              The commands for which the rule should apply.
129            '';
130            type = with types; listOf (either string (submodule {
131
132              options = {
133                command = mkOption {
134                  type = with types; string;
135                  description = ''
136                    A command being either just a path to a binary to allow any arguments,
137                    the full command with arguments pre-set or with <code>""</code> used as the argument,
138                    not allowing arguments to the command at all.
139                  '';
140                };
141
142                options = mkOption {
143                  type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
144                  description = ''
145                    Options for running the command. Refer to the <a href="https://www.sudo.ws/man/1.7.10/sudoers.man.html">sudo manual</a>.
146                  '';
147                  default = [];
148                };
149              };
150
151            }));
152          };
153        };
154      });
155    };
156
157    security.sudo.extraConfig = mkOption {
158      type = types.lines;
159      default = "";
160      description = ''
161        Extra configuration text appended to <filename>sudoers</filename>.
162      '';
163    };
164  };
165
166
167  ###### implementation
168
169  config = mkIf cfg.enable {
170
171    security.sudo.extraRules = [
172      { groups = [ "wheel" ];
173        commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
174      }
175    ];
176
177    security.sudo.configFile =
178      ''
179        # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
180        # or ‘security.sudo.extraRules’ instead.
181
182        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
183        Defaults env_keep+=SSH_AUTH_SOCK
184
185        # "root" is allowed to do anything.
186        root        ALL=(ALL:ALL) SETENV: ALL
187
188        # extraRules
189        ${concatStringsSep "\n" (
190          lists.flatten (
191            map (
192              rule: if (length rule.commands != 0) then [
193                (map (user: "${toUserString user}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.users)
194                (map (group: "${toGroupString group}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.groups)
195              ] else []
196            ) cfg.extraRules
197          )
198        )}
199
200        ${cfg.extraConfig}
201      '';
202
203    security.wrappers = {
204      sudo.source = "${pkgs.sudo.out}/bin/sudo";
205      sudoedit.source = "${pkgs.sudo.out}/bin/sudoedit";
206    };
207
208    environment.systemPackages = [ sudo ];
209
210    security.pam.services.sudo = { sshAgentAuth = true; };
211
212    environment.etc = singleton
213      { source =
214          pkgs.runCommand "sudoers"
215          { src = pkgs.writeText "sudoers-in" cfg.configFile; }
216          # Make sure that the sudoers file is syntactically valid.
217          # (currently disabled - NIXOS-66)
218          "${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
219        target = "sudoers";
220        mode = "0440";
221      };
222
223  };
224
225}