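# Some tests to ensure sudo is working properly.
#
# Layout: the machine defines six users and three groups, grants sudo through
# `security.sudo.extraRules`, and the test script checks every rule from the
# affected user's perspective -- the allowed case and the denied case, where
# the rule has one.

let
  # Shared password for the users that have to authenticate to sudo.
  password = "helloworld";

in
  import ./make-test.nix ({ pkgs, ...} : {
    name = "sudo";
    meta = with pkgs.stdenv.lib.maintainers; {
      maintainers = [ lschuermann ];
    };

    machine =
      { config, lib, pkgs, ... }:
      with lib;
      {
        # `baz` gets a fixed GID so the rule below can address the group by number.
        users.extraGroups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; };
        users.users = {
          test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; };
          test1 = { isNormalUser = true; password = password; };
          test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; };
          test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; };
          test4 = { isNormalUser = true; extraGroups = [ "baz" ]; };
          test5 = { isNormalUser = true; };
        };

        security.sudo = {
          enable = true;
          wheelNeedsPassword = false;

          extraRules = [
            # SUDOERS SYNTAX CHECK (test whether the module produces a valid output;
            # errors are detected by the visudo checks).

            # These should not create any entries
            { users = [ "notest1" ]; commands = [ ]; }
            { commands = [ { command = "ALL"; options = [ ]; } ]; }

            # Test defining commands with the options syntax, though not setting any options
            { users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; }


            # CONFIGURATION FOR TEST CASES

            # test1 and members of `foobar`: any command, password required.
            { users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; }
            # `barfoo` (by name) and GID 1337 (by number): no password, environment
            # may not be kept (NOSETENV).
            { groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; }
            # test5: no password, environment may be kept (SETENV), but only when
            # running as user test1 / group barfoo -- never as root.
            { users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; }
          ];
        };
      };

    testScript =
      ''
        # The test driver runs its commands as root, so every check first switches
        # to the user under test (via `su` or an outer `sudo -u`) and only then
        # issues the inner sudo call that exercises the rule.

        subtest "users in wheel group should have passwordless sudo", sub {
          $machine->succeed("su - test0 -c \"sudo -u root true\"");
        };

        subtest "test1 user should have sudo with password", sub {
          $machine->succeed("su - test1 -c \"echo ${password} | sudo -S -u root true\"");
        };

        subtest "test1 user should not be able to use sudo without password", sub {
          $machine->fail("su - test1 -c \"sudo -n -u root true\"");
        };

        subtest "users in group 'foobar' should be able to use sudo with password", sub {
          # The whole pipeline has to run as test2. With a bare
          # `sudo -u test2 echo ... | sudo -S ...` only the echo would run as test2;
          # the second sudo would run as the root test driver and the foobar rule
          # would never be exercised.
          $machine->succeed("su - test2 -c \"echo ${password} | sudo -S -u root true\"");
        };

        subtest "users in group 'foobar' should not be able to use sudo without password", sub {
          $machine->fail("su - test2 -c \"sudo -n -u root true\"");
        };

        subtest "users in group 'barfoo' should be able to use sudo without password", sub {
          $machine->succeed("sudo -u test3 sudo -n -u root true");
        };

        subtest "users in group 'baz' (GID 1337) should be able to use sudo without password", sub {
          $machine->succeed("sudo -u test4 sudo -n -u root echo true");
        };

        subtest "test5 user should be able to run commands under test1", sub {
          $machine->succeed("sudo -u test5 sudo -n -u test1 true");
        };

        subtest "test5 user should not be able to run commands under root", sub {
          $machine->fail("sudo -u test5 sudo -n -u root true");
        };

        subtest "test5 user should be able to keep his environment", sub {
          $machine->succeed("sudo -u test5 sudo -n -E -u test1 true");
        };

        subtest "users in group 'barfoo' should not be able to keep their environment", sub {
          $machine->fail("sudo -u test3 sudo -n -E -u root true");
        };
      '';
  })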