pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / sudo.nix
at 23.05-pre 4.1 kB view raw
1# Some tests to ensure sudo is working properly. 2 3let 4 password = "helloworld"; 5 6in 7 import ./make-test-python.nix ({ pkgs, ...} : { 8 name = "sudo"; 9 meta = with pkgs.lib.maintainers; { 10 maintainers = [ lschuermann ]; 11 }; 12 13 nodes.machine = 14 { lib, ... }: 15 with lib; 16 { 17 users.groups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; }; 18 users.users = { 19 test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; }; 20 test1 = { isNormalUser = true; password = password; }; 21 test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; }; 22 test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; }; 23 test4 = { isNormalUser = true; extraGroups = [ "baz" ]; }; 24 test5 = { isNormalUser = true; }; 25 }; 26 27 security.sudo = { 28 enable = true; 29 wheelNeedsPassword = false; 30 31 extraConfig = '' 32 Defaults lecture="never" 33 ''; 34 35 extraRules = [ 36 # SUDOERS SYNTAX CHECK (Test whether the module produces a valid output; 37 # errors being detected by the visudo checks. 38 39 # These should not create any entries 40 { users = [ "notest1" ]; commands = [ ]; } 41 { commands = [ { command = "ALL"; options = [ ]; } ]; } 42 43 # Test defining commands with the options syntax, though not setting any options 44 { users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; } 45 46 47 # CONFIGURATION FOR TEST CASES 48 { users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; } 49 { groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; } 50 { users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; } 51 ]; 52 }; 53 }; 54 55 nodes.strict = { ... }: { 56 users.users = { 57 admin = { isNormalUser = true; extraGroups = [ "wheel" ]; }; 58 noadmin = { isNormalUser = true; }; 59 }; 60 61 security.sudo = { 62 enable = true; 63 wheelNeedsPassword = false; 64 execWheelOnly = true; 65 }; 66 }; 67 68 testScript = 69 '' 70 with subtest("users in wheel group should have passwordless sudo"): 71 machine.succeed('su - test0 -c "sudo -u root true"') 72 73 with subtest("test1 user should have sudo with password"): 74 machine.succeed('su - test1 -c "echo ${password} | sudo -S -u root true"') 75 76 with subtest("test1 user should not be able to use sudo without password"): 77 machine.fail('su - test1 -c "sudo -n -u root true"') 78 79 with subtest("users in group 'foobar' should be able to use sudo with password"): 80 machine.succeed('su - test2 -c "echo ${password} | sudo -S -u root true"') 81 82 with subtest("users in group 'barfoo' should be able to use sudo without password"): 83 machine.succeed("sudo -u test3 sudo -n -u root true") 84 85 with subtest("users in group 'baz' (GID 1337)"): 86 machine.succeed("sudo -u test4 sudo -n -u root echo true") 87 88 with subtest("test5 user should be able to run commands under test1"): 89 machine.succeed("sudo -u test5 sudo -n -u test1 true") 90 91 with subtest("test5 user should not be able to run commands under root"): 92 machine.fail("sudo -u test5 sudo -n -u root true") 93 94 with subtest("test5 user should be able to keep their environment"): 95 machine.succeed("sudo -u test5 sudo -n -E -u test1 true") 96 97 with subtest("users in group 'barfoo' should not be able to keep their environment"): 98 machine.fail("sudo -u test3 sudo -n -E -u root true") 99 100 with subtest("users in wheel should be able to run sudo despite execWheelOnly"): 101 strict.succeed('su - admin -c "sudo -u root true"') 102 103 with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"): 104 strict.fail('su - noadmin -c "sudo --help"') 105 ''; 106 })