pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / security / sudo.nix
at 23.11-pre 8.4 kB view raw
1{ config, lib, pkgs, ... }: 2 3with lib; 4 5let 6 7 cfg = config.security.sudo; 8 9 inherit (pkgs) sudo; 10 11 toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; 12 toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; 13 14 toCommandOptionsString = options: 15 "${concatStringsSep ":" options}${optionalString (length options != 0) ":"} "; 16 17 toCommandsString = commands: 18 concatStringsSep ", " ( 19 map (command: 20 if (isString command) then 21 command 22 else 23 "${toCommandOptionsString command.options}${command.command}" 24 ) commands 25 ); 26 27in 28 29{ 30 31 ###### interface 32 33 options = { 34 35 security.sudo.enable = mkOption { 36 type = types.bool; 37 default = true; 38 description = 39 lib.mdDoc '' 40 Whether to enable the {command}`sudo` command, which 41 allows non-root users to execute commands as root. 42 ''; 43 }; 44 45 security.sudo.package = mkOption { 46 type = types.package; 47 default = pkgs.sudo; 48 defaultText = literalExpression "pkgs.sudo"; 49 description = lib.mdDoc '' 50 Which package to use for `sudo`. 51 ''; 52 }; 53 54 security.sudo.wheelNeedsPassword = mkOption { 55 type = types.bool; 56 default = true; 57 description = 58 lib.mdDoc '' 59 Whether users of the `wheel` group must 60 provide a password to run commands as super user via {command}`sudo`. 61 ''; 62 }; 63 64 security.sudo.execWheelOnly = mkOption { 65 type = types.bool; 66 default = false; 67 description = lib.mdDoc '' 68 Only allow members of the `wheel` group to execute sudo by 69 setting the executable's permissions accordingly. 70 This prevents users that are not members of `wheel` from 71 exploiting vulnerabilities in sudo such as CVE-2021-3156. 72 ''; 73 }; 74 75 security.sudo.configFile = mkOption { 76 type = types.lines; 77 # Note: if syntax errors are detected in this file, the NixOS 78 # configuration will fail to build. 79 description = 80 lib.mdDoc '' 81 This string contains the contents of the 82 {file}`sudoers` file. 83 ''; 84 }; 85 86 security.sudo.extraRules = mkOption { 87 description = lib.mdDoc '' 88 Define specific rules to be in the {file}`sudoers` file. 89 More specific rules should come after more general ones in order to 90 yield the expected behavior. You can use mkBefore/mkAfter to ensure 91 this is the case when configuration options are merged. 92 ''; 93 default = []; 94 example = literalExpression '' 95 [ 96 # Allow execution of any command by all users in group sudo, 97 # requiring a password. 98 { groups = [ "sudo" ]; commands = [ "ALL" ]; } 99 100 # Allow execution of "/home/root/secret.sh" by user `backup`, `database` 101 # and the group with GID `1006` without a password. 102 { users = [ "backup" "database" ]; groups = [ 1006 ]; 103 commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; } 104 105 # Allow all users of group `bar` to run two executables as user `foo` 106 # with arguments being pre-set. 107 { groups = [ "bar" ]; runAs = "foo"; 108 commands = 109 [ "/home/baz/cmd1.sh hello-sudo" 110 { command = '''/home/baz/cmd2.sh ""'''; options = [ "SETENV" ]; } ]; } 111 ] 112 ''; 113 type = with types; listOf (submodule { 114 options = { 115 users = mkOption { 116 type = with types; listOf (either str int); 117 description = lib.mdDoc '' 118 The usernames / UIDs this rule should apply for. 119 ''; 120 default = []; 121 }; 122 123 groups = mkOption { 124 type = with types; listOf (either str int); 125 description = lib.mdDoc '' 126 The groups / GIDs this rule should apply for. 127 ''; 128 default = []; 129 }; 130 131 host = mkOption { 132 type = types.str; 133 default = "ALL"; 134 description = lib.mdDoc '' 135 For what host this rule should apply. 136 ''; 137 }; 138 139 runAs = mkOption { 140 type = with types; str; 141 default = "ALL:ALL"; 142 description = lib.mdDoc '' 143 Under which user/group the specified command is allowed to run. 144 145 A user can be specified using just the username: `"foo"`. 146 It is also possible to specify a user/group combination using `"foo:bar"` 147 or to only allow running as a specific group with `":bar"`. 148 ''; 149 }; 150 151 commands = mkOption { 152 description = lib.mdDoc '' 153 The commands for which the rule should apply. 154 ''; 155 type = with types; listOf (either str (submodule { 156 157 options = { 158 command = mkOption { 159 type = with types; str; 160 description = lib.mdDoc '' 161 A command being either just a path to a binary to allow any arguments, 162 the full command with arguments pre-set or with `""` used as the argument, 163 not allowing arguments to the command at all. 164 ''; 165 }; 166 167 options = mkOption { 168 type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]); 169 description = lib.mdDoc '' 170 Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html). 171 ''; 172 default = []; 173 }; 174 }; 175 176 })); 177 }; 178 }; 179 }); 180 }; 181 182 security.sudo.extraConfig = mkOption { 183 type = types.lines; 184 default = ""; 185 description = lib.mdDoc '' 186 Extra configuration text appended to {file}`sudoers`. 187 ''; 188 }; 189 }; 190 191 192 ###### implementation 193 194 config = mkIf cfg.enable { 195 196 # We `mkOrder 600` so that the default rule shows up first, but there is 197 # still enough room for a user to `mkBefore` it. 198 security.sudo.extraRules = mkOrder 600 [ 199 { groups = [ "wheel" ]; 200 commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ]; 201 } 202 ]; 203 204 security.sudo.configFile = 205 '' 206 # Don't edit this file. Set the NixOS options security.sudo.configFile 207 # or security.sudo.extraRules instead. 208 209 # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. 210 Defaults env_keep+=SSH_AUTH_SOCK 211 212 # "root" is allowed to do anything. 213 root ALL=(ALL:ALL) SETENV: ALL 214 215 # extraRules 216 ${concatStringsSep "\n" ( 217 lists.flatten ( 218 map ( 219 rule: if (length rule.commands != 0) then [ 220 (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) 221 (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) 222 ] else [] 223 ) cfg.extraRules 224 ) 225 )} 226 227 ${cfg.extraConfig} 228 ''; 229 230 security.wrappers = let 231 owner = "root"; 232 group = if cfg.execWheelOnly then "wheel" else "root"; 233 setuid = true; 234 permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x"; 235 in { 236 sudo = { 237 source = "${cfg.package.out}/bin/sudo"; 238 inherit owner group setuid permissions; 239 }; 240 sudoedit = { 241 source = "${cfg.package.out}/bin/sudoedit"; 242 inherit owner group setuid permissions; 243 }; 244 }; 245 246 environment.systemPackages = [ sudo ]; 247 248 security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; }; 249 250 environment.etc.sudoers = 251 { source = 252 pkgs.runCommand "sudoers" 253 { 254 src = pkgs.writeText "sudoers-in" cfg.configFile; 255 preferLocalBuild = true; 256 } 257 # Make sure that the sudoers file is syntactically valid. 258 # (currently disabled - NIXOS-66) 259 "${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out"; 260 mode = "0440"; 261 }; 262 263 }; 264 265}