pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / sudo.nix
at 23.11-pre 4.1 kB view raw
1# Some tests to ensure sudo is working properly. 2 3let 4 password = "helloworld"; 5in 6 import ./make-test-python.nix ({ lib, pkgs, ...} : { 7 name = "sudo"; 8 meta.maintainers = with lib.maintainers; [ lschuermann ]; 9 10 nodes.machine = 11 { lib, ... }: 12 { 13 users.groups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; }; 14 users.users = { 15 test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; }; 16 test1 = { isNormalUser = true; password = password; }; 17 test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; }; 18 test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; }; 19 test4 = { isNormalUser = true; extraGroups = [ "baz" ]; }; 20 test5 = { isNormalUser = true; }; 21 }; 22 23 security.sudo = { 24 enable = true; 25 wheelNeedsPassword = false; 26 27 extraConfig = '' 28 Defaults lecture="never" 29 ''; 30 31 extraRules = [ 32 # SUDOERS SYNTAX CHECK (Test whether the module produces a valid output; 33 # errors being detected by the visudo checks. 34 35 # These should not create any entries 36 { users = [ "notest1" ]; commands = [ ]; } 37 { commands = [ { command = "ALL"; options = [ ]; } ]; } 38 39 # Test defining commands with the options syntax, though not setting any options 40 { users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; } 41 42 43 # CONFIGURATION FOR TEST CASES 44 { users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; } 45 { groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; } 46 { users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; } 47 ]; 48 }; 49 }; 50 51 nodes.strict = { ... }: { 52 users.users = { 53 admin = { isNormalUser = true; extraGroups = [ "wheel" ]; }; 54 noadmin = { isNormalUser = true; }; 55 }; 56 57 security.sudo = { 58 enable = true; 59 wheelNeedsPassword = false; 60 execWheelOnly = true; 61 }; 62 }; 63 64 testScript = 65 '' 66 with subtest("users in wheel group should have passwordless sudo"): 67 machine.succeed('su - test0 -c "sudo -u root true"') 68 69 with subtest("test1 user should have sudo with password"): 70 machine.succeed('su - test1 -c "echo ${password} | sudo -S -u root true"') 71 72 with subtest("test1 user should not be able to use sudo without password"): 73 machine.fail('su - test1 -c "sudo -n -u root true"') 74 75 with subtest("users in group 'foobar' should be able to use sudo with password"): 76 machine.succeed('su - test2 -c "echo ${password} | sudo -S -u root true"') 77 78 with subtest("users in group 'barfoo' should be able to use sudo without password"): 79 machine.succeed("sudo -u test3 sudo -n -u root true") 80 81 with subtest("users in group 'baz' (GID 1337)"): 82 machine.succeed("sudo -u test4 sudo -n -u root echo true") 83 84 with subtest("test5 user should be able to run commands under test1"): 85 machine.succeed("sudo -u test5 sudo -n -u test1 true") 86 87 with subtest("test5 user should not be able to run commands under root"): 88 machine.fail("sudo -u test5 sudo -n -u root true") 89 90 with subtest("test5 user should be able to keep their environment"): 91 machine.succeed("sudo -u test5 sudo -n -E -u test1 true") 92 93 with subtest("users in group 'barfoo' should not be able to keep their environment"): 94 machine.fail("sudo -u test3 sudo -n -E -u root true") 95 96 with subtest("users in wheel should be able to run sudo despite execWheelOnly"): 97 strict.succeed('su - admin -c "sudo -u root true"') 98 99 with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"): 100 strict.fail('su - noadmin -c "sudo --help"') 101 ''; 102 })