pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / doas.nix
at 25.11-pre 4.5 kB view raw
1# Some tests to ensure doas is working properly. 2{ lib, ... }: 3{ 4 name = "doas"; 5 meta.maintainers = with lib.maintainers; [ cole-h ]; 6 7 nodes.machine = 8 { ... }: 9 { 10 users.groups = { 11 foobar = { }; 12 barfoo = { }; 13 baz = { 14 gid = 1337; 15 }; 16 }; 17 users.users = { 18 test0 = { 19 isNormalUser = true; 20 extraGroups = [ "wheel" ]; 21 }; 22 test1 = { 23 isNormalUser = true; 24 }; 25 test2 = { 26 isNormalUser = true; 27 extraGroups = [ "foobar" ]; 28 }; 29 test3 = { 30 isNormalUser = true; 31 extraGroups = [ "barfoo" ]; 32 }; 33 test4 = { 34 isNormalUser = true; 35 extraGroups = [ "baz" ]; 36 }; 37 test5 = { 38 isNormalUser = true; 39 }; 40 test6 = { 41 isNormalUser = true; 42 }; 43 test7 = { 44 isNormalUser = true; 45 }; 46 }; 47 48 security.doas = { 49 enable = true; 50 wheelNeedsPassword = false; 51 52 extraRules = [ 53 { 54 users = [ "test1" ]; 55 groups = [ "foobar" ]; 56 } 57 { 58 users = [ "test2" ]; 59 noPass = true; 60 setEnv = [ 61 "CORRECT" 62 "HORSE=BATTERY" 63 ]; 64 } 65 { 66 groups = [ 67 "barfoo" 68 1337 69 ]; 70 noPass = true; 71 } 72 { 73 users = [ "test5" ]; 74 noPass = true; 75 keepEnv = true; 76 runAs = "test1"; 77 } 78 { 79 users = [ "test6" ]; 80 noPass = true; 81 keepEnv = true; 82 setEnv = [ "-STAPLE" ]; 83 } 84 { 85 users = [ "test7" ]; 86 noPass = true; 87 setEnv = [ "-SSH_AUTH_SOCK" ]; 88 } 89 ]; 90 }; 91 }; 92 93 testScript = '' 94 with subtest("users in wheel group should have passwordless doas"): 95 machine.succeed('su - test0 -c "doas -u root true"') 96 97 with subtest("test1 user should not be able to use doas without password"): 98 machine.fail('su - test1 -c "doas -n -u root true"') 99 100 with subtest("test2 user should be able to keep some env"): 101 if "CORRECT=1" not in machine.succeed('su - test2 -c "CORRECT=1 doas env"'): 102 raise Exception("failed to keep CORRECT") 103 104 if "HORSE=BATTERY" not in machine.succeed('su - test2 -c "doas env"'): 105 raise Exception("failed to setenv HORSE=BATTERY") 106 107 with subtest("users in group 'barfoo' shouldn't require password"): 108 machine.succeed("doas -u test3 doas -n -u root true") 109 110 with subtest("users in group 'baz' (GID 1337) shouldn't require password"): 111 machine.succeed("doas -u test4 doas -n -u root echo true") 112 113 with subtest("test5 user should be able to run commands under test1"): 114 machine.succeed("doas -u test5 doas -n -u test1 true") 115 116 with subtest("test5 user should not be able to run commands under root"): 117 machine.fail("doas -u test5 doas -n -u root true") 118 119 with subtest("test6 user should be able to keepenv"): 120 envs = ["BATTERY=HORSE", "CORRECT=false"] 121 out = machine.succeed( 122 'su - test6 -c "BATTERY=HORSE CORRECT=false STAPLE=Tr0ub4dor doas env"' 123 ) 124 125 if not all(env in out for env in envs): 126 raise Exception("failed to keep BATTERY or CORRECT") 127 if "STAPLE=Tr0ub4dor" in out: 128 raise Exception("failed to exclude STAPLE") 129 130 with subtest("test7 should not have access to SSH_AUTH_SOCK"): 131 if "SSH_AUTH_SOCK=HOLEY" in machine.succeed( 132 'su - test7 -c "SSH_AUTH_SOCK=HOLEY doas env"' 133 ): 134 raise Exception("failed to exclude SSH_AUTH_SOCK") 135 136 # Test that the doas setuid wrapper precedes the unwrapped version in PATH after 137 # calling doas. 138 # The PATH set by doas is defined in 139 # ../../pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch 140 with subtest("recursive calls to doas from subprocesses should succeed"): 141 machine.succeed('doas -u test0 sh -c "doas -u test0 true"') 142 143 with subtest("test0 should inherit TERMINFO_DIRS from the user environment"): 144 dirs = machine.succeed( 145 "su - test0 -c 'doas -u root $SHELL -c \"echo \$TERMINFO_DIRS\"'" 146 ) 147 148 if not "test0" in dirs: 149 raise Exception(f"user profile TERMINFO_DIRS is not preserved: {dirs}") 150 ''; 151}