pyrox.dev
1# Some tests to ensure sudo is working properly.
2
3let
4 password = "helloworld";
5in
6import ./make-test-python.nix (
7 { lib, pkgs, ... }:
8 {
9 name = "sudo";
10 meta.maintainers = pkgs.sudo.meta.maintainers;
11
12 nodes.machine =
13 { lib, ... }:
14 {
15 users.groups = {
16 foobar = { };
17 barfoo = { };
18 baz = {
19 gid = 1337;
20 };
21 };
22 users.users = {
23 test0 = {
24 isNormalUser = true;
25 extraGroups = [ "wheel" ];
26 };
27 test1 = {
28 isNormalUser = true;
29 password = password;
30 };
31 test2 = {
32 isNormalUser = true;
33 extraGroups = [ "foobar" ];
34 password = password;
35 };
36 test3 = {
37 isNormalUser = true;
38 extraGroups = [ "barfoo" ];
39 };
40 test4 = {
41 isNormalUser = true;
42 extraGroups = [ "baz" ];
43 };
44 test5 = {
45 isNormalUser = true;
46 };
47 };
48
49 security.sudo = {
50 # Explicitly _not_ defining 'enable = true;' here, to check that sudo is enabled by default
51
52 wheelNeedsPassword = false;
53
54 extraConfig = ''
55 Defaults lecture="never"
56 '';
57
58 extraRules = [
59 # SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
60 # errors being detected by the visudo checks.
61
62 # These should not create any entries
63 {
64 users = [ "notest1" ];
65 commands = [ ];
66 }
67 {
68 commands = [
69 {
70 command = "ALL";
71 options = [ ];
72 }
73 ];
74 }
75
76 # Test defining commands with the options syntax, though not setting any options
77 {
78 users = [ "notest2" ];
79 commands = [
80 {
81 command = "ALL";
82 options = [ ];
83 }
84 ];
85 }
86
87 # CONFIGURATION FOR TEST CASES
88 {
89 users = [ "test1" ];
90 groups = [ "foobar" ];
91 commands = [ "ALL" ];
92 }
93 {
94 groups = [
95 "barfoo"
96 1337
97 ];
98 commands = [
99 {
100 command = "ALL";
101 options = [
102 "NOPASSWD"
103 "NOSETENV"
104 ];
105 }
106 ];
107 }
108 {
109 users = [ "test5" ];
110 commands = [
111 {
112 command = "ALL";
113 options = [
114 "NOPASSWD"
115 "SETENV"
116 ];
117 }
118 ];
119 runAs = "test1:barfoo";
120 }
121 ];
122 };
123 };
124
125 nodes.strict =
126 { ... }:
127 {
128 users.users = {
129 admin = {
130 isNormalUser = true;
131 extraGroups = [ "wheel" ];
132 };
133 noadmin = {
134 isNormalUser = true;
135 };
136 };
137
138 security.sudo = {
139 enable = true;
140 wheelNeedsPassword = false;
141 execWheelOnly = true;
142 };
143 };
144
145 testScript = ''
146 with subtest("users in wheel group should have passwordless sudo"):
147 machine.succeed('su - test0 -c "sudo -u root true"')
148
149 with subtest("test1 user should have sudo with password"):
150 machine.succeed('su - test1 -c "echo ${password} | sudo -S -u root true"')
151
152 with subtest("test1 user should not be able to use sudo without password"):
153 machine.fail('su - test1 -c "sudo -n -u root true"')
154
155 with subtest("users in group 'foobar' should be able to use sudo with password"):
156 machine.succeed('su - test2 -c "echo ${password} | sudo -S -u root true"')
157
158 with subtest("users in group 'barfoo' should be able to use sudo without password"):
159 machine.succeed("sudo -u test3 sudo -n -u root true")
160
161 with subtest("users in group 'baz' (GID 1337)"):
162 machine.succeed("sudo -u test4 sudo -n -u root echo true")
163
164 with subtest("test5 user should be able to run commands under test1"):
165 machine.succeed("sudo -u test5 sudo -n -u test1 true")
166
167 with subtest("test5 user should not be able to run commands under root"):
168 machine.fail("sudo -u test5 sudo -n -u root true")
169
170 with subtest("test5 user should be able to keep their environment"):
171 machine.succeed("sudo -u test5 sudo -n -E -u test1 true")
172
173 with subtest("users in group 'barfoo' should not be able to keep their environment"):
174 machine.fail("sudo -u test3 sudo -n -E -u root true")
175
176 with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
177 strict.succeed('su - admin -c "sudo -u root true"')
178
179 with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
180 strict.fail('su - noadmin -c "sudo --help"')
181 '';
182 }
183)