commit 5624aa9f812aeccc6b70de9812a28df28996545a · pyrox.dev/nixpkgs

+25 -3

nixos/modules/security/sudo.nix

···

       61
       61
        
               '';

     

       62
       62
        
             };

     

       63
       63
        
       

     

       64
       64
       +
           security.sudo.execWheelOnly = mkOption {

     

       65
       65
       +
             type = types.bool;

     

       66
       66
       +
             default = false;

     

       67
       67
       +
             description = ''

     

       68
       68
       +
               Only allow members of the <code>wheel</code> group to execute sudo by

     

       69
       69
       +
               setting the executable's permissions accordingly.

     

       70
       70
       +
               This prevents users that are not members of <code>wheel</code> from

     

       71
       71
       +
               exploiting vulnerabilities in sudo such as CVE-2021-3156.

     

       72
       72
       +
             '';

     

       73
       73
       +
           };

     

       74
       74
       +
       

     

       64
       75
        
           security.sudo.configFile = mkOption {

     

       65
       76
        
             type = types.lines;

     

       66
       77
        
             # Note: if syntax errors are detected in this file, the NixOS

     
···

       216
       227
        
               ${cfg.extraConfig}

     

       217
       228
        
             '';

     

       218
       229
        
       

     

       219
       219
       -
           security.wrappers = {

     

       220
       220
       -
             sudo.source = "${cfg.package.out}/bin/sudo";

     

       221
       221
       -
             sudoedit.source = "${cfg.package.out}/bin/sudoedit";

     

       230
       230
       +
           security.wrappers = let

     

       231
       231
       +
             owner = "root";

     

       232
       232
       +
             group = if cfg.execWheelOnly then "wheel" else "root";

     

       233
       233
       +
             setuid = true;

     

       234
       234
       +
             permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";

     

       235
       235
       +
           in {

     

       236
       236
       +
             sudo = {

     

       237
       237
       +
               source = "${cfg.package.out}/bin/sudo";

     

       238
       238
       +
               inherit owner group setuid permissions;

     

       239
       239
       +
             };

     

       240
       240
       +
             sudoedit = {

     

       241
       241
       +
               source = "${cfg.package.out}/bin/sudoedit";

     

       242
       242
       +
               inherit owner group setuid permissions;

     

       243
       243
       +
             };

     

       222
       244
        
           };

     

       223
       245
        
       

     

       224
       246
        
           environment.systemPackages = [ sudo ];

+20 -1

nixos/tests/sudo.nix

···

       10
       10
        
             maintainers = [ lschuermann ];

     

       11
       11
        
           };

     

       12
       12
        
       

     

       13
       13
       -
           machine =

     

       13
       13
       +
           nodes.machine =

     

       14
       14
        
             { lib, ... }:

     

       15
       15
        
             with lib;

     

       16
       16
        
             {

     
···

       48
       48
        
               };

     

       49
       49
        
             };

     

       50
       50
        
       

     

       51
       51
       +
           nodes.strict = { ... }: {

     

       52
       52
       +
             users.users = {

     

       53
       53
       +
               admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };

     

       54
       54
       +
               noadmin = { isNormalUser = true; };

     

       55
       55
       +
             };

     

       56
       56
       +
       

     

       57
       57
       +
             security.sudo = {

     

       58
       58
       +
               enable = true;

     

       59
       59
       +
               wheelNeedsPassword = false;

     

       60
       60
       +
               execWheelOnly = true;

     

       61
       61
       +
             };

     

       62
       62
       +
           };

     

       63
       63
       +
       

     

       51
       64
        
           testScript =

     

       52
       65
        
             ''

     

       53
       66
        
               with subtest("users in wheel group should have passwordless sudo"):

     
···

       79
       92
        
       

     

       80
       93
        
               with subtest("users in group 'barfoo' should not be able to keep their environment"):

     

       81
       94
        
                   machine.fail("sudo -u test3 sudo -n -E -u root true")

     

       95
       95
       +
       

     

       96
       96
       +
               with subtest("users in wheel should be able to run sudo despite execWheelOnly"):

     

       97
       97
       +
                   strict.succeed('su - admin -c "sudo -u root true"')

     

       98
       98
       +
       

     

       99
       99
       +
               with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):

     

       100
       100
       +
                   strict.fail('su - noadmin -c "sudo --help"')

     

       82
       101
        
             '';

     

       83
       102
        
         })