commit e04579e7cdce875453574a46123b73dfe6db046f · pyrox.dev/nixpkgs

nixos/doc/manual/from_md/release-notes/rl-2211.section.xml

···

       218
       218
        
             </listitem>

     

       219
       219
        
             <listitem>

     

       220
       220
        
               <para>

     

       221
       221
       +
                 <link xlink:href="https://github.com/edneville/please">Please</link>,

     

       222
       222
       +
                 a Sudo clone written in Rust. Available as

     

       223
       223
       +
                 <link linkend="opt-security.please.enable">security.please</link>

     

       224
       224
       +
               </para>

     

       225
       225
       +
             </listitem>

     

       226
       226
       +
             <listitem>

     

       227
       227
       +
               <para>

     

       221
       228
        
                 <link xlink:href="https://github.com/messagebird/sachet/">Sachet</link>,

     

       222
       229
        
                 an SMS alerting tool for the Prometheus Alertmanager.

     

       223
       230
        
                 Available as

nixos/doc/manual/release-notes/rl-2211.section.md

···

       79
       79
        
       

     

       80
       80
        
       - [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).

     

       81
       81
        
       

     

       82
       82
       +
       - [Please](https://github.com/edneville/please), a Sudo clone written in Rust. Available as [security.please](#opt-security.please.enable)

     

       83
       83
       +
       

     

       82
       84
        
       - [Sachet](https://github.com/messagebird/sachet/), an SMS alerting tool for the Prometheus Alertmanager. Available as [services.prometheus.sachet](#opt-services.prometheus.sachet.enable).

     

       83
       85
        
       

     

       84
       86
        
       - [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.

nixos/modules/module-list.nix

···

       263
       263
        
         ./security/pam.nix

     

       264
       264
        
         ./security/pam_usb.nix

     

       265
       265
        
         ./security/pam_mount.nix

     

       266
       266
       +
         ./security/please.nix

     

       266
       267
        
         ./security/polkit.nix

     

       267
       268
        
         ./security/rngd.nix

     

       268
       269
        
         ./security/rtkit.nix

+122

nixos/modules/security/please.nix

···

       1
       1
       +
       { config, lib, pkgs, ... }:

     

       2
       2
       +
       

     

       3
       3
       +
       with lib;

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         cfg = config.security.please;

     

       7
       7
       +
         ini = pkgs.formats.ini { };

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         options.security.please = {

     

       11
       11
       +
           enable = mkEnableOption (mdDoc ''

     

       12
       12
       +
             please, a Sudo clone which allows a users to execute a command or edit a

     

       13
       13
       +
             file as another user

     

       14
       14
       +
           '');

     

       15
       15
       +
       

     

       16
       16
       +
           package = mkOption {

     

       17
       17
       +
             type = types.package;

     

       18
       18
       +
             default = pkgs.please;

     

       19
       19
       +
             defaultText = literalExpression "pkgs.please";

     

       20
       20
       +
             description = mdDoc ''

     

       21
       21
       +
               Which package to use for {command}`please`.

     

       22
       22
       +
             '';

     

       23
       23
       +
           };

     

       24
       24
       +
       

     

       25
       25
       +
           wheelNeedsPassword = mkOption {

     

       26
       26
       +
             type = types.bool;

     

       27
       27
       +
             default = true;

     

       28
       28
       +
             description = lib.mdDoc ''

     

       29
       29
       +
               Whether users of the `wheel` group must provide a password to run

     

       30
       30
       +
               commands or edit files with {command}`please` and

     

       31
       31
       +
               {command}`pleaseedit` respectively.

     

       32
       32
       +
             '';

     

       33
       33
       +
           };

     

       34
       34
       +
       

     

       35
       35
       +
           settings = mkOption {

     

       36
       36
       +
             type = ini.type;

     

       37
       37
       +
             default = { };

     

       38
       38
       +
             example = {

     

       39
       39
       +
               jim_run_any_as_root = {

     

       40
       40
       +
                 name = "jim";

     

       41
       41
       +
                 type = "run";

     

       42
       42
       +
                 target = "root";

     

       43
       43
       +
                 rule = ".*";

     

       44
       44
       +
                 require_pass = false;

     

       45
       45
       +
               };

     

       46
       46
       +
               jim_edit_etc_hosts_as_root = {

     

       47
       47
       +
                 name = "jim";

     

       48
       48
       +
                 type = "edit";

     

       49
       49
       +
                 target = "root";

     

       50
       50
       +
                 rule = "/etc/hosts";

     

       51
       51
       +
                 editmode = 644;

     

       52
       52
       +
                 require_pass = true;

     

       53
       53
       +
               };

     

       54
       54
       +
             };

     

       55
       55
       +
             description = mdDoc ''

     

       56
       56
       +
               Please configuration. Refer to

     

       57
       57
       +
               <https://github.com/edneville/please/blob/master/please.ini.md> for

     

       58
       58
       +
               details.

     

       59
       59
       +
             '';

     

       60
       60
       +
           };

     

       61
       61
       +
         };

     

       62
       62
       +
       

     

       63
       63
       +
         config = mkIf cfg.enable {

     

       64
       64
       +
           security.wrappers =

     

       65
       65
       +
             let

     

       66
       66
       +
               owner = "root";

     

       67
       67
       +
               group = "root";

     

       68
       68
       +
               setuid = true;

     

       69
       69
       +
             in

     

       70
       70
       +
             {

     

       71
       71
       +
               please = {

     

       72
       72
       +
                 source = "${cfg.package}/bin/please";

     

       73
       73
       +
                 inherit owner group setuid;

     

       74
       74
       +
               };

     

       75
       75
       +
               pleaseedit = {

     

       76
       76
       +
                 source = "${cfg.package}/bin/pleaseedit";

     

       77
       77
       +
                 inherit owner group setuid;

     

       78
       78
       +
               };

     

       79
       79
       +
             };

     

       80
       80
       +
       

     

       81
       81
       +
           security.please.settings = rec {

     

       82
       82
       +
             # The "wheel" group is allowed to do anything by default but this can be

     

       83
       83
       +
             # overridden.

     

       84
       84
       +
             wheel_run_as_any = {

     

       85
       85
       +
               type = "run";

     

       86
       86
       +
               group = true;

     

       87
       87
       +
               name = "wheel";

     

       88
       88
       +
               target = ".*";

     

       89
       89
       +
               rule = ".*";

     

       90
       90
       +
               require_pass = cfg.wheelNeedsPassword;

     

       91
       91
       +
             };

     

       92
       92
       +
             wheel_edit_as_any = wheel_run_as_any // { type = "edit"; };

     

       93
       93
       +
             wheel_list_as_any = wheel_run_as_any // { type = "list"; };

     

       94
       94
       +
           };

     

       95
       95
       +
       

     

       96
       96
       +
           environment = {

     

       97
       97
       +
             systemPackages = [ cfg.package ];

     

       98
       98
       +
       

     

       99
       99
       +
             etc."please.ini".source = ini.generate "please.ini"

     

       100
       100
       +
               (cfg.settings // (rec {

     

       101
       101
       +
                 # The "root" user is allowed to do anything by default and this cannot

     

       102
       102
       +
                 # be overridden.

     

       103
       103
       +
                 root_run_as_any = {

     

       104
       104
       +
                   type = "run";

     

       105
       105
       +
                   name = "root";

     

       106
       106
       +
                   target = ".*";

     

       107
       107
       +
                   rule = ".*";

     

       108
       108
       +
                   require_pass = false;

     

       109
       109
       +
                 };

     

       110
       110
       +
                 root_edit_as_any = root_run_as_any // { type = "edit"; };

     

       111
       111
       +
                 root_list_as_any = root_run_as_any // { type = "list"; };

     

       112
       112
       +
               }));

     

       113
       113
       +
           };

     

       114
       114
       +
       

     

       115
       115
       +
           security.pam.services.please = {

     

       116
       116
       +
             sshAgentAuth = true;

     

       117
       117
       +
             usshAuth = true;

     

       118
       118
       +
           };

     

       119
       119
       +
       

     

       120
       120
       +
           meta.maintainers = with maintainers; [ azahi ];

     

       121
       121
       +
         };

     

       122
       122
       +
       }

nixos/tests/all-tests.nix

···

       491
       491
        
         plasma5 = handleTest ./plasma5.nix {};

     

       492
       492
        
         plasma5-systemd-start = handleTest ./plasma5-systemd-start.nix {};

     

       493
       493
        
         plausible = handleTest ./plausible.nix {};

     

       494
       494
       +
         please = handleTest ./please.nix {};

     

       494
       495
        
         pleroma = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./pleroma.nix {};

     

       495
       496
        
         plikd = handleTest ./plikd.nix {};

     

       496
       497
        
         plotinus = handleTest ./plotinus.nix {};

+66

nixos/tests/please.nix

···

       1
       1
       +
       import ./make-test-python.nix ({ lib, ... }:

     

       2
       2
       +
       {

     

       3
       3
       +
         name = "please";

     

       4
       4
       +
         meta.maintainers = with lib.maintainers; [ azahi ];

     

       5
       5
       +
       

     

       6
       6
       +
         nodes.machine =

     

       7
       7
       +
           { ... }:

     

       8
       8
       +
           {

     

       9
       9
       +
             users.users = with lib; mkMerge [

     

       10
       10
       +
               (listToAttrs (map

     

       11
       11
       +
                 (n: nameValuePair n { isNormalUser = true; })

     

       12
       12
       +
                 (genList (x: "user${toString x}") 6)))

     

       13
       13
       +
               {

     

       14
       14
       +
                 user0.extraGroups = [ "wheel" ];

     

       15
       15
       +
               }

     

       16
       16
       +
             ];

     

       17
       17
       +
       

     

       18
       18
       +
             security.please = {

     

       19
       19
       +
               enable = true;

     

       20
       20
       +
               wheelNeedsPassword = false;

     

       21
       21
       +
               settings = {

     

       22
       22
       +
                 user2_run_true_as_root = {

     

       23
       23
       +
                   name = "user2";

     

       24
       24
       +
                   target = "root";

     

       25
       25
       +
                   rule = "/run/current-system/sw/bin/true";

     

       26
       26
       +
                   require_pass = false;

     

       27
       27
       +
                 };

     

       28
       28
       +
                 user4_edit_etc_hosts_as_root = {

     

       29
       29
       +
                   name = "user4";

     

       30
       30
       +
                   type = "edit";

     

       31
       31
       +
                   target = "root";

     

       32
       32
       +
                   rule = "/etc/hosts";

     

       33
       33
       +
                   editmode = 644;

     

       34
       34
       +
                   require_pass = false;

     

       35
       35
       +
                 };

     

       36
       36
       +
               };

     

       37
       37
       +
             };

     

       38
       38
       +
           };

     

       39
       39
       +
       

     

       40
       40
       +
         testScript = ''

     

       41
       41
       +
           with subtest("root: can run anything by default"):

     

       42
       42
       +
               machine.succeed('please true')

     

       43
       43
       +
           with subtest("root: can edit anything by default"):

     

       44
       44
       +
               machine.succeed('EDITOR=cat pleaseedit /etc/hosts')

     

       45
       45
       +
       

     

       46
       46
       +
           with subtest("user0: can run as root because it's in the wheel group"):

     

       47
       47
       +
               machine.succeed('su - user0 -c "please -u root true"')

     

       48
       48
       +
           with subtest("user1: cannot run as root because it's not in the wheel group"):

     

       49
       49
       +
               machine.fail('su - user1 -c "please -u root true"')

     

       50
       50
       +
       

     

       51
       51
       +
           with subtest("user0: can edit as root"):

     

       52
       52
       +
               machine.succeed('su - user0 -c "EDITOR=cat pleaseedit /etc/hosts"')

     

       53
       53
       +
           with subtest("user1: cannot edit as root"):

     

       54
       54
       +
               machine.fail('su - user1 -c "EDITOR=cat pleaseedit /etc/hosts"')

     

       55
       55
       +
       

     

       56
       56
       +
           with subtest("user2: can run 'true' as root"):

     

       57
       57
       +
               machine.succeed('su - user2 -c "please -u root true"')

     

       58
       58
       +
           with subtest("user3: cannot run 'true' as root"):

     

       59
       59
       +
               machine.fail('su - user3 -c "please -u root true"')

     

       60
       60
       +
       

     

       61
       61
       +
           with subtest("user4: can edit /etc/hosts"):

     

       62
       62
       +
               machine.succeed('su - user4 -c "EDITOR=cat pleaseedit /etc/hosts"')

     

       63
       63
       +
           with subtest("user5: cannot edit /etc/hosts"):

     

       64
       64
       +
               machine.fail('su - user5 -c "EDITOR=cat pleaseedit /etc/hosts"')

     

       65
       65
       +
         '';

     

       66
       66
       +
       })

pkgs/tools/security/please/default.nix

···

       29
       29
        
           installManPage man/*

     

       30
       30
        
         '';

     

       31
       31
        
       

     

       32
       32
       +
         passthru.tests = { inherit (nixosTests) please; };

     

       33
       33
       +
       

     

       32
       34
        
         meta = with lib; {

     

       33
       35
        
           description = "A polite regex-first sudo alternative";

     

       34
       36
        
           longDescription = ''