sudo: define extra rules in Nix language (#33905)
Leon Schuermann
Jörg Thalheim
parent
9844e027c4
commit
f297ddb5c9
|
|
@ -8,6 +8,22 @@ let
|
|||
|
||||
inherit (pkgs) sudo;
|
||||
|
||||
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
|
||||
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
|
||||
|
||||
toCommandOptionsString = options:
|
||||
"${concatStringsSep ":" options}${optionalString (length options != 0) ":"} ";
|
||||
|
||||
toCommandsString = commands:
|
||||
concatStringsSep ", " (
|
||||
map (command:
|
||||
if (isString command) then
|
||||
command
|
||||
else
|
||||
"${toCommandOptionsString command.options}${command.command}"
|
||||
) commands
|
||||
);
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
|
|
@ -47,6 +63,97 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
security.sudo.extraRules = mkOption {
|
||||
description = ''
|
||||
Define specific rules to be in the <filename>sudoers</filename> file.
|
||||
'';
|
||||
default = [];
|
||||
example = [
|
||||
# Allow execution of any command by all users in group sudo,
|
||||
# requiring a password.
|
||||
{ groups = [ "sudo" ]; commands = [ "ALL" ]; }
|
||||
|
||||
# Allow execution of "/home/root/secret.sh" by user `backup`, `database`
|
||||
# and the group with GID `1006` without a password.
|
||||
{ users = [ "backup" ]; groups = [ 1006 ];
|
||||
commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }
|
||||
|
||||
# Allow all users of group `bar` to run two executables as user `foo`
|
||||
# with arguments being pre-set.
|
||||
{ groups = [ "bar" ]; runAs = "foo";
|
||||
commands =
|
||||
[ "/home/baz/cmd1.sh hello-sudo"
|
||||
{ command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; }
|
||||
];
|
||||
type = with types; listOf (submodule {
|
||||
options = {
|
||||
users = mkOption {
|
||||
type = with types; listOf (either string int);
|
||||
description = ''
|
||||
The usernames / UIDs this rule should apply for.
|
||||
'';
|
||||
default = [];
|
||||
};
|
||||
|
||||
groups = mkOption {
|
||||
type = with types; listOf (either string int);
|
||||
description = ''
|
||||
The groups / GIDs this rule should apply for.
|
||||
'';
|
||||
default = [];
|
||||
};
|
||||
|
||||
host = mkOption {
|
||||
type = types.string;
|
||||
default = "ALL";
|
||||
description = ''
|
||||
For what host this rule should apply.
|
||||
'';
|
||||
};
|
||||
|
||||
runAs = mkOption {
|
||||
type = with types; string;
|
||||
default = "ALL:ALL";
|
||||
description = ''
|
||||
Under which user/group the specified command is allowed to run.
|
||||
|
||||
A user can be specified using just the username: <code>"foo"</code>.
|
||||
It is also possible to specify a user/group combination using <code>"foo:bar"</code>
|
||||
or to only allow running as a specific group with <code>":bar"</code>.
|
||||
'';
|
||||
};
|
||||
|
||||
commands = mkOption {
|
||||
description = ''
|
||||
The commands for which the rule should apply.
|
||||
'';
|
||||
type = with types; listOf (either string (submodule {
|
||||
|
||||
options = {
|
||||
command = mkOption {
|
||||
type = with types; string;
|
||||
description = ''
|
||||
A command being either just a path to a binary to allow any arguments,
|
||||
the full command with arguments pre-set or with <code>""</code> used as the argument,
|
||||
not allowing arguments to the command at all.
|
||||
'';
|
||||
};
|
||||
|
||||
options = mkOption {
|
||||
type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
|
||||
description = ''
|
||||
Options for running the command. Refer to the <a href="https://www.sudo.ws/man/1.7.10/sudoers.man.html">sudo manual</a>.
|
||||
'';
|
||||
default = [];
|
||||
};
|
||||
};
|
||||
|
||||
}));
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
|
||||
security.sudo.extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
|
|
@ -61,10 +168,16 @@ in
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
security.sudo.extraRules = [
|
||||
{ groups = [ "wheel" ];
|
||||
commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
|
||||
}
|
||||
];
|
||||
|
||||
security.sudo.configFile =
|
||||
''
|
||||
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
|
||||
# or ‘security.sudo.extraConfig’ instead.
|
||||
# or ‘security.sudo.extraRules’ instead.
|
||||
|
||||
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
|
||||
Defaults env_keep+=SSH_AUTH_SOCK
|
||||
|
|
@ -72,8 +185,18 @@ in
|
|||
# "root" is allowed to do anything.
|
||||
root ALL=(ALL:ALL) SETENV: ALL
|
||||
|
||||
# Users in the "wheel" group can do anything.
|
||||
%wheel ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
|
||||
# extraRules
|
||||
${concatStringsSep "\n" (
|
||||
lists.flatten (
|
||||
map (
|
||||
rule: if (length rule.commands != 0) then [
|
||||
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
|
||||
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
|
||||
] else []
|
||||
) cfg.extraRules
|
||||
)
|
||||
)}
|
||||
|
||||
${cfg.extraConfig}
|
||||
'';
|
||||
|
||||
|
|
|
|||
|
|
@ -337,6 +337,7 @@ in rec {
|
|||
tests.smokeping = callTest tests/smokeping.nix {};
|
||||
tests.snapper = callTest tests/snapper.nix {};
|
||||
tests.statsd = callTest tests/statsd.nix {};
|
||||
tests.sudo = callTest tests/sudo.nix {};
|
||||
tests.switchTest = callTest tests/switch-test.nix {};
|
||||
tests.taskserver = callTest tests/taskserver.nix {};
|
||||
tests.tomcat = callTest tests/tomcat.nix {};
|
||||
|
|
|
|||
|
|
@ -115,11 +115,6 @@ import ./make-test.nix ({ pkgs, ...} : {
|
|||
$machine->succeed("nix-store -qR /run/current-system | grep nixos-");
|
||||
};
|
||||
|
||||
# Test sudo
|
||||
subtest "sudo", sub {
|
||||
$machine->succeed("su - sybil -c 'sudo true'");
|
||||
};
|
||||
|
||||
# Test sysctl
|
||||
subtest "sysctl", sub {
|
||||
$machine->waitForUnit("systemd-sysctl.service");
|
||||
|
|
|
|||
|
|
@ -0,0 +1,93 @@
|
|||
# Some tests to ensure sudo is working properly.
|
||||
|
||||
let
|
||||
password = "helloworld";
|
||||
|
||||
in
|
||||
import ./make-test.nix ({ pkgs, ...} : {
|
||||
name = "sudo";
|
||||
meta = with pkgs.stdenv.lib.maintainers; {
|
||||
maintainers = [ lschuermann ];
|
||||
};
|
||||
|
||||
machine =
|
||||
{ config, lib, pkgs, ... }:
|
||||
with lib;
|
||||
{
|
||||
users.extraGroups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; };
|
||||
users.users = {
|
||||
test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; };
|
||||
test1 = { isNormalUser = true; password = password; };
|
||||
test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; };
|
||||
test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; };
|
||||
test4 = { isNormalUser = true; extraGroups = [ "baz" ]; };
|
||||
test5 = { isNormalUser = true; };
|
||||
};
|
||||
|
||||
security.sudo = {
|
||||
enable = true;
|
||||
wheelNeedsPassword = false;
|
||||
|
||||
extraRules = [
|
||||
# SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
|
||||
# errors being detected by the visudo checks.
|
||||
|
||||
# These should not create any entries
|
||||
{ users = [ "notest1" ]; commands = [ ]; }
|
||||
{ commands = [ { command = "ALL"; options = [ ]; } ]; }
|
||||
|
||||
# Test defining commands with the options syntax, though not setting any options
|
||||
{ users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; }
|
||||
|
||||
|
||||
# CONFIGURATION FOR TEST CASES
|
||||
{ users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; }
|
||||
{ groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; }
|
||||
{ users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; }
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
testScript =
|
||||
''
|
||||
subtest "users in wheel group should have passwordless sudo", sub {
|
||||
$machine->succeed("su - test0 -c \"sudo -u root true\"");
|
||||
};
|
||||
|
||||
subtest "test1 user should have sudo with password", sub {
|
||||
$machine->succeed("su - test1 -c \"echo ${password} | sudo -S -u root true\"");
|
||||
};
|
||||
|
||||
subtest "test1 user should not be able to use sudo without password", sub {
|
||||
$machine->fail("su - test1 -c \"sudo -n -u root true\"");
|
||||
};
|
||||
|
||||
subtest "users in group 'foobar' should be able to use sudo with password", sub {
|
||||
$machine->succeed("sudo -u test2 echo ${password} | sudo -S -u root true");
|
||||
};
|
||||
|
||||
subtest "users in group 'barfoo' should be able to use sudo without password", sub {
|
||||
$machine->succeed("sudo -u test3 sudo -n -u root true");
|
||||
};
|
||||
|
||||
subtest "users in group 'baz' (GID 1337) should be able to use sudo without password", sub {
|
||||
$machine->succeed("sudo -u test4 sudo -n -u root echo true");
|
||||
};
|
||||
|
||||
subtest "test5 user should be able to run commands under test1", sub {
|
||||
$machine->succeed("sudo -u test5 sudo -n -u test1 true");
|
||||
};
|
||||
|
||||
subtest "test5 user should not be able to run commands under root", sub {
|
||||
$machine->fail("sudo -u test5 sudo -n -u root true");
|
||||
};
|
||||
|
||||
subtest "test5 user should be able to keep his environment", sub {
|
||||
$machine->succeed("sudo -u test5 sudo -n -E -u test1 true");
|
||||
};
|
||||
|
||||
subtest "users in group 'barfoo' should not be able to keep their environment", sub {
|
||||
$machine->fail("sudo -u test3 sudo -n -E -u root true");
|
||||
};
|
||||
'';
|
||||
})
|
||||
Loading…
Reference in New Issue