341 lines
10 KiB
Nix
341 lines
10 KiB
Nix
{
|
||
config,
|
||
lib,
|
||
pkgs,
|
||
...
|
||
}:
|
||
let
|
||
|
||
cfg = config.security.sudo;
|
||
|
||
toUserString = user: if (lib.isInt user) then "#${toString user}" else "${user}";
|
||
toGroupString = group: if (lib.isInt group) then "%#${toString group}" else "%${group}";
|
||
|
||
toCommandOptionsString =
|
||
options: "${lib.concatStringsSep ":" options}${lib.optionalString (lib.length options != 0) ":"} ";
|
||
|
||
toCommandsString =
|
||
commands:
|
||
lib.concatStringsSep ", " (
|
||
map (
|
||
command:
|
||
if (lib.isString command) then
|
||
command
|
||
else
|
||
"${toCommandOptionsString command.options}${command.command}"
|
||
) commands
|
||
);
|
||
|
||
in
|
||
|
||
{
|
||
|
||
###### interface
|
||
|
||
options.security.sudo = {
|
||
|
||
defaultOptions = lib.mkOption {
|
||
type = with lib.types; listOf str;
|
||
default = [ "SETENV" ];
|
||
description = ''
|
||
Options used for the default rules, granting `root` and the
|
||
`wheel` group permission to run any command as any user.
|
||
'';
|
||
};
|
||
|
||
enable = lib.mkOption {
|
||
type = lib.types.bool;
|
||
default = true;
|
||
description = ''
|
||
Whether to enable the {command}`sudo` command, which
|
||
allows non-root users to execute commands as root.
|
||
'';
|
||
};
|
||
|
||
package = lib.mkPackageOption pkgs "sudo" { };
|
||
|
||
wheelNeedsPassword = lib.mkOption {
|
||
type = lib.types.bool;
|
||
default = true;
|
||
description = ''
|
||
Whether users of the `wheel` group must
|
||
provide a password to run commands as super user via {command}`sudo`.
|
||
'';
|
||
};
|
||
|
||
execWheelOnly = lib.mkOption {
|
||
type = lib.types.bool;
|
||
default = false;
|
||
description = ''
|
||
Only allow members of the `wheel` group to execute sudo by
|
||
setting the executable's permissions accordingly.
|
||
This prevents users that are not members of `wheel` from
|
||
exploiting vulnerabilities in sudo such as CVE-2021-3156.
|
||
'';
|
||
};
|
||
|
||
configFile = lib.mkOption {
|
||
type = lib.types.lines;
|
||
# Note: if syntax errors are detected in this file, the NixOS
|
||
# configuration will fail to build.
|
||
description = ''
|
||
This string contains the contents of the
|
||
{file}`sudoers` file.
|
||
'';
|
||
};
|
||
|
||
extraRules = lib.mkOption {
|
||
description = ''
|
||
Define specific rules to be in the {file}`sudoers` file.
|
||
More specific rules should come after more general ones in order to
|
||
yield the expected behavior. You can use mkBefore/mkAfter to ensure
|
||
this is the case when configuration options are merged.
|
||
'';
|
||
default = [ ];
|
||
example = lib.literalExpression ''
|
||
[
|
||
# Allow execution of any command by all users in group sudo,
|
||
# requiring a password.
|
||
{ groups = [ "sudo" ]; commands = [ "ALL" ]; }
|
||
|
||
# Allow execution of "/home/root/secret.sh" by user `backup`, `database`
|
||
# and the group with GID `1006` without a password.
|
||
{ users = [ "backup" "database" ]; groups = [ 1006 ];
|
||
commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }
|
||
|
||
# Allow all users of group `bar` to run two executables as user `foo`
|
||
# with arguments being pre-set.
|
||
{ groups = [ "bar" ]; runAs = "foo";
|
||
commands =
|
||
[ "/home/baz/cmd1.sh hello-sudo"
|
||
{ command = '''/home/baz/cmd2.sh ""'''; options = [ "SETENV" ]; } ]; }
|
||
]
|
||
'';
|
||
type =
|
||
with lib.types;
|
||
listOf (submodule {
|
||
options = {
|
||
users = lib.mkOption {
|
||
type = with types; listOf (either str int);
|
||
description = ''
|
||
The usernames / UIDs this rule should apply for.
|
||
'';
|
||
default = [ ];
|
||
};
|
||
|
||
groups = lib.mkOption {
|
||
type = with types; listOf (either str int);
|
||
description = ''
|
||
The groups / GIDs this rule should apply for.
|
||
'';
|
||
default = [ ];
|
||
};
|
||
|
||
host = lib.mkOption {
|
||
type = types.str;
|
||
default = "ALL";
|
||
description = ''
|
||
For what host this rule should apply.
|
||
'';
|
||
};
|
||
|
||
runAs = lib.mkOption {
|
||
type = with types; str;
|
||
default = "ALL:ALL";
|
||
description = ''
|
||
Under which user/group the specified command is allowed to run.
|
||
|
||
A user can be specified using just the username: `"foo"`.
|
||
It is also possible to specify a user/group combination using `"foo:bar"`
|
||
or to only allow running as a specific group with `":bar"`.
|
||
'';
|
||
};
|
||
|
||
commands = lib.mkOption {
|
||
description = ''
|
||
The commands for which the rule should apply.
|
||
'';
|
||
type =
|
||
with types;
|
||
listOf (
|
||
either str (submodule {
|
||
|
||
options = {
|
||
command = lib.mkOption {
|
||
type = with types; str;
|
||
description = ''
|
||
A command being either just a path to a binary to allow any arguments,
|
||
the full command with arguments pre-set or with `""` used as the argument,
|
||
not allowing arguments to the command at all.
|
||
'';
|
||
};
|
||
|
||
options = lib.mkOption {
|
||
type =
|
||
with types;
|
||
listOf (enum [
|
||
"NOPASSWD"
|
||
"PASSWD"
|
||
"NOEXEC"
|
||
"EXEC"
|
||
"SETENV"
|
||
"NOSETENV"
|
||
"LOG_INPUT"
|
||
"NOLOG_INPUT"
|
||
"LOG_OUTPUT"
|
||
"NOLOG_OUTPUT"
|
||
"MAIL"
|
||
"NOMAIL"
|
||
"FOLLOW"
|
||
"NOFLLOW"
|
||
"INTERCEPT"
|
||
"NOINTERCEPT"
|
||
]);
|
||
description = ''
|
||
Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/docs/man/1.9.15/sudoers.man/#Tag_Spec).
|
||
'';
|
||
default = [ ];
|
||
};
|
||
};
|
||
|
||
})
|
||
);
|
||
};
|
||
};
|
||
});
|
||
};
|
||
|
||
extraConfig = lib.mkOption {
|
||
type = lib.types.lines;
|
||
default = "";
|
||
description = ''
|
||
Extra configuration text appended to {file}`sudoers`.
|
||
'';
|
||
};
|
||
};
|
||
|
||
###### implementation
|
||
|
||
config = lib.mkIf cfg.enable {
|
||
assertions = [
|
||
{
|
||
assertion = cfg.package.pname != "sudo-rs";
|
||
message = ''
|
||
NixOS' `sudo` module does not support `sudo-rs`; see `security.sudo-rs` instead.
|
||
'';
|
||
}
|
||
];
|
||
|
||
security.sudo.extraRules =
|
||
let
|
||
defaultRule =
|
||
{
|
||
users ? [ ],
|
||
groups ? [ ],
|
||
opts ? [ ],
|
||
}:
|
||
[
|
||
{
|
||
inherit users groups;
|
||
commands = [
|
||
{
|
||
command = "ALL";
|
||
options = opts ++ cfg.defaultOptions;
|
||
}
|
||
];
|
||
}
|
||
];
|
||
in
|
||
lib.mkMerge [
|
||
# This is ordered before users' `mkBefore` rules,
|
||
# so as not to introduce unexpected changes.
|
||
(lib.mkOrder 400 (defaultRule {
|
||
users = [ "root" ];
|
||
}))
|
||
|
||
# This is ordered to show before (most) other rules, but
|
||
# late-enough for a user to `mkBefore` it.
|
||
(lib.mkOrder 600 (defaultRule {
|
||
groups = [ "wheel" ];
|
||
opts = (lib.optional (!cfg.wheelNeedsPassword) "NOPASSWD");
|
||
}))
|
||
];
|
||
|
||
security.sudo.configFile = lib.concatStringsSep "\n" (
|
||
lib.filter (s: s != "") [
|
||
''
|
||
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
|
||
# or ‘security.sudo.extraRules’ instead.
|
||
''
|
||
(lib.pipe cfg.extraRules [
|
||
(lib.filter (rule: lib.length rule.commands != 0))
|
||
(map (rule: [
|
||
(map (
|
||
user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}"
|
||
) rule.users)
|
||
(map (
|
||
group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}"
|
||
) rule.groups)
|
||
]))
|
||
lib.flatten
|
||
(lib.concatStringsSep "\n")
|
||
])
|
||
"\n"
|
||
(lib.optionalString (cfg.extraConfig != "") ''
|
||
# extraConfig
|
||
${cfg.extraConfig}
|
||
'')
|
||
]
|
||
);
|
||
|
||
security.wrappers =
|
||
let
|
||
owner = "root";
|
||
group = if cfg.execWheelOnly then "wheel" else "root";
|
||
setuid = true;
|
||
permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
|
||
in
|
||
{
|
||
sudo = {
|
||
source = "${cfg.package.out}/bin/sudo";
|
||
inherit
|
||
owner
|
||
group
|
||
setuid
|
||
permissions
|
||
;
|
||
};
|
||
sudoedit = {
|
||
source = "${cfg.package.out}/bin/sudoedit";
|
||
inherit
|
||
owner
|
||
group
|
||
setuid
|
||
permissions
|
||
;
|
||
};
|
||
};
|
||
|
||
environment.systemPackages = [ cfg.package ];
|
||
|
||
security.pam.services.sudo = {
|
||
sshAgentAuth = true;
|
||
usshAuth = true;
|
||
};
|
||
|
||
environment.etc.sudoers = {
|
||
source =
|
||
pkgs.runCommand "sudoers"
|
||
{
|
||
src = pkgs.writeText "sudoers-in" cfg.configFile;
|
||
preferLocalBuild = true;
|
||
}
|
||
# Make sure that the sudoers file is syntactically valid.
|
||
# (currently disabled - NIXOS-66)
|
||
"${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out";
|
||
mode = "0440";
|
||
};
|
||
|
||
};
|
||
|
||
}
|