Merge pull request #263471 from nbraud/nixos/sudo-rs/cleanup

2023-11-26 19:57:31 +01:00 · 2023-11-26 19:57:31 +01:00 · 3250f15338
commit 3250f15338
parent ecef65f019 bcc2d1238a
4 changed files with 40 additions and 64 deletions
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@ -22,16 +22,20 @@

 - [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
  An experimental new module `security.sudo-rs` was added.
-  Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces
+  Switching to it (via ` security.sudo-rs.enable = true;`) introduces
  slight changes in sudo behaviour, due to `sudo-rs`' current limitations:
  - terminfo-related environment variables aren't preserved for `root` and `wheel`;
  - `root` and `wheel` are not given the ability to set (or preserve)
    arbitrary environment variables.

- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
+  **Note:** The `sudo-rs` module only takes configuration through `security.sudo-rs`,
+  and in particular does not automatically use previously-set rules; this could be
+  achieved with `security.sudo-rs.extraRules = security.sudo.extraRules;` for instance.

 [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/

+- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
+
 - `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`.
  - Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released.

--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -943,6 +943,11 @@ let
      value.source = pkgs.writeText "${name}.pam" service.text;
    };

+  optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth ''
+    # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+    Defaults env_keep+=SSH_AUTH_SOCK
+  '';
+
 in

 {
@ -1532,9 +1537,7 @@ in
        concatLines
      ]);

-    security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''
-      # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
-      Defaults env_keep+=SSH_AUTH_SOCK
-    '';
-    };
+    security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;
+    security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth;
+  };
 }
--- a/nixos/modules/security/sudo-rs.nix
+++ b/nixos/modules/security/sudo-rs.nix
@ -4,16 +4,9 @@ with lib;

 let

-  inherit (pkgs) sudo sudo-rs;
-
  cfg = config.security.sudo-rs;

-  enableSSHAgentAuth =
-    with config.security;
-    pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
-
-  usingMillersSudo = cfg.package.pname == sudo.pname;
-  usingSudoRs = cfg.package.pname == sudo-rs.pname;
+  inherit (config.security.pam) enableSSHAgentAuth;

  toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
  toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
@ -41,33 +34,19 @@ in

    defaultOptions = mkOption {
      type = with types; listOf str;
-      default = optional usingMillersSudo "SETENV";
-      defaultText = literalMD ''
-        `[ "SETENV" ]` if using the default `sudo` implementation
-      '';
+      default = [];
      description = mdDoc ''
        Options used for the default rules, granting `root` and the
        `wheel` group permission to run any command as any user.
      '';
    };

-    enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = mdDoc ''
-        Whether to enable the {command}`sudo` command, which
-        allows non-root users to execute commands as root.
-      '';
-    };
+    enable = mkEnableOption (mdDoc ''
+      a memory-safe implementation of the {command}`sudo` command,
+      which allows non-root users to execute commands as root.
+    '');

-    package = mkOption {
-      type = types.package;
-      default = pkgs.sudo-rs;
-      defaultText = literalExpression "pkgs.sudo-rs";
-      description = mdDoc ''
-        Which package to use for `sudo`.
-      '';
-    };
+    package = mkPackageOption pkgs "sudo-rs" { };

    wheelNeedsPassword = mkOption {
      type = types.bool;
@ -208,6 +187,12 @@ in
  ###### implementation

  config = mkIf cfg.enable {
+    assertions = [ {
+      assertion = ! config.security.sudo.enable;
+      message = "`security.sudo` and `security.sudo-rs` cannot both be enabled";
+    }];
+    security.sudo.enable = mkDefault false;
+
    security.sudo-rs.extraRules =
      let
        defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
@ -235,20 +220,16 @@ in
        # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’
        # or ‘security.sudo-rs.extraRules’ instead.
      ''
-      (optionalString enableSSHAgentAuth ''
-        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
-        Defaults env_keep+=SSH_AUTH_SOCK
-      '')
-      (concatStringsSep "\n" (
-        lists.flatten (
-          map (
-            rule: optionals (length rule.commands != 0) [
-              (map (user: "${toUserString user}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.users)
-              (map (group: "${toGroupString group}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.groups)
-            ]
-          ) cfg.extraRules
-        )
-      ) + "\n")
+      (pipe cfg.extraRules [
+        (filter (rule: length rule.commands != 0))
+        (map (rule: [
+          (map (user: "${toUserString user}     ${rule.host}=(${rule.runAs})    ${toCommandsString rule.commands}") rule.users)
+          (map (group: "${toGroupString group}  ${rule.host}=(${rule.runAs})    ${toCommandsString rule.commands}") rule.groups)
+        ]))
+        flatten
+        (concatStringsSep "\n")
+      ])
+      "\n"
      (optionalString (cfg.extraConfig != "") ''
        # extraConfig
        ${cfg.extraConfig}
@ -265,18 +246,12 @@ in
        source = "${cfg.package.out}/bin/sudo";
        inherit owner group setuid permissions;
      };
-      # sudo-rs does not yet ship a sudoedit (as of v0.2.0)
-      sudoedit = mkIf usingMillersSudo {
-        source = "${cfg.package.out}/bin/sudoedit";
-        inherit owner group setuid permissions;
-      };
    };

-    environment.systemPackages = [ sudo ];
+    environment.systemPackages = [ cfg.package ];

    security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
-    security.pam.services.sudo-i = mkIf usingSudoRs
-      { sshAgentAuth = true; usshAuth = true; };
+    security.pam.services.sudo-i = { sshAgentAuth = true; usshAuth = true; };

    environment.etc.sudoers =
      { source =
@ -285,7 +260,7 @@ in
            src = pkgs.writeText "sudoers-in" cfg.configFile;
            preferLocalBuild = true;
          }
-          "${pkgs.buildPackages."${cfg.package.pname}"}/bin/visudo -f $src -c && cp $src $out";
+          "${pkgs.buildPackages.sudo-rs}/bin/visudo -f $src -c && cp $src $out";
        mode = "0440";
      };

--- a/nixos/tests/sudo-rs.nix
+++ b/nixos/tests/sudo-rs.nix
@ -22,11 +22,8 @@ in
          test5 = { isNormalUser = true; };
        };

-        security.sudo.enable = false;
-
        security.sudo-rs = {
          enable = true;
-          package = pkgs.sudo-rs;
          wheelNeedsPassword = false;

          extraRules = [
@ -56,10 +53,7 @@ in
        noadmin = { isNormalUser = true; };
      };

-      security.sudo.enable = false;
-
      security.sudo-rs = {
-        package = pkgs.sudo-rs;
        enable = true;
        wheelNeedsPassword = false;
        execWheelOnly = true;