From d08967a3a84281270180027b96e5d91924f4bec1 Mon Sep 17 00:00:00 2001 From: ivanbrennan Date: Sun, 1 Jul 2018 15:26:07 -0400 Subject: [PATCH] nixos/security.sudo: describe extraRules order The order of sudoers entries is significant. The man page for sudoers(5) notes: Where there are multiple matches, the last match is used (which is not necessarily the most specific match). This module adds a rule for group "wheel" matching all commands. If you wanted to add a more specific rule allowing members of the "wheel" group to run command `foo` without a password, you'd need to use mkAfter to ensure your rule comes after the more general rule. extraRules = lib.mkAfter [ { groups = [ "wheel" ]; commands = [ { command = "${pkgs.foo}/bin/foo"; options = [ "NOPASSWD" "SETENV" ]; } ] } ]; Otherwise, when configuration options are merged, if the general rule ends up after the specific rule, it will dictate the behavior even when running the `foo` command. --- nixos/modules/security/sudo.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index 24283e1d6165..361a7e869602 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -66,6 +66,9 @@ in security.sudo.extraRules = mkOption { description = '' Define specific rules to be in the sudoers file. + More specific rules should come after more general ones in order to + yield the expected behavior. You can use mkBefore/mkAfter to ensure + this is the case when configuration options are merged. ''; default = []; example = [