sudo: define extra rules in Nix language (#33905)
parent
9844e027c4
commit
f297ddb5c9
4 changed files with 220 additions and 8 deletions
|
@ -8,6 +8,22 @@ let
|
||||||
|
|
||||||
inherit (pkgs) sudo;
|
inherit (pkgs) sudo;
|
||||||
|
|
||||||
|
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
|
||||||
|
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
|
||||||
|
|
||||||
|
toCommandOptionsString = options:
|
||||||
|
"${concatStringsSep ":" options}${optionalString (length options != 0) ":"} ";
|
||||||
|
|
||||||
|
toCommandsString = commands:
|
||||||
|
concatStringsSep ", " (
|
||||||
|
map (command:
|
||||||
|
if (isString command) then
|
||||||
|
command
|
||||||
|
else
|
||||||
|
"${toCommandOptionsString command.options}${command.command}"
|
||||||
|
) commands
|
||||||
|
);
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -47,6 +63,97 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.sudo.extraRules = mkOption {
|
||||||
|
description = ''
|
||||||
|
Define specific rules to be in the <filename>sudoers</filename> file.
|
||||||
|
'';
|
||||||
|
default = [];
|
||||||
|
example = [
|
||||||
|
# Allow execution of any command by all users in group sudo,
|
||||||
|
# requiring a password.
|
||||||
|
{ groups = [ "sudo" ]; commands = [ "ALL" ]; }
|
||||||
|
|
||||||
|
# Allow execution of "/home/root/secret.sh" by user `backup`, `database`
|
||||||
|
# and the group with GID `1006` without a password.
|
||||||
|
{ users = [ "backup" ]; groups = [ 1006 ];
|
||||||
|
commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }
|
||||||
|
|
||||||
|
# Allow all users of group `bar` to run two executables as user `foo`
|
||||||
|
# with arguments being pre-set.
|
||||||
|
{ groups = [ "bar" ]; runAs = "foo";
|
||||||
|
commands =
|
||||||
|
[ "/home/baz/cmd1.sh hello-sudo"
|
||||||
|
{ command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; }
|
||||||
|
];
|
||||||
|
type = with types; listOf (submodule {
|
||||||
|
options = {
|
||||||
|
users = mkOption {
|
||||||
|
type = with types; listOf (either string int);
|
||||||
|
description = ''
|
||||||
|
The usernames / UIDs this rule should apply for.
|
||||||
|
'';
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
|
||||||
|
groups = mkOption {
|
||||||
|
type = with types; listOf (either string int);
|
||||||
|
description = ''
|
||||||
|
The groups / GIDs this rule should apply for.
|
||||||
|
'';
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
|
||||||
|
host = mkOption {
|
||||||
|
type = types.string;
|
||||||
|
default = "ALL";
|
||||||
|
description = ''
|
||||||
|
For what host this rule should apply.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
runAs = mkOption {
|
||||||
|
type = with types; string;
|
||||||
|
default = "ALL:ALL";
|
||||||
|
description = ''
|
||||||
|
Under which user/group the specified command is allowed to run.
|
||||||
|
|
||||||
|
A user can be specified using just the username: <code>"foo"</code>.
|
||||||
|
It is also possible to specify a user/group combination using <code>"foo:bar"</code>
|
||||||
|
or to only allow running as a specific group with <code>":bar"</code>.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
commands = mkOption {
|
||||||
|
description = ''
|
||||||
|
The commands for which the rule should apply.
|
||||||
|
'';
|
||||||
|
type = with types; listOf (either string (submodule {
|
||||||
|
|
||||||
|
options = {
|
||||||
|
command = mkOption {
|
||||||
|
type = with types; string;
|
||||||
|
description = ''
|
||||||
|
A command being either just a path to a binary to allow any arguments,
|
||||||
|
the full command with arguments pre-set or with <code>""</code> used as the argument,
|
||||||
|
not allowing arguments to the command at all.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
options = mkOption {
|
||||||
|
type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
|
||||||
|
description = ''
|
||||||
|
Options for running the command. Refer to the <a href="https://www.sudo.ws/man/1.7.10/sudoers.man.html">sudo manual</a>.
|
||||||
|
'';
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
}));
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
};
|
||||||
|
|
||||||
security.sudo.extraConfig = mkOption {
|
security.sudo.extraConfig = mkOption {
|
||||||
type = types.lines;
|
type = types.lines;
|
||||||
default = "";
|
default = "";
|
||||||
|
@ -61,10 +168,16 @@ in
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
|
security.sudo.extraRules = [
|
||||||
|
{ groups = [ "wheel" ];
|
||||||
|
commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
security.sudo.configFile =
|
security.sudo.configFile =
|
||||||
''
|
''
|
||||||
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
|
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
|
||||||
# or ‘security.sudo.extraConfig’ instead.
|
# or ‘security.sudo.extraRules’ instead.
|
||||||
|
|
||||||
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
|
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
|
||||||
Defaults env_keep+=SSH_AUTH_SOCK
|
Defaults env_keep+=SSH_AUTH_SOCK
|
||||||
|
@ -72,8 +185,18 @@ in
|
||||||
# "root" is allowed to do anything.
|
# "root" is allowed to do anything.
|
||||||
root ALL=(ALL:ALL) SETENV: ALL
|
root ALL=(ALL:ALL) SETENV: ALL
|
||||||
|
|
||||||
# Users in the "wheel" group can do anything.
|
# extraRules
|
||||||
%wheel ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
|
${concatStringsSep "\n" (
|
||||||
|
lists.flatten (
|
||||||
|
map (
|
||||||
|
rule: if (length rule.commands != 0) then [
|
||||||
|
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
|
||||||
|
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
|
||||||
|
] else []
|
||||||
|
) cfg.extraRules
|
||||||
|
)
|
||||||
|
)}
|
||||||
|
|
||||||
${cfg.extraConfig}
|
${cfg.extraConfig}
|
||||||
'';
|
'';
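Review bot: The description of `security.sudo.extraRules` in the -47,6 hunk does not tell users that sudoers applies matching entries in file order with the last match winning, yet the -61,10 hunk makes the module itself contribute the wheel rule to that same list, so whether a user's own rule for a wheel member takes effect depends on how the module system orders the merged definitions. Suggest extending the description with `More specific rules should come after more general ones; use mkBefore/mkAfter on a definition to control its position when the list is merged.` and stating that each rule is emitted as its user lines followed by its group lines, as the -72,8 hunk shows. In the same submodule, `host` and `runAs` are declared with `types.string`, which merges conflicting definitions by concatenating them rather than reporting a conflict; `types.str` would surface the error. The two declarations also mix `types.string` and `with types; string` for the same type, which is worth making uniform.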
|
||||||
|
|
||||||
|
|
|
@ -337,6 +337,7 @@ in rec {
|
||||||
tests.smokeping = callTest tests/smokeping.nix {};
|
tests.smokeping = callTest tests/smokeping.nix {};
|
||||||
tests.snapper = callTest tests/snapper.nix {};
|
tests.snapper = callTest tests/snapper.nix {};
|
||||||
tests.statsd = callTest tests/statsd.nix {};
|
tests.statsd = callTest tests/statsd.nix {};
|
||||||
|
tests.sudo = callTest tests/sudo.nix {};
|
||||||
tests.switchTest = callTest tests/switch-test.nix {};
|
tests.switchTest = callTest tests/switch-test.nix {};
|
||||||
tests.taskserver = callTest tests/taskserver.nix {};
|
tests.taskserver = callTest tests/taskserver.nix {};
|
||||||
tests.tomcat = callTest tests/tomcat.nix {};
|
tests.tomcat = callTest tests/tomcat.nix {};
|
||||||
|
|
|
@ -115,11 +115,6 @@ import ./make-test.nix ({ pkgs, ...} : {
|
||||||
$machine->succeed("nix-store -qR /run/current-system | grep nixos-");
|
$machine->succeed("nix-store -qR /run/current-system | grep nixos-");
|
||||||
};
|
};
|
||||||
|
|
||||||
# Test sudo
|
|
||||||
subtest "sudo", sub {
|
|
||||||
$machine->succeed("su - sybil -c 'sudo true'");
|
|
||||||
};
|
|
||||||
|
|
||||||
# Test sysctl
|
# Test sysctl
|
||||||
subtest "sysctl", sub {
|
subtest "sysctl", sub {
|
||||||
$machine->waitForUnit("systemd-sysctl.service");
|
$machine->waitForUnit("systemd-sysctl.service");
|
||||||
|
|
93
nixos/tests/sudo.nix
Normal file
|
@ -0,0 +1,93 @@
|
||||||
|
# Some tests to ensure sudo is working properly.
|
||||||
|
|
||||||
|
let
|
||||||
|
password = "helloworld";
|
||||||
|
|
||||||
|
in
|
||||||
|
import ./make-test.nix ({ pkgs, ...} : {
|
||||||
|
name = "sudo";
|
||||||
|
meta = with pkgs.stdenv.lib.maintainers; {
|
||||||
|
maintainers = [ lschuermann ];
|
||||||
|
};
|
||||||
|
|
||||||
|
machine =
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
with lib;
|
||||||
|
{
|
||||||
|
users.extraGroups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; };
|
||||||
|
users.users = {
|
||||||
|
test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; };
|
||||||
|
test1 = { isNormalUser = true; password = password; };
|
||||||
|
test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; };
|
||||||
|
test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; };
|
||||||
|
test4 = { isNormalUser = true; extraGroups = [ "baz" ]; };
|
||||||
|
test5 = { isNormalUser = true; };
|
||||||
|
};
|
||||||
|
|
||||||
|
security.sudo = {
|
||||||
|
enable = true;
|
||||||
|
wheelNeedsPassword = false;
|
||||||
|
|
||||||
|
extraRules = [
|
||||||
|
# SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
|
||||||
|
# errors being detected by the visudo checks.
|
||||||
|
|
||||||
|
# These should not create any entries
|
||||||
|
{ users = [ "notest1" ]; commands = [ ]; }
|
||||||
|
{ commands = [ { command = "ALL"; options = [ ]; } ]; }
|
||||||
|
|
||||||
|
# Test defining commands with the options syntax, though not setting any options
|
||||||
|
{ users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; }
|
||||||
|
|
||||||
|
|
||||||
|
# CONFIGURATION FOR TEST CASES
|
||||||
|
{ users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; }
|
||||||
|
{ groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; }
|
||||||
|
{ users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript =
|
||||||
|
''
|
||||||
|
subtest "users in wheel group should have passwordless sudo", sub {
|
||||||
|
$machine->succeed("su - test0 -c \"sudo -u root true\"");
|
||||||
|
};
|
||||||
|
|
||||||
|
subtest "test1 user should have sudo with password", sub {
|
||||||
|
$machine->succeed("su - test1 -c \"echo ${password} | sudo -S -u root true\"");
|
||||||
|
};
|
||||||
|
|
||||||
|
subtest "test1 user should not be able to use sudo without password", sub {
|
||||||
|
$machine->fail("su - test1 -c \"sudo -n -u root true\"");
|
||||||
|
};
|
||||||
|
|
||||||
|
subtest "users in group 'foobar' should be able to use sudo with password", sub {
|
||||||
|
$machine->succeed("sudo -u test2 echo ${password} | sudo -S -u root true");
|
||||||
|
};
|
||||||
|
|
||||||
|
subtest "users in group 'barfoo' should be able to use sudo without password", sub {
|
||||||
|
$machine->succeed("sudo -u test3 sudo -n -u root true");
|
||||||
|
};
|
||||||
|
|
||||||
|
subtest "users in group 'baz' (GID 1337) should be able to use sudo without password", sub {
|
||||||
|
$machine->succeed("sudo -u test4 sudo -n -u root echo true");
|
||||||
|
};
|
||||||
|
|
||||||
|
subtest "test5 user should be able to run commands under test1", sub {
|
||||||
|
$machine->succeed("sudo -u test5 sudo -n -u test1 true");
|
||||||
|
};
|
||||||
|
|
||||||
|
subtest "test5 user should not be able to run commands under root", sub {
|
||||||
|
$machine->fail("sudo -u test5 sudo -n -u root true");
|
||||||
|
};
|
||||||
|
|
||||||
|
subtest "test5 user should be able to keep his environment", sub {
|
||||||
|
$machine->succeed("sudo -u test5 sudo -n -E -u test1 true");
|
||||||
|
};
|
||||||
|
|
||||||
|
subtest "users in group 'barfoo' should not be able to keep their environment", sub {
|
||||||
|
$machine->fail("sudo -u test3 sudo -n -E -u root true");
|
||||||
|
};
|
||||||
|
'';
|
||||||
|
})
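Review bot: The `foobar` subtest's command `sudo -u test2 echo ${password} | sudo -S -u root true` only runs `echo` as test2; the `sudo -S` after the pipe is executed by the shell the test driver uses, which the nested `sudo -u test3 sudo -n ...` forms elsewhere in the script suggest already runs as root, so the password rule for group `foobar` is never exercised and the check would pass even if that rule were absent. The test1 subtest shows the intended shape: `$machine->succeed("su - test2 -c \"echo ${password} | sudo -S -u root true\"");`. A companion `$machine->fail("su - test2 -c \"sudo -n -u root true\"");` would additionally confirm that the group rule really requires a password. Minor: the `baz` subtest runs `echo true` where every other subtest runs `true`.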
|