sudo: define extra rules in Nix language (#33905)

This commit is contained in:
Leon Schuermann 2018-01-17 21:56:08 +07:00 committed by Jörg Thalheim
parent 9844e027c4
commit f297ddb5c9
4 changed files with 220 additions and 8 deletions

View file

@ -8,6 +8,22 @@ let
inherit (pkgs) sudo; inherit (pkgs) sudo;
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
toCommandOptionsString = options:
"${concatStringsSep ":" options}${optionalString (length options != 0) ":"} ";
toCommandsString = commands:
concatStringsSep ", " (
map (command:
if (isString command) then
command
else
"${toCommandOptionsString command.options}${command.command}"
) commands
);
in in
{ {
@ -47,6 +63,97 @@ in
''; '';
}; };
security.sudo.extraRules = mkOption {
description = ''
Define specific rules to be in the <filename>sudoers</filename> file.
'';
default = [];
example = [
# Allow execution of any command by all users in group sudo,
# requiring a password.
{ groups = [ "sudo" ]; commands = [ "ALL" ]; }
# Allow execution of "/home/root/secret.sh" by user `backup`, `database`
# and the group with GID `1006` without a password.
{ users = [ "backup" ]; groups = [ 1006 ];
commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }
# Allow all users of group `bar` to run two executables as user `foo`
# with arguments being pre-set.
{ groups = [ "bar" ]; runAs = "foo";
commands =
[ "/home/baz/cmd1.sh hello-sudo"
{ command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; }
];
type = with types; listOf (submodule {
options = {
users = mkOption {
type = with types; listOf (either string int);
description = ''
The usernames / UIDs this rule should apply for.
'';
default = [];
};
groups = mkOption {
type = with types; listOf (either string int);
description = ''
The groups / GIDs this rule should apply for.
'';
default = [];
};
host = mkOption {
type = types.string;
default = "ALL";
description = ''
For what host this rule should apply.
'';
};
runAs = mkOption {
type = with types; string;
default = "ALL:ALL";
description = ''
Under which user/group the specified command is allowed to run.
A user can be specified using just the username: <code>"foo"</code>.
It is also possible to specify a user/group combination using <code>"foo:bar"</code>
or to only allow running as a specific group with <code>":bar"</code>.
'';
};
commands = mkOption {
description = ''
The commands for which the rule should apply.
'';
type = with types; listOf (either string (submodule {
options = {
command = mkOption {
type = with types; string;
description = ''
A command being either just a path to a binary to allow any arguments,
the full command with arguments pre-set or with <code>""</code> used as the argument,
not allowing arguments to the command at all.
'';
};
options = mkOption {
type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
description = ''
Options for running the command. Refer to the <a href="https://www.sudo.ws/man/1.7.10/sudoers.man.html">sudo manual</a>.
'';
default = [];
};
};
}));
};
};
});
};
security.sudo.extraConfig = mkOption { security.sudo.extraConfig = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
@ -61,10 +168,16 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
security.sudo.extraRules = [
{ groups = [ "wheel" ];
commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
}
];
security.sudo.configFile = security.sudo.configFile =
'' ''
# Don't edit this file. Set the NixOS options security.sudo.configFile # Don't edit this file. Set the NixOS options security.sudo.configFile
# or security.sudo.extraConfig instead. # or security.sudo.extraRules instead.
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK Defaults env_keep+=SSH_AUTH_SOCK
@ -72,8 +185,18 @@ in
# "root" is allowed to do anything. # "root" is allowed to do anything.
root ALL=(ALL:ALL) SETENV: ALL root ALL=(ALL:ALL) SETENV: ALL
# Users in the "wheel" group can do anything. # extraRules
%wheel ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL ${concatStringsSep "\n" (
lists.flatten (
map (
rule: if (length rule.commands != 0) then [
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
] else []
) cfg.extraRules
)
)}
${cfg.extraConfig} ${cfg.extraConfig}
''; '';

View file

@ -337,6 +337,7 @@ in rec {
tests.smokeping = callTest tests/smokeping.nix {}; tests.smokeping = callTest tests/smokeping.nix {};
tests.snapper = callTest tests/snapper.nix {}; tests.snapper = callTest tests/snapper.nix {};
tests.statsd = callTest tests/statsd.nix {}; tests.statsd = callTest tests/statsd.nix {};
tests.sudo = callTest tests/sudo.nix {};
tests.switchTest = callTest tests/switch-test.nix {}; tests.switchTest = callTest tests/switch-test.nix {};
tests.taskserver = callTest tests/taskserver.nix {}; tests.taskserver = callTest tests/taskserver.nix {};
tests.tomcat = callTest tests/tomcat.nix {}; tests.tomcat = callTest tests/tomcat.nix {};

View file

@ -115,11 +115,6 @@ import ./make-test.nix ({ pkgs, ...} : {
$machine->succeed("nix-store -qR /run/current-system | grep nixos-"); $machine->succeed("nix-store -qR /run/current-system | grep nixos-");
}; };
# Test sudo
subtest "sudo", sub {
$machine->succeed("su - sybil -c 'sudo true'");
};
# Test sysctl # Test sysctl
subtest "sysctl", sub { subtest "sysctl", sub {
$machine->waitForUnit("systemd-sysctl.service"); $machine->waitForUnit("systemd-sysctl.service");

93
nixos/tests/sudo.nix Normal file
View file

@ -0,0 +1,93 @@
# Some tests to ensure sudo is working properly.
let
password = "helloworld";
in
import ./make-test.nix ({ pkgs, ...} : {
name = "sudo";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ lschuermann ];
};
machine =
{ config, lib, pkgs, ... }:
with lib;
{
users.extraGroups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; };
users.users = {
test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; };
test1 = { isNormalUser = true; password = password; };
test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; };
test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; };
test4 = { isNormalUser = true; extraGroups = [ "baz" ]; };
test5 = { isNormalUser = true; };
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
extraRules = [
# SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
# errors being detected by the visudo checks.
# These should not create any entries
{ users = [ "notest1" ]; commands = [ ]; }
{ commands = [ { command = "ALL"; options = [ ]; } ]; }
# Test defining commands with the options syntax, though not setting any options
{ users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; }
# CONFIGURATION FOR TEST CASES
{ users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; }
{ groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; }
{ users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; }
];
};
};
testScript =
''
subtest "users in wheel group should have passwordless sudo", sub {
$machine->succeed("su - test0 -c \"sudo -u root true\"");
};
subtest "test1 user should have sudo with password", sub {
$machine->succeed("su - test1 -c \"echo ${password} | sudo -S -u root true\"");
};
subtest "test1 user should not be able to use sudo without password", sub {
$machine->fail("su - test1 -c \"sudo -n -u root true\"");
};
subtest "users in group 'foobar' should be able to use sudo with password", sub {
$machine->succeed("sudo -u test2 echo ${password} | sudo -S -u root true");
};
subtest "users in group 'barfoo' should be able to use sudo without password", sub {
$machine->succeed("sudo -u test3 sudo -n -u root true");
};
subtest "users in group 'baz' (GID 1337) should be able to use sudo without password", sub {
$machine->succeed("sudo -u test4 sudo -n -u root echo true");
};
subtest "test5 user should be able to run commands under test1", sub {
$machine->succeed("sudo -u test5 sudo -n -u test1 true");
};
subtest "test5 user should not be able to run commands under root", sub {
$machine->fail("sudo -u test5 sudo -n -u root true");
};
subtest "test5 user should be able to keep his environment", sub {
$machine->succeed("sudo -u test5 sudo -n -E -u test1 true");
};
subtest "users in group 'barfoo' should not be able to keep their environment", sub {
$machine->fail("sudo -u test3 sudo -n -E -u root true");
};
'';
})