authornicoo <nicoo@mur.at>2023-09-07 14:55:33 +0000
committernicoo <nicoo@mur.at>2023-09-18 17:36:15 +0000
commit914bf5836974520e6cfd3e687dead3937f6d3db2 (patch)
treedb7a2858e2ec0788eee6203ed1d2f7070da0bf64
parentf0107b4f63a70925050954f647d14f6e256362d8 (diff)
nixos/{sudo, terminfo}: Adjust defaults for compatibility with `sudo-rs`
-rw-r--r--nixos/doc/manual/release-notes/rl-2311.section.md10
-rw-r--r--nixos/modules/config/terminfo.nix5
-rw-r--r--nixos/modules/security/sudo.nix10
3 files changed, 18 insertions, 7 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index b7df38e6715..dd75c8b517a 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -10,6 +10,16 @@
 
 - The `nixos-rebuild` command has been given a `list-generations` subcommand. See `man nixos-rebuild` for more details.
 
+- [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
+  Switching to it (via `security.sudo.package = pkgs.sudo-rs;`) introduces
+  slight changes in default behaviour, due to `sudo-rs`' current limitations:
+  - terminfo-related environment variables aren't preserved for `root` and `wheel`;
+  - `root` and `wheel` are not given the ability to set (or preserve)
+    arbitrary environment variables.
+
+[`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
+
+
 ## New Services {#sec-release-23.11-new-services}
 
 - [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable).
diff --git a/nixos/modules/config/terminfo.nix b/nixos/modules/config/terminfo.nix
index ebd1aaea8f0..d1dbc4e0d05 100644
--- a/nixos/modules/config/terminfo.nix
+++ b/nixos/modules/config/terminfo.nix
@@ -16,7 +16,10 @@ with lib;
     };
 
     security.sudo.keepTerminfo = mkOption {
-      default = true;
+      default = config.security.sudo.package.pname != "sudo-rs";
+      defaultText = literalMD ''
+        `true` unless using `sudo-rs`
+      '';
       type = types.bool;
       description = lib.mdDoc ''
         Whether to preserve the `TERMINFO` and `TERMINFO_DIRS`
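Review bot: The new default on line 53 decides by `config.security.sudo.package.pname != "sudo-rs"`, while the companion hunk in nixos/modules/security/sudo.nix keys the matching `SETENV` default on `usingMillersSudo`; if that helper is a positive check for Miller's sudo (its definition is outside this diff), the two predicates disagree for any third implementation, which would get `keepTerminfo = true` here (and thus sudoers `env_keep` defaults) while losing `SETENV` there. Deriving both defaults from one shared predicate would keep the modules in step, and until then a comment above line 53 such as `# sudo-rs currently cannot preserve these variables; mirrors the SETENV default in security/sudo.nix` records the coupling between the two modules. The `keepTerminfo` option declaration continues past the end of this hunk.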
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 528c230686f..9a018b85746 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -40,7 +40,10 @@ in
 
     defaultOptions = mkOption {
       type = with types; listOf str;
-      default = [ "SETENV" ];
+      default = optional usingMillersSudo "SETENV";
+      defaultText = literalMD ''
+        `[ "SETENV" ]` if using the default `sudo` implementation
+      '';
       description = mdDoc ''
         Options used for the default rules, granting `root` and the
         `wheel` group permission to run any command as any user.
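Review bot: Nothing in the module records why `SETENV` is withheld outside Miller's sudo; the rationale lives only in the release note added by this commit (sudo-rs does not yet let `root`/`wheel` set or preserve arbitrary environment variables). A short comment above line 69, e.g. `# sudo-rs does not yet support SETENV; only grant it for Miller's sudo (see rl-2311 notes)`, would keep a later maintainer from restoring the unconditional `[ "SETENV" ]` default without checking the other implementation. `usingMillersSudo` and `optional` are resolved outside the hunk (presumably the module's `let` block and a `with lib;`), so their scope cannot be confirmed from here. The `defaultOptions` option declaration continues past the end of this hunk.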
@@ -204,11 +207,6 @@ in
   ###### implementation
 
   config = mkIf cfg.enable {
-    assertions = [
-      { assertion = usingMillersSudo;
-        message = "The NixOS `sudo` module does not yet work with other implementations."; }
-    ];
-
     security.sudo.extraRules =
       let
         defaultRule = { users ? [], groups ? [], opts ? [] }: [ {