author: Erik Arvstedt <erik.arvstedt@gmail.com> 2021-08-12 14:25:43 +0200
committer: Erik Arvstedt <erik.arvstedt@gmail.com> 2021-08-12 14:40:22 +0200
commit: 781ab443c2170a80621920ea40bfc773553630fc
tree: e591a965b3ce87ac9d20e36b02d335e486a7ecd1 /nixos/tests/doas.nix
parent: 7d75a19c60e8e74b6b312f5bf64ea8cffe402cd0
nixos/doas: fix recursive calls to doas
Previously, for processes launched by doas the unwrapped doas binary preceded the
setuid-wrapped doas binary in PATH.

This caused error `doas: not installed setuid` when running doas from
processes launched by doas.

doas seems to short-circuit the PATH lookup when called like
`doas -u myuser doas -u myuser ...` so the error doesn't appear in this case.
Diffstat (limited to 'nixos/tests/doas.nix')
-rw-r--r-- nixos/tests/doas.nix 7
1 files changed, 7 insertions, 0 deletions
diff --git a/nixos/tests/doas.nix b/nixos/tests/doas.nix
index 9c0a4bdc756..5e9ce4b2c79 100644
--- a/nixos/tests/doas.nix
+++ b/nixos/tests/doas.nix
@@ -78,6 +78,13 @@ import ./make-test-python.nix (
               'su - test7 -c "SSH_AUTH_SOCK=HOLEY doas env"'
           ):
               raise Exception("failed to exclude SSH_AUTH_SOCK")
+
+      # Test that the doas setuid wrapper precedes the unwrapped version in PATH after
+      # calling doas.
+      # The PATH set by doas is defined in
+      # ../../pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch
+      with subtest("recursive calls to doas from subprocesses should succeed"):
+          machine.succeed('doas -u test0 sh -c "doas -u test0 true"')
     '';
   }
 )
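Review bot: the `sh -c` wrapper in the `machine.succeed(...)` line is what makes this subtest exercise the PATH lookup, but the comment above it does not say so. The commit message notes that doas short-circuits the lookup when invoked as `doas -u myuser doas -u myuser ...`, so a later simplification to that direct form would keep the subtest green while no longer covering the regression. Suggest adding a comment line stating that the inner doas must be started from a subprocess shell. The subtest also only checks the exit status of `true`; it would be stronger to additionally assert, inside the inner shell, that `command -v doas` resolves to the setuid wrapper, so the PATH ordering named in the comment is checked directly rather than inferred from success.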