authorgithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>2021-05-09 12:23:16 +0000
committerGitHub <noreply@github.com>2021-05-09 12:23:16 +0000
commitbc1f4b790e211dc578c2655b76c525707a07bc07 (patch)
tree1c1e0569f09e82935784a6d6f43f3b85b42e4e8a /nixos/tests
parent5663b2b2d385c06bffeb8514dec22d5e2838bdcb (diff)
parent2c1a792911ae079699ea8ec9860987de525e7351 (diff)
Merge master into staging-next
Diffstat (limited to 'nixos/tests')
-rw-r--r--nixos/tests/docker.nix3
-rw-r--r--nixos/tests/sudo.nix21
2 files changed, 23 insertions, 1 deletions
diff --git a/nixos/tests/docker.nix b/nixos/tests/docker.nix
index 58e33535ed3..dee7480eb4a 100644
--- a/nixos/tests/docker.nix
+++ b/nixos/tests/docker.nix
@@ -45,5 +45,8 @@ import ./make-test-python.nix ({ pkgs, ...} : {
 
     # Must match version 4 times to ensure client and server git commits and versions are correct
     docker.succeed('[ $(docker version | grep ${pkgs.docker.version} | wc -l) = "4" ]')
+    docker.succeed("systemctl restart systemd-sysctl")
+    docker.succeed("grep 1 /proc/sys/net/ipv4/conf/all/forwarding")
+    docker.succeed("grep 1 /proc/sys/net/ipv4/conf/default/forwarding")
   '';
 })
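Review bot: The two added forwarding checks use `grep 1`, which passes on any content containing the character 1, and nothing records why systemd-sysctl is restarted first. An exact match such as `docker.succeed("grep -x 1 /proc/sys/net/ipv4/conf/all/forwarding")` (and the same for `default`) would pin the value. A comment like `# Re-applying sysctl.d settings must not switch off the IP forwarding the Docker setup relies on` would state the intent, assuming that is the regression being guarded. The testScript begins outside this hunk.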
diff --git a/nixos/tests/sudo.nix b/nixos/tests/sudo.nix
index 2a85c490665..4885d6e17b8 100644
--- a/nixos/tests/sudo.nix
+++ b/nixos/tests/sudo.nix
@@ -10,7 +10,7 @@ in
       maintainers = [ lschuermann ];
     };
 
-    machine =
+    nodes.machine =
       { lib, ... }:
       with lib;
       {
@@ -48,6 +48,19 @@ in
         };
       };
 
+    nodes.strict = { ... }: {
+      users.users = {
+        admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };
+        noadmin = { isNormalUser = true; };
+      };
+
+      security.sudo = {
+        enable = true;
+        wheelNeedsPassword = false;
+        execWheelOnly = true;
+      };
+    };
+
     testScript =
       ''
         with subtest("users in wheel group should have passwordless sudo"):
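Review bot: The new `nodes.strict` definition has no comment saying what it isolates, and `wheelNeedsPassword = false` next to `execWheelOnly = true` reads as a loosened and a tightened setting side by side. A line such as `# Second node: sudo may be executed by wheel members only; passwordless so the test can run it non-interactively` above `nodes.strict` would make the intent clear, if that is indeed why the password is disabled. The testScript that exercises this node continues outside the hunk.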
@@ -79,5 +92,11 @@ in
 
         with subtest("users in group 'barfoo' should not be able to keep their environment"):
             machine.fail("sudo -u test3 sudo -n -E -u root true")
+
+        with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
+            strict.succeed('su - admin -c "sudo -u root true"')
+
+        with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
+            strict.fail('su - noadmin -c "sudo --help"')
       '';
   })
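Review bot: `strict.fail('su - noadmin -c "sudo --help"')` passes on any non-zero exit, including `su` itself failing or sudo being absent from PATH, so the subtest can go green without execWheelOnly denying anything. A control such as `strict.succeed('su - noadmin -c true')` placed before it would rule out the login failing. Checking the status the shell reports for a non-executable file (typically 126) would tie the failure to the permission restriction. The positive case could use `sudo -n -u root true`, as the existing subtest above does, so a password-prompt regression fails immediately rather than depending on the absence of a tty.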