Diffstat (limited to 'nixos/modules/security/sudo.nix')
-rw-r--r-- | nixos/modules/security/sudo.nix | 37 |
1 files changed, 34 insertions, 3 deletions
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 1ed5269c5ae..2e73f8f4f31 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -42,6 +42,15 @@ in
       '';
     };
 
+    security.sudo.package = mkOption {
+      type = types.package;
+      default = pkgs.sudo;
+      defaultText = "pkgs.sudo";
+      description = ''
+        Which package to use for `sudo`.
+      '';
+    };
+
     security.sudo.wheelNeedsPassword = mkOption {
       type = types.bool;
       default = true;
@@ -52,6 +61,17 @@ in
       '';
     };
 
+    security.sudo.execWheelOnly = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Only allow members of the <code>wheel</code> group to execute sudo by
+        setting the executable's permissions accordingly.
+        This prevents users that are not members of <code>wheel</code> from
+        exploiting vulnerabilities in sudo such as CVE-2021-3156.
+      '';
+    };
+
     security.sudo.configFile = mkOption {
       type = types.lines;
       # Note: if syntax errors are detected in this file, the NixOS
@@ -207,9 +227,20 @@ in
       ${cfg.extraConfig}
     '';
 
-    security.wrappers = {
-      sudo.source = "${pkgs.sudo.out}/bin/sudo";
-      sudoedit.source = "${pkgs.sudo.out}/bin/sudoedit";
+    security.wrappers = let
+      owner = "root";
+      group = if cfg.execWheelOnly then "wheel" else "root";
+      setuid = true;
+      permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
+    in {
+      sudo = {
+        source = "${cfg.package.out}/bin/sudo";
+        inherit owner group setuid permissions;
+      };
+      sudoedit = {
+        source = "${cfg.package.out}/bin/sudoedit";
+        inherit owner group setuid permissions;
+      };
     };
 
     environment.systemPackages = [ sudo ];
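Review bot: The description of the new `security.sudo.package` option marks up the command name with Markdown backticks, while the `execWheelOnly` option added in the next hunk uses `<code>wheel</code>`; the two new options in one commit should use the same markup. If this module's descriptions are still rendered as DocBook, as the `<code>` tags suggest, the backticks in `Which package to use for \`sudo\`.` will show up literally in the manual, so `Which package to use for <command>sudo</command>.` would be the consistent form.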
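Review bot: The `execWheelOnly` description does not say that the restriction is enforced by file permissions independently of the sudoers policy, so any user who is granted sudo through `extraRules` or `extraConfig` but is not in `wheel` silently loses the ability to run sudo at all when this is enabled. Adding a sentence such as `Note that this also blocks users who are granted sudo access via extraRules or extraConfig but are not members of wheel; such users must be added to wheel.` would save operators from debugging a mysterious "permission denied" after turning it on. It may also be worth stating that the option only hardens the setuid wrapper and does not replace keeping the package updated, since the CVE named here is a reference example rather than the only class of bug it mitigates.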
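Review bot: The wrapper definitions now take their binary from `cfg.package`, but the context line `environment.systemPackages = [ sudo ];` at the end of the hunk still installs `sudo`, whose binding is outside the hunk; if that name resolves to `pkgs.sudo` (the previous hard-coded source), a configuration that overrides `security.sudo.package` will get the wrapped binary from one package and the unwrapped `bin/sudo` and man pages on `PATH` from another. Changing it to `environment.systemPackages = [ cfg.package ];` keeps the two in step, and the same applies to any other use of the `sudo` binding in the file that this hunk does not show. The enclosing `config` attribute set starts and ends outside the hunk.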