From 5624aa9f812aeccc6b70de9812a28df28996545a Mon Sep 17 00:00:00 2001
From: Robert Schütz
Date: Wed, 5 May 2021 13:09:45 +0200
Subject: nixos/sudo: add option execWheelOnly

By setting the executable's group to wheel and permissions to 4510, we make sure that only members of the wheel group can execute sudo.
---
 nixos/tests/sudo.nix | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

(limited to 'nixos/tests')

diff --git a/nixos/tests/sudo.nix b/nixos/tests/sudo.nix
index 2a85c490665..4885d6e17b8 100644
--- a/nixos/tests/sudo.nix
+++ b/nixos/tests/sudo.nix
@@ -10,7 +10,7 @@ in
 maintainers = [ lschuermann ];
 };
 
- machine =
+ nodes.machine =
 { lib, ... }:
 with lib;
 {
@@ -48,6 +48,19 @@ in
 };
 };
 
+ nodes.strict = { ... }: {
+ users.users = {
+ admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };
+ noadmin = { isNormalUser = true; };
+ };
+
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ execWheelOnly = true;
+ };
+ };
+
 testScript = ''
 with subtest("users in wheel group should have passwordless sudo"):
@@ -79,5 +92,11 @@ in
 with subtest("users in group 'barfoo' should not be able to keep their environment"):
 machine.fail("sudo -u test3 sudo -n -E -u root true")
 
+
+ with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
+ strict.succeed('su - admin -c "sudo -u root true"')
+
+ with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
+ strict.fail('su - noadmin -c "sudo --help"')
 '';
 })
-- 
cgit 1.4.1
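Review bot: The negative check `strict.fail('su - noadmin -c "sudo --help"')` in the last hunk accepts any non-zero exit, so it would also pass if `su - noadmin` itself failed (account or login-shell problem) rather than because the sudo wrapper is not executable for non-wheel users. Establishing first that the account can run a command at all, `strict.succeed('su - noadmin -c true')`, makes the subsequent failure attributable to sudo alone. It would also be worth asserting the mechanism the commit message describes (wrapper owned by group wheel, mode 4510) directly, for example by checking the wrapper's mode and group with `stat` on the `strict` node, so a regression in how the wrapper is generated is caught even when the behavioural check happens to fail for an unrelated reason. The testScript string that this hunk closes with `'';` begins before the hunk.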