blob: 652f23c2938fb638c82cc1516918bbb5521b047c (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.sudo;
inherit (pkgs) sudo;
in
{
###### interface
options = {
security.sudo.enable = mkOption {
type = types.bool;
default = true;
description =
''
Whether to enable the <command>sudo</command> command, which
allows non-root users to execute commands as root.
'';
};
security.sudo.wheelNeedsPassword = mkOption {
type = types.bool;
default = true;
description =
''
Whether users of the <code>wheel</code> group can execute
commands as super user without entering a password.
'';
};
security.sudo.configFile = mkOption {
type = types.lines;
# Note: if syntax errors are detected in this file, the NixOS
# configuration will fail to build.
description =
''
This string contains the contents of the
<filename>sudoers</filename> file.
'';
};
security.sudo.extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra configuration text appended to <filename>sudoers</filename>.
'';
};
};
###### implementation
config = mkIf cfg.enable {
security.sudo.configFile =
''
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
# or ‘security.sudo.extraConfig’ instead.
# Environment variables to keep for root and %wheel.
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
Defaults:root,%wheel env_keep+=TERMINFO
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
# "root" is allowed to do anything.
root ALL=(ALL:ALL) SETENV: ALL
# Users in the "wheel" group can do anything.
%wheel ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
${cfg.extraConfig}
'';
security.permissionsWrappers.setuid =
[
{ program = "sudo";
source = "${pkgs.sudo.out}/bin/sudo";
owner = "root";
group = "root";
setuid = true;
}
{ program = "sudoedit";
source = "${pkgs.sudo.out}/bin/sudoedit";
owner = "root";
group = "root";
setuid = true;
}
];
environment.systemPackages = [ sudo ];
security.pam.services.sudo = { sshAgentAuth = true; };
environment.etc = singleton
{ source =
pkgs.runCommand "sudoers"
{ src = pkgs.writeText "sudoers-in" cfg.configFile; }
# Make sure that the sudoers file is syntactically valid.
# (currently disabled - NIXOS-66)
"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
target = "sudoers";
mode = "0440";
};
};
}
|