b12f/nixpkgs
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge pull request #256491 from mkg20001/mkg/sudo-rs-resolve

Browse source 
nixos/{sudo,-rs}: revert sudo-rs, make own module
This commit is contained in:
Maciej Krüger 2023-09-23 15:08:06 +02:00 committed by GitHub
parent d3c5631114 59a8959287
commit 9a914a7c52
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 380 additions and 103 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
nixos/doc/manual/release-notes/rl-2311.section.md
View file

@ -11,8 +11,9 @@
- The `nixos-rebuild` command has been given a `list-generations` subcommand. See `man nixos-rebuild` for more details.
- [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
Switching to it (via `security.sudo.package = pkgs.sudo-rs;`) introduces
slight changes in default behaviour, due to `sudo-rs`' current limitations:
An experimental new module `security.sudo-rs` was added.
Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces
slight changes in sudo behaviour, due to `sudo-rs`' current limitations:
- terminfo-related environment variables aren't preserved for `root` and `wheel`;
- `root` and `wheel` are not given the ability to set (or preserve)
arbitrary environment variables.

4
nixos/lib/test-driver/test_driver/machine.py
View file

@ -582,7 +582,9 @@ class Machine:
# While sh is bash on NixOS, this is not the case for every distro.
# We explicitly call bash here to allow for the driver to boot other distros as well.
out_command = f"{timeout_str} bash -c {shlex.quote(command)} 2>/dev/null | (base64 -w 0; echo)\n"
out_command = (
f"{timeout_str} bash -c {shlex.quote(command)} | (base64 -w 0; echo)\n"
)
assert self.shell
self.shell.send(out_command.encode())

1
nixos/modules/module-list.nix
View file

@ -311,6 +311,7 @@
./security/rngd.nix
./security/rtkit.nix
./security/sudo.nix
./security/sudo-rs.nix
./security/systemd-confinement.nix
./security/tpm2.nix
./security/wrappers/default.nix

296
nixos/modules/security/sudo-rs.nix Normal file
View file

@ -0,0 +1,296 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (pkgs) sudo sudo-rs;
cfg = config.security.sudo-rs;
enableSSHAgentAuth =
with config.security;
pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
usingMillersSudo = cfg.package.pname == sudo.pname;
usingSudoRs = cfg.package.pname == sudo-rs.pname;
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
toCommandOptionsString = options:
"${concatStringsSep ":" options}${optionalString (length options != 0) ":"} ";
toCommandsString = commands:
concatStringsSep ", " (
map (command:
if (isString command) then
command
else
"${toCommandOptionsString command.options}${command.command}"
) commands
);
in
{
###### interface
options.security.sudo-rs = {
defaultOptions = mkOption {
type = with types; listOf str;
default = optional usingMillersSudo "SETENV";
defaultText = literalMD ''
`[ "SETENV" ]` if using the default `sudo` implementation
'';
description = mdDoc ''
Options used for the default rules, granting `root` and the
`wheel` group permission to run any command as any user.
'';
};
enable = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Whether to enable the {command}`sudo` command, which
allows non-root users to execute commands as root.
'';
};
package = mkOption {
type = types.package;
default = pkgs.sudo-rs;
defaultText = literalExpression "pkgs.sudo-rs";
description = mdDoc ''
Which package to use for `sudo`.
'';
};
wheelNeedsPassword = mkOption {
type = types.bool;
default = true;
description = mdDoc ''
Whether users of the `wheel` group must
provide a password to run commands as super user via {command}`sudo`.
'';
};
execWheelOnly = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Only allow members of the `wheel` group to execute sudo by
setting the executable's permissions accordingly.
This prevents users that are not members of `wheel` from
exploiting vulnerabilities in sudo such as CVE-2021-3156.
'';
};
configFile = mkOption {
type = types.lines;
# Note: if syntax errors are detected in this file, the NixOS
# configuration will fail to build.
description = mdDoc ''
This string contains the contents of the
{file}`sudoers` file.
'';
};
extraRules = mkOption {
description = mdDoc ''
Define specific rules to be in the {file}`sudoers` file.
More specific rules should come after more general ones in order to
yield the expected behavior. You can use mkBefore/mkAfter to ensure
this is the case when configuration options are merged.
'';
default = [];
example = literalExpression ''
[
# Allow execution of any command by all users in group sudo,
# requiring a password.
{ groups = [ "sudo" ]; commands = [ "ALL" ]; }
# Allow execution of "/home/root/secret.sh" by user `backup`, `database`
# and the group with GID `1006` without a password.
{ users = [ "backup" "database" ]; groups = [ 1006 ];
commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }
# Allow all users of group `bar` to run two executables as user `foo`
# with arguments being pre-set.
{ groups = [ "bar" ]; runAs = "foo";
commands =
[ "/home/baz/cmd1.sh hello-sudo"
{ command = '''/home/baz/cmd2.sh ""'''; options = [ "SETENV" ]; } ]; }
]
'';
type = with types; listOf (submodule {
options = {
users = mkOption {
type = with types; listOf (either str int);
description = mdDoc ''
The usernames / UIDs this rule should apply for.
'';
default = [];
};
groups = mkOption {
type = with types; listOf (either str int);
description = mdDoc ''
The groups / GIDs this rule should apply for.
'';
default = [];
};
host = mkOption {
type = types.str;
default = "ALL";
description = mdDoc ''
For what host this rule should apply.
'';
};
runAs = mkOption {
type = with types; str;
default = "ALL:ALL";
description = mdDoc ''
Under which user/group the specified command is allowed to run.
A user can be specified using just the username: `"foo"`.
It is also possible to specify a user/group combination using `"foo:bar"`
or to only allow running as a specific group with `":bar"`.
'';
};
commands = mkOption {
description = mdDoc ''
The commands for which the rule should apply.
'';
type = with types; listOf (either str (submodule {
options = {
command = mkOption {
type = with types; str;
description = mdDoc ''
A command being either just a path to a binary to allow any arguments,
the full command with arguments pre-set or with `""` used as the argument,
not allowing arguments to the command at all.
'';
};
options = mkOption {
type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
description = mdDoc ''
Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html).
'';
default = [];
};
};
}));
};
};
});
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = mdDoc ''
Extra configuration text appended to {file}`sudoers`.
'';
};
};
###### implementation
config = mkIf cfg.enable {
security.sudo-rs.extraRules =
let
defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
inherit users groups;
commands = [ {
command = "ALL";
options = opts ++ cfg.defaultOptions;
} ];
} ];
in mkMerge [
# This is ordered before users' `mkBefore` rules,
# so as not to introduce unexpected changes.
(mkOrder 400 (defaultRule { users = [ "root" ]; }))
# This is ordered to show before (most) other rules, but
# late-enough for a user to `mkBefore` it.
(mkOrder 600 (defaultRule {
groups = [ "wheel" ];
opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD");
}))
];
security.sudo-rs.configFile = concatStringsSep "\n" (filter (s: s != "") [
''
# Don't edit this file. Set the NixOS options security.sudo-rs.configFile
# or security.sudo-rs.extraRules instead.
''
(optionalString enableSSHAgentAuth ''
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
'')
(concatStringsSep "\n" (
lists.flatten (
map (
rule: optionals (length rule.commands != 0) [
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
]
) cfg.extraRules
)
) + "\n")
(optionalString (cfg.extraConfig != "") ''
# extraConfig
${cfg.extraConfig}
'')
]);
security.wrappers = let
owner = "root";
group = if cfg.execWheelOnly then "wheel" else "root";
setuid = true;
permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
in {
sudo = {
source = "${cfg.package.out}/bin/sudo";
inherit owner group setuid permissions;
};
# sudo-rs does not yet ship a sudoedit (as of v0.2.0)
sudoedit = mkIf usingMillersSudo {
source = "${cfg.package.out}/bin/sudoedit";
inherit owner group setuid permissions;
};
};
environment.systemPackages = [ sudo ];
security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
security.pam.services.sudo-i = mkIf usingSudoRs
{ sshAgentAuth = true; usshAuth = true; };
environment.etc.sudoers =
{ source =
pkgs.runCommand "sudoers"
{
src = pkgs.writeText "sudoers-in" cfg.configFile;
preferLocalBuild = true;
}
"${pkgs.buildPackages."${cfg.package.pname}"}/bin/visudo -f $src -c && cp $src $out";
mode = "0440";
};
};
meta.maintainers = [ lib.maintainers.nicoo ];
}

165
nixos/modules/security/sudo.nix
View file

@ -4,16 +4,9 @@ with lib;
let
inherit (pkgs) sudo sudo-rs;
cfg = config.security.sudo;
enableSSHAgentAuth =
with config.security;
pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
usingMillersSudo = cfg.package.pname == sudo.pname;
usingSudoRs = cfg.package.pname == sudo-rs.pname;
inherit (pkgs) sudo;
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
@ -37,51 +30,41 @@ in
###### interface
options.security.sudo = {
options = {
defaultOptions = mkOption {
type = with types; listOf str;
default = optional usingMillersSudo "SETENV";
defaultText = literalMD ''
`[ "SETENV" ]` if using the default `sudo` implementation
'';
description = mdDoc ''
Options used for the default rules, granting `root` and the
`wheel` group permission to run any command as any user.
'';
};
enable = mkOption {
security.sudo.enable = mkOption {
type = types.bool;
default = true;
description = mdDoc ''
Whether to enable the {command}`sudo` command, which
allows non-root users to execute commands as root.
'';
description =
lib.mdDoc ''
Whether to enable the {command}`sudo` command, which
allows non-root users to execute commands as root.
'';
};
package = mkOption {
security.sudo.package = mkOption {
type = types.package;
default = pkgs.sudo;
defaultText = literalExpression "pkgs.sudo";
description = mdDoc ''
description = lib.mdDoc ''
Which package to use for `sudo`.
'';
};
wheelNeedsPassword = mkOption {
security.sudo.wheelNeedsPassword = mkOption {
type = types.bool;
default = true;
description = mdDoc ''
Whether users of the `wheel` group must
provide a password to run commands as super user via {command}`sudo`.
'';
description =
lib.mdDoc ''
Whether users of the `wheel` group must
provide a password to run commands as super user via {command}`sudo`.
'';
};
execWheelOnly = mkOption {
security.sudo.execWheelOnly = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
description = lib.mdDoc ''
Only allow members of the `wheel` group to execute sudo by
setting the executable's permissions accordingly.
This prevents users that are not members of `wheel` from
@ -89,18 +72,19 @@ in
'';
};
configFile = mkOption {
security.sudo.configFile = mkOption {
type = types.lines;
# Note: if syntax errors are detected in this file, the NixOS
# configuration will fail to build.
description = mdDoc ''
This string contains the contents of the
{file}`sudoers` file.
'';
description =
lib.mdDoc ''
This string contains the contents of the
{file}`sudoers` file.
'';
};
extraRules = mkOption {
description = mdDoc ''
security.sudo.extraRules = mkOption {
description = lib.mdDoc ''
Define specific rules to be in the {file}`sudoers` file.
More specific rules should come after more general ones in order to
yield the expected behavior. You can use mkBefore/mkAfter to ensure
@ -130,7 +114,7 @@ in
options = {
users = mkOption {
type = with types; listOf (either str int);
description = mdDoc ''
description = lib.mdDoc ''
The usernames / UIDs this rule should apply for.
'';
default = [];
@ -138,7 +122,7 @@ in
groups = mkOption {
type = with types; listOf (either str int);
description = mdDoc ''
description = lib.mdDoc ''
The groups / GIDs this rule should apply for.
'';
default = [];
@ -147,7 +131,7 @@ in
host = mkOption {
type = types.str;
default = "ALL";
description = mdDoc ''
description = lib.mdDoc ''
For what host this rule should apply.
'';
};
@ -155,7 +139,7 @@ in
runAs = mkOption {
type = with types; str;
default = "ALL:ALL";
description = mdDoc ''
description = lib.mdDoc ''
Under which user/group the specified command is allowed to run.
A user can be specified using just the username: `"foo"`.
@ -165,7 +149,7 @@ in
};
commands = mkOption {
description = mdDoc ''
description = lib.mdDoc ''
The commands for which the rule should apply.
'';
type = with types; listOf (either str (submodule {
@ -173,7 +157,7 @@ in
options = {
command = mkOption {
type = with types; str;
description = mdDoc ''
description = lib.mdDoc ''
A command being either just a path to a binary to allow any arguments,
the full command with arguments pre-set or with `""` used as the argument,
not allowing arguments to the command at all.
@ -182,7 +166,7 @@ in
options = mkOption {
type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
description = mdDoc ''
description = lib.mdDoc ''
Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html).
'';
default = [];
@ -195,10 +179,10 @@ in
});
};
extraConfig = mkOption {
security.sudo.extraConfig = mkOption {
type = types.lines;
default = "";
description = mdDoc ''
description = lib.mdDoc ''
Extra configuration text appended to {file}`sudoers`.
'';
};
@ -208,52 +192,44 @@ in
###### implementation
config = mkIf cfg.enable {
security.sudo.extraRules =
let
defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
inherit users groups;
commands = [ {
command = "ALL";
options = opts ++ cfg.defaultOptions;
} ];
} ];
in mkMerge [
# This is ordered before users' `mkBefore` rules,
# so as not to introduce unexpected changes.
(mkOrder 400 (defaultRule { users = [ "root" ]; }))
assertions = [
{ assertion = cfg.package.pname != "sudo-rs";
message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; }
];
# This is ordered to show before (most) other rules, but
# late-enough for a user to `mkBefore` it.
(mkOrder 600 (defaultRule {
groups = [ "wheel" ];
opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD");
}))
];
# We `mkOrder 600` so that the default rule shows up first, but there is
# still enough room for a user to `mkBefore` it.
security.sudo.extraRules = mkOrder 600 [
{ groups = [ "wheel" ];
commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
}
];
security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [
security.sudo.configFile =
''
# Don't edit this file. Set the NixOS options security.sudo.configFile
# or security.sudo.extraRules instead.
''
(optionalString enableSSHAgentAuth ''
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
'')
(concatStringsSep "\n" (
lists.flatten (
map (
rule: optionals (length rule.commands != 0) [
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
]
) cfg.extraRules
)
) + "\n")
(optionalString (cfg.extraConfig != "") ''
# extraConfig
# "root" is allowed to do anything.
root ALL=(ALL:ALL) SETENV: ALL
# extraRules
${concatStringsSep "\n" (
lists.flatten (
map (
rule: optionals (length rule.commands != 0) [
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
]
) cfg.extraRules
)
)}
${cfg.extraConfig}
'')
]);
'';
security.wrappers = let
owner = "root";
@ -265,8 +241,7 @@ in
source = "${cfg.package.out}/bin/sudo";
inherit owner group setuid permissions;
};
# sudo-rs does not yet ship a sudoedit (as of v0.2.0)
sudoedit = mkIf usingMillersSudo {
sudoedit = {
source = "${cfg.package.out}/bin/sudoedit";
inherit owner group setuid permissions;
};
@ -275,8 +250,6 @@ in
environment.systemPackages = [ sudo ];
security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
security.pam.services.sudo-i = mkIf usingSudoRs
{ sshAgentAuth = true; usshAuth = true; };
environment.etc.sudoers =
{ source =
@ -285,12 +258,12 @@ in
src = pkgs.writeText "sudoers-in" cfg.configFile;
preferLocalBuild = true;
}
"${cfg.package}/bin/visudo -f $src -c && cp $src $out";
# Make sure that the sudoers file is syntactically valid.
# (currently disabled - NIXOS-66)
"${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out";
mode = "0440";
};
};
meta.maintainers = [ lib.maintainers.nicoo ];
}

12
nixos/tests/sudo-rs.nix
View file

@ -5,7 +5,7 @@ let
password = "helloworld";
in
import ./make-test-python.nix ({ lib, pkgs, ...} : {
name = "sudo";
name = "sudo-rs";
meta.maintainers = pkgs.sudo-rs.meta.maintainers;
nodes.machine =
@ -22,7 +22,9 @@ in
test5 = { isNormalUser = true; };
};
security.sudo = {
security.sudo.enable = false;
security.sudo-rs = {
enable = true;
package = pkgs.sudo-rs;
wheelNeedsPassword = false;
@ -54,7 +56,9 @@ in
noadmin = { isNormalUser = true; };
};
security.sudo = {
security.sudo.enable = false;
security.sudo-rs = {
package = pkgs.sudo-rs;
enable = true;
wheelNeedsPassword = false;
@ -86,7 +90,7 @@ in
machine.succeed("sudo -u test5 sudo -n -u test1 true")
with subtest("test5 user should not be able to run commands under root"):
machine.fail("sudo -u test5 sudo -n -u root true")
machine.fail("sudo -u test5 sudo -n -u root true 2>/dev/null")
with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
strict.succeed('faketty -- su - admin -c "sudo -u root true"')