2014-04-14 15:26:48 +01:00
|
|
|
|
{ config, lib, pkgs, ... }:
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2014-04-14 15:26:48 +01:00
|
|
|
|
with lib;
|
2009-08-16 15:49:14 +01:00
|
|
|
|
|
2009-01-02 16:07:15 +00:00
|
|
|
|
let
|
2009-08-16 15:49:14 +01:00
|
|
|
|
|
|
|
|
|
cfg = config.security.sudo;
|
2011-09-14 19:20:50 +01:00
|
|
|
|
|
2009-08-16 15:49:14 +01:00
|
|
|
|
inherit (pkgs) sudo;
|
|
|
|
|
|
|
|
|
|
in
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
###### interface
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
|
2009-08-16 15:49:14 +01:00
|
|
|
|
security.sudo.enable = mkOption {
|
2013-10-30 16:37:45 +00:00
|
|
|
|
type = types.bool;
|
2009-08-16 15:49:14 +01:00
|
|
|
|
default = true;
|
|
|
|
|
description =
|
|
|
|
|
''
|
|
|
|
|
Whether to enable the <command>sudo</command> command, which
|
|
|
|
|
allows non-root users to execute commands as root.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2012-08-13 13:37:32 +01:00
|
|
|
|
security.sudo.wheelNeedsPassword = mkOption {
|
2013-10-30 16:37:45 +00:00
|
|
|
|
type = types.bool;
|
2012-08-13 13:37:32 +01:00
|
|
|
|
default = true;
|
|
|
|
|
description =
|
|
|
|
|
''
|
|
|
|
|
Whether users of the <code>wheel</code> group can execute
|
|
|
|
|
commands as super user without entering a password.
|
2013-04-03 11:54:40 +01:00
|
|
|
|
'';
|
2012-08-13 13:37:32 +01:00
|
|
|
|
};
|
|
|
|
|
|
2009-08-16 15:49:14 +01:00
|
|
|
|
security.sudo.configFile = mkOption {
|
2013-10-30 16:37:45 +00:00
|
|
|
|
type = types.lines;
|
2009-08-16 15:49:14 +01:00
|
|
|
|
# Note: if syntax errors are detected in this file, the NixOS
|
|
|
|
|
# configuration will fail to build.
|
|
|
|
|
description =
|
|
|
|
|
''
|
|
|
|
|
This string contains the contents of the
|
|
|
|
|
<filename>sudoers</filename> file.
|
|
|
|
|
'';
|
2009-01-02 16:07:15 +00:00
|
|
|
|
};
|
2014-10-30 12:59:21 +00:00
|
|
|
|
|
|
|
|
|
security.sudo.extraConfig = mkOption {
|
|
|
|
|
type = types.lines;
|
|
|
|
|
default = "";
|
|
|
|
|
description = ''
|
|
|
|
|
Extra configuration text appended to <filename>sudoers</filename>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2009-01-02 16:07:15 +00:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
2009-08-16 15:49:14 +01:00
|
|
|
|
###### implementation
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2009-08-16 15:49:14 +01:00
|
|
|
|
config = mkIf cfg.enable {
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2012-11-23 14:14:16 +00:00
|
|
|
|
security.sudo.configFile =
|
|
|
|
|
''
|
2014-10-30 12:59:21 +00:00
|
|
|
|
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
|
2014-12-18 10:51:08 +00:00
|
|
|
|
# or ‘security.sudo.extraConfig’ instead.
|
2012-11-23 14:14:16 +00:00
|
|
|
|
|
|
|
|
|
# Environment variables to keep for root and %wheel.
|
|
|
|
|
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
|
2014-05-04 13:42:16 +01:00
|
|
|
|
Defaults:root,%wheel env_keep+=TERMINFO
|
2012-11-23 14:14:16 +00:00
|
|
|
|
|
|
|
|
|
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
|
|
|
|
|
Defaults env_keep+=SSH_AUTH_SOCK
|
|
|
|
|
|
|
|
|
|
# "root" is allowed to do anything.
|
2016-09-13 14:15:56 +01:00
|
|
|
|
root ALL=(ALL:ALL) SETENV: ALL
|
2012-11-23 14:14:16 +00:00
|
|
|
|
|
|
|
|
|
# Users in the "wheel" group can do anything.
|
2015-03-30 23:50:45 +01:00
|
|
|
|
%wheel ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
|
2014-10-30 12:59:21 +00:00
|
|
|
|
${cfg.extraConfig}
|
2012-11-23 14:14:16 +00:00
|
|
|
|
'';
|
|
|
|
|
|
2016-07-16 01:10:48 +01:00
|
|
|
|
security.permissionsWrappers.setuid =
|
|
|
|
|
[
|
|
|
|
|
{ program = "sudo";
|
|
|
|
|
source = "${pkgs.sudo.out}/bin/sudo";
|
2016-09-02 01:06:21 +01:00
|
|
|
|
owner = "root";
|
2016-07-16 01:10:48 +01:00
|
|
|
|
group = "root";
|
|
|
|
|
setuid = true;
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-02 01:06:21 +01:00
|
|
|
|
{ program = "sudoedit";
|
|
|
|
|
source = "${pkgs.sudo.out}/bin/sudoedit";
|
|
|
|
|
owner = "root";
|
2016-07-16 01:10:48 +01:00
|
|
|
|
group = "root";
|
|
|
|
|
setuid = true;
|
|
|
|
|
}
|
|
|
|
|
];
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2009-08-16 15:49:14 +01:00
|
|
|
|
environment.systemPackages = [ sudo ];
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
security.pam.services.sudo = { sshAgentAuth = true; };
|
2009-01-02 16:07:15 +00:00
|
|
|
|
|
2009-08-16 15:49:14 +01:00
|
|
|
|
environment.etc = singleton
|
2014-06-08 21:54:13 +01:00
|
|
|
|
{ source =
|
|
|
|
|
pkgs.runCommand "sudoers"
|
2014-12-18 10:51:08 +00:00
|
|
|
|
{ src = pkgs.writeText "sudoers-in" cfg.configFile; }
|
2009-01-02 16:07:15 +00:00
|
|
|
|
# Make sure that the sudoers file is syntactically valid.
|
|
|
|
|
# (currently disabled - NIXOS-66)
|
2014-12-18 10:51:08 +00:00
|
|
|
|
"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
|
2009-01-02 16:07:15 +00:00
|
|
|
|
target = "sudoers";
|
|
|
|
|
mode = "0440";
|
2009-08-16 15:49:14 +01:00
|
|
|
|
};
|
|
|
|
|
|
2009-01-02 16:07:15 +00:00
|
|
|
|
};
|
2009-08-16 15:49:14 +01:00
|
|
|
|
|
2009-01-02 16:07:15 +00:00
|
|
|
|
}
|