* make-etc / activate-configuration: allow /etc files to be installed

as regular files instead of symlinks to the store. * Sudo configuration, enabled through security.sudo.enable (on by default). The contents of the sudoers file is specified in security.sudo.configFile. The default sudoers file allows members of the new "wheel" group to run any command. svn path=/nixos/trunk/; revision=9138
2007-08-16 15:09:06 +00:00 · 2007-08-16 15:09:06 +00:00 · 2a4417d637
commit 2a4417d637
parent ad22e587ab
10 changed files with 78 additions and 10 deletions
--- a/configuration/rescue-cd.nix
+++ b/configuration/rescue-cd.nix
@ -76,6 +76,11 @@ rec {
      nixpkgsURL = http://nix.cs.uu.nl/dist/nix/ + nixpkgsRel;
    };

+    security = {
+      sudo = {
+        enable = false;
+      };
+    };
  };


--- a/etc/default.nix
+++ b/etc/default.nix
@ -140,6 +140,17 @@ import ../helpers/make-etc.nix {
    target = "ldap.conf";
  })
    
+  # "sudo" configuration.
+  ++ (optional ["security" "sudo" "enable"] {
+    source = pkgs.runCommand "sudoers"
+      { src = pkgs.writeText "sudoers-in" (config.get ["security" "sudo" "configFile"]);
+      }
+      # Make sure that the sudoers file is syntactically valid.
+      "${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
+    target = "sudoers";
+    mode = "0440";
+  })
+    
  # A bunch of PAM configuration files for various programs.
  ++ (map
    (program:
--- a/helpers/make-etc.nix
+++ b/helpers/make-etc.nix
@ -8,4 +8,5 @@ stdenv.mkDerivation {
  /* !!! Use toXML. */
  sources = map (x: x.source) configFiles;
  targets = map (x: x.target) configFiles;
+  modes = map (x: if x ? mode then x.mode else "symlink") configFiles;
 }
--- a/helpers/make-etc.sh
+++ b/helpers/make-etc.sh
@ -4,7 +4,11 @@ ensureDir $out/etc

 sources_=($sources)
 targets_=($targets)
+modes_=($modes)
 for ((i = 0; i < ${#targets_[@]}; i++)); do
    ensureDir $out/etc/$(dirname ${targets_[$i]})
    ln -s ${sources_[$i]} $out/etc/${targets_[$i]}
+    if test "${modes_[$i]}" != symlink; then
+        echo "${modes_[$i]}" > $out/etc/${targets_[$i]}.mode
+    fi
 done
--- a/installer/nixos-rebuild.sh
+++ b/installer/nixos-rebuild.sh
@ -30,15 +30,17 @@ if test -z "$NIXOS_CONFIG"; then NIXOS_CONFIG=/etc/nixos/configuration.nix; fi

 # Pull the manifests defined in the configuration (the "manifests"
 # attribute).  Wonderfully hacky.
-manifests=$(nix-instantiate --eval-only --xml --strict \
+if test -z "$NIXOS_NO_PULL"; then
+    manifests=$(nix-instantiate --eval-only --xml --strict \
        $NIXOS/system/system.nix \
        --arg configuration "import $NIXOS_CONFIG" \
        -A manifests \
        | grep '<string'  | sed 's^.*"\(.*\)".*^\1^g')
    
-for i in $manifests; do
+    for i in $manifests; do
        NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache nix-pull $i || true
-done
+    done
+fi


 # Either upgrade the configuration in the system profile (for "switch"
--- a/system/activate-configuration.sh
+++ b/system/activate-configuration.sh
@ -20,7 +20,15 @@ ln -s @etc@/etc $staticEtc
 for i in $(cd $staticEtc && find * -type l); do
    mkdir -p /etc/$(dirname $i)
    rm -f /etc/$i
+    if test -e "$staticEtc/$i.mode"; then
+        # Create a regular file in /etc.
+        cp $staticEtc/$i /etc/$i
+        chown root.root /etc/$i
+        chmod "$(cat "$staticEtc/$i.mode")" /etc/$i
+    else
+        # Create a symlink in /etc.
        ln -s $staticEtc/$i /etc/$i
+    fi
 done


--- a/system/ids.nix
+++ b/system/ids.nix
@ -13,6 +13,7 @@

  gids = {
    root = 0;
+    wheel = 1;
    haldaemon = 5;
    audio = 17;
    users = 100;
--- a/system/options.nix
+++ b/system/options.nix
@ -969,6 +969,37 @@
  }


+  {
+    name = ["security" "sudo" "enable"];
+    default = true;
+    description = "
+      Whether to enable the <command>sudo</command> command, which
+      allows non-root users to execute commands as root.
+    ";
+  }
+
+
+  {
+    name = ["security" "sudo" "configFile"];
+    default = "
+# WARNING: do not edit this file directly or with \"visudo\".  Instead,
+# edit the source file in /etc/nixos/nixos/etc/sudoers.
+
+# \"root\" is allowed to do anything.
+root        ALL=(ALL) SETENV: ALL
+
+# Users in the \"wheel\" group can do anything.
+%wheel      ALL=(ALL) SETENV: ALL
+    ";
+    description = "
+      This string contains the contents of the
+      <filename>sudoers</filename> file.  If syntax errors are
+      detected in this file, the NixOS configuration will fail to
+      build. 
+    ";
+  }
+
+
  {
    name = ["users" "ldap" "enable"];
    default = false;
--- a/system/system.nix
+++ b/system/system.nix
@ -225,6 +225,7 @@ rec {
    nixosCheckout
    setuidWrapper
  ]
+  ++ pkgs.lib.optional (config.get ["security" "sudo" "enable"]) pkgs.sudo
  ++ pkgs.lib.concatLists (map (job: job.extraPath) upstartJobs.jobs)
  ++ (config.get ["environment" "extraPackages"]) pkgs;

@ -260,7 +261,8 @@ rec {
    hostName = config.get ["networking" "hostName"];
    setuidPrograms =
      config.get ["security" "setuidPrograms"] ++
-      config.get ["security" "extraSetuidPrograms"];
+      config.get ["security" "extraSetuidPrograms"] ++
+      pkgs.lib.optional (config.get ["security" "sudo" "enable"]) "sudo";
    maxJobs = config.get ["nix" "maxJobs"];
    extraNixOptions = config.get ["nix" "extraOptions"];

--- a/system/users-groups.nix
+++ b/system/users-groups.nix
@ -56,6 +56,9 @@ rec {
          { name = "root";
            gid = ids.gids.root;
          }
+          { name = "wheel";
+            gid = ids.gids.wheel;
+          }
          { name = "nogroup";
            gid = ids.gids.nogroup;
          }