* make-etc / activate-configuration: allow /etc files to be installed

as regular files instead of symlinks to the store.
* Sudo configuration, enabled through security.sudo.enable (on by
  default).  The contents of the sudoers file is specified in
  security.sudo.configFile.  The default sudoers file allows members
  of the new "wheel" group to run any command.

svn path=/nixos/trunk/; revision=9138
This commit is contained in:
Eelco Dolstra 2007-08-16 15:09:06 +00:00
parent ad22e587ab
commit 2a4417d637
10 changed files with 78 additions and 10 deletions

View File

@ -76,6 +76,11 @@ rec {
nixpkgsURL = http://nix.cs.uu.nl/dist/nix/ + nixpkgsRel;
};
security = {
sudo = {
enable = false;
};
};
};

View File

@ -140,6 +140,17 @@ import ../helpers/make-etc.nix {
target = "ldap.conf";
})
# "sudo" configuration.
++ (optional ["security" "sudo" "enable"] {
source = pkgs.runCommand "sudoers"
{ src = pkgs.writeText "sudoers-in" (config.get ["security" "sudo" "configFile"]);
}
# Make sure that the sudoers file is syntactically valid.
"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
target = "sudoers";
mode = "0440";
})
# A bunch of PAM configuration files for various programs.
++ (map
(program:

View File

@ -8,4 +8,5 @@ stdenv.mkDerivation {
/* !!! Use toXML. */
sources = map (x: x.source) configFiles;
targets = map (x: x.target) configFiles;
modes = map (x: if x ? mode then x.mode else "symlink") configFiles;
}

View File

@ -4,7 +4,11 @@ ensureDir $out/etc
sources_=($sources)
targets_=($targets)
modes_=($modes)
for ((i = 0; i < ${#targets_[@]}; i++)); do
ensureDir $out/etc/$(dirname ${targets_[$i]})
ln -s ${sources_[$i]} $out/etc/${targets_[$i]}
if test "${modes_[$i]}" != symlink; then
echo "${modes_[$i]}" > $out/etc/${targets_[$i]}.mode
fi
done

View File

@ -30,15 +30,17 @@ if test -z "$NIXOS_CONFIG"; then NIXOS_CONFIG=/etc/nixos/configuration.nix; fi
# Pull the manifests defined in the configuration (the "manifests"
# attribute). Wonderfully hacky.
manifests=$(nix-instantiate --eval-only --xml --strict \
$NIXOS/system/system.nix \
--arg configuration "import $NIXOS_CONFIG" \
-A manifests \
| grep '<string' | sed 's^.*"\(.*\)".*^\1^g')
if test -z "$NIXOS_NO_PULL"; then
manifests=$(nix-instantiate --eval-only --xml --strict \
$NIXOS/system/system.nix \
--arg configuration "import $NIXOS_CONFIG" \
-A manifests \
| grep '<string' | sed 's^.*"\(.*\)".*^\1^g')
for i in $manifests; do
NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache nix-pull $i || true
done
for i in $manifests; do
NIX_DOWNLOAD_CACHE=/nix/var/nix/channel-cache nix-pull $i || true
done
fi
# Either upgrade the configuration in the system profile (for "switch"

View File

@ -20,7 +20,15 @@ ln -s @etc@/etc $staticEtc
for i in $(cd $staticEtc && find * -type l); do
mkdir -p /etc/$(dirname $i)
rm -f /etc/$i
ln -s $staticEtc/$i /etc/$i
if test -e "$staticEtc/$i.mode"; then
# Create a regular file in /etc.
cp $staticEtc/$i /etc/$i
chown root.root /etc/$i
chmod "$(cat "$staticEtc/$i.mode")" /etc/$i
else
# Create a symlink in /etc.
ln -s $staticEtc/$i /etc/$i
fi
done

View File

@ -13,6 +13,7 @@
gids = {
root = 0;
wheel = 1;
haldaemon = 5;
audio = 17;
users = 100;

View File

@ -969,6 +969,37 @@
}
{
name = ["security" "sudo" "enable"];
default = true;
description = "
Whether to enable the <command>sudo</command> command, which
allows non-root users to execute commands as root.
";
}
{
name = ["security" "sudo" "configFile"];
default = "
# WARNING: do not edit this file directly or with \"visudo\". Instead,
# edit the source file in /etc/nixos/nixos/etc/sudoers.
# \"root\" is allowed to do anything.
root ALL=(ALL) SETENV: ALL
# Users in the \"wheel\" group can do anything.
%wheel ALL=(ALL) SETENV: ALL
";
description = "
This string contains the contents of the
<filename>sudoers</filename> file. If syntax errors are
detected in this file, the NixOS configuration will fail to
build.
";
}
{
name = ["users" "ldap" "enable"];
default = false;

View File

@ -225,6 +225,7 @@ rec {
nixosCheckout
setuidWrapper
]
++ pkgs.lib.optional (config.get ["security" "sudo" "enable"]) pkgs.sudo
++ pkgs.lib.concatLists (map (job: job.extraPath) upstartJobs.jobs)
++ (config.get ["environment" "extraPackages"]) pkgs;
@ -260,7 +261,8 @@ rec {
hostName = config.get ["networking" "hostName"];
setuidPrograms =
config.get ["security" "setuidPrograms"] ++
config.get ["security" "extraSetuidPrograms"];
config.get ["security" "extraSetuidPrograms"] ++
pkgs.lib.optional (config.get ["security" "sudo" "enable"]) "sudo";
maxJobs = config.get ["nix" "maxJobs"];
extraNixOptions = config.get ["nix" "extraOptions"];

View File

@ -56,6 +56,9 @@ rec {
{ name = "root";
gid = ids.gids.root;
}
{ name = "wheel";
gid = ids.gids.wheel;
}
{ name = "nogroup";
gid = ids.gids.nogroup;
}