Extra sudo configuration file from:
- system/options.nix - system/system.nix - etc/default.nix svn path=/nixos/branches/fix-style/; revision=13681
This commit is contained in:
parent
79bfab0e07
commit
44f1d9f0bf
@ -192,19 +192,6 @@ let
|
||||
target = "ldap.conf";
|
||||
}
|
||||
|
||||
# "sudo" configuration.
|
||||
++ optional config.security.sudo.enable {
|
||||
source = pkgs.runCommand "sudoers"
|
||||
{ src = pkgs.writeText "sudoers-in" (config.security.sudo.configFile);
|
||||
}
|
||||
# Make sure that the sudoers file is syntactically valid.
|
||||
# (currently disabled - NIXOS-66)
|
||||
#"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
|
||||
"cp $src $out";
|
||||
target = "sudoers";
|
||||
mode = "0440";
|
||||
}
|
||||
|
||||
# A bunch of PAM configuration files for various programs.
|
||||
++ (map
|
||||
(program:
|
||||
@ -227,7 +214,6 @@ let
|
||||
"login"
|
||||
"slim"
|
||||
"su"
|
||||
"sudo"
|
||||
"other"
|
||||
"passwd"
|
||||
"shadow"
|
||||
|
@ -2608,37 +2608,6 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
sudo = {
|
||||
|
||||
enable = mkOption {
|
||||
default = true;
|
||||
description = "
|
||||
Whether to enable the <command>sudo</command> command, which
|
||||
allows non-root users to execute commands as root.
|
||||
";
|
||||
};
|
||||
|
||||
configFile = mkOption {
|
||||
default = "
|
||||
# WARNING: do not edit this file directly or with \"visudo\". Instead,
|
||||
# edit the source file in /etc/nixos/nixos/etc/sudoers.
|
||||
|
||||
# \"root\" is allowed to do anything.
|
||||
root ALL=(ALL) SETENV: ALL
|
||||
|
||||
# Users in the \"wheel\" group can do anything.
|
||||
%wheel ALL=(ALL) SETENV: ALL
|
||||
";
|
||||
description = "
|
||||
This string contains the contents of the
|
||||
<filename>sudoers</filename> file. If syntax errors are
|
||||
detected in this file, the NixOS configuration will fail to
|
||||
build.
|
||||
";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
@ -2853,6 +2822,9 @@ root ALL=(ALL) SETENV: ALL
|
||||
(import ../system/activate-configuration.nix)
|
||||
(import ../upstart-jobs/default.nix)
|
||||
|
||||
# security
|
||||
(import ../system/sudo.nix)
|
||||
|
||||
# environment
|
||||
(import ../etc/default.nix)
|
||||
|
||||
|
87
system/sudo.nix
Normal file
87
system/sudo.nix
Normal file
@ -0,0 +1,87 @@
|
||||
{pkgs, config, ...}:
|
||||
|
||||
###### interface
|
||||
let
|
||||
inherit (pkgs.lib) mkOption;
|
||||
|
||||
options = {
|
||||
security = {
|
||||
sudo = {
|
||||
|
||||
enable = mkOption {
|
||||
default = true;
|
||||
description = "
|
||||
Whether to enable the <command>sudo</command> command, which
|
||||
allows non-root users to execute commands as root.
|
||||
";
|
||||
};
|
||||
|
||||
configFile = mkOption {
|
||||
default = "
|
||||
# WARNING: do not edit this file directly or with \"visudo\". Instead,
|
||||
# edit the source file in /etc/nixos/nixos/etc/sudoers.
|
||||
|
||||
# \"root\" is allowed to do anything.
|
||||
root ALL=(ALL) SETENV: ALL
|
||||
|
||||
# Users in the \"wheel\" group can do anything.
|
||||
%wheel ALL=(ALL) SETENV: ALL
|
||||
";
|
||||
description = "
|
||||
This string contains the contents of the
|
||||
<filename>sudoers</filename> file.
|
||||
";
|
||||
# If syntax errors are detected in this file, the NixOS
|
||||
# configuration will fail to build.
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
|
||||
###### implementation
|
||||
let
|
||||
cfg = config.security.sudo;
|
||||
inherit (pkgs.lib) mkIf;
|
||||
inherit (pkgs) sudo;
|
||||
in
|
||||
|
||||
mkIf cfg.enable {
|
||||
require = [
|
||||
options
|
||||
|
||||
# config.environment.etc
|
||||
(import ../etc/default.nix)
|
||||
|
||||
# (import ?) # config.environment.extraPackages
|
||||
# (import ?) # config.security.extraSetuidPrograms
|
||||
];
|
||||
|
||||
security = {
|
||||
extraSetuidPrograms = [
|
||||
"sudo"
|
||||
];
|
||||
};
|
||||
|
||||
environment = {
|
||||
extraPackages = [ sudo ];
|
||||
|
||||
etc = [
|
||||
{
|
||||
source = ../etc/pam.d/sudo;
|
||||
target = "pam.d/sudo";
|
||||
}
|
||||
{
|
||||
source = pkgs.runCommand "sudoers"
|
||||
{ src = pkgs.writeText "sudoers-in" cfg.configFile; }
|
||||
# Make sure that the sudoers file is syntactically valid.
|
||||
# (currently disabled - NIXOS-66)
|
||||
#"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
|
||||
"cp $src $out";
|
||||
target = "sudoers";
|
||||
mode = "0440";
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
@ -158,7 +158,6 @@ rec {
|
||||
pkgs.utillinux
|
||||
pkgs.wirelesstools
|
||||
]
|
||||
++ pkgs.lib.optional config.security.sudo.enable pkgs.sudo
|
||||
++ pkgs.lib.optional config.services.bitlbee.enable pkgs.bitlbee
|
||||
++ pkgs.lib.optional config.networking.defaultMailServer.directDelivery pkgs.ssmtp
|
||||
++ config.environment.extraPackages
|
||||
@ -199,7 +198,6 @@ rec {
|
||||
setuidPrograms =
|
||||
config.security.setuidPrograms ++
|
||||
config.security.extraSetuidPrograms ++
|
||||
pkgs.lib.optional config.security.sudo.enable "sudo" ++
|
||||
pkgs.lib.optional (config.services.xserver.sessionType == "kde") "kcheckpass" ++
|
||||
map ( x : x.program ) config.security.setuidOwners;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user