nixos/sudo: add option execWheelOnly

By setting the executable's group to wheel and permissions to 4510, we
make sure that only members of the wheel group can execute sudo.
This commit is contained in:
Robert Schütz 2021-05-05 13:09:45 +02:00
parent 39e6bf7647
commit 5624aa9f81
2 changed files with 45 additions and 4 deletions

View File

@ -61,6 +61,17 @@ in
'';
};
security.sudo.execWheelOnly = mkOption {
type = types.bool;
default = false;
description = ''
Only allow members of the <code>wheel</code> group to execute sudo by
setting the executable's permissions accordingly.
This prevents users that are not members of <code>wheel</code> from
exploiting vulnerabilities in sudo such as CVE-2021-3156.
'';
};
security.sudo.configFile = mkOption {
type = types.lines;
# Note: if syntax errors are detected in this file, the NixOS
@ -216,9 +227,20 @@ in
${cfg.extraConfig}
'';
security.wrappers = {
sudo.source = "${cfg.package.out}/bin/sudo";
sudoedit.source = "${cfg.package.out}/bin/sudoedit";
security.wrappers = let
owner = "root";
group = if cfg.execWheelOnly then "wheel" else "root";
setuid = true;
permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
in {
sudo = {
source = "${cfg.package.out}/bin/sudo";
inherit owner group setuid permissions;
};
sudoedit = {
source = "${cfg.package.out}/bin/sudoedit";
inherit owner group setuid permissions;
};
};
environment.systemPackages = [ sudo ];

View File

@ -10,7 +10,7 @@ in
maintainers = [ lschuermann ];
};
machine =
nodes.machine =
{ lib, ... }:
with lib;
{
@ -48,6 +48,19 @@ in
};
};
nodes.strict = { ... }: {
users.users = {
admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };
noadmin = { isNormalUser = true; };
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
execWheelOnly = true;
};
};
testScript =
''
with subtest("users in wheel group should have passwordless sudo"):
@ -79,5 +92,11 @@ in
with subtest("users in group 'barfoo' should not be able to keep their environment"):
machine.fail("sudo -u test3 sudo -n -E -u root true")
with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
strict.succeed('su - admin -c "sudo -u root true"')
with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
strict.fail('su - noadmin -c "sudo --help"')
'';
})