| blob | 1fe478f0bff14bd9db149868c97d5f9bcdfde332 |
1 # Some tests to ensure sudo is working properly.
3 let
4 password = "helloworld";
5 in
6 import ./make-test-python.nix ({ lib, pkgs, ...} : {
7 name = "sudo";
8 meta.maintainers = pkgs.sudo.meta.maintainers;
10 nodes.machine =
11 { lib, ... }:
12 {
13 users.groups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; };
14 users.users = {
15 test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; };
16 test1 = { isNormalUser = true; password = password; };
17 test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; };
18 test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; };
19 test4 = { isNormalUser = true; extraGroups = [ "baz" ]; };
20 test5 = { isNormalUser = true; };
21 };
23 security.sudo = {
24 # Explicitly _not_ defining 'enable = true;' here, to check that sudo is enabled by default
26 wheelNeedsPassword = false;
28 extraConfig = ''
29 Defaults lecture="never"
30 '';
32 extraRules = [
33 # SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
34 # errors being detected by the visudo checks.
36 # These should not create any entries
37 { users = [ "notest1" ]; commands = [ ]; }
38 { commands = [ { command = "ALL"; options = [ ]; } ]; }
40 # Test defining commands with the options syntax, though not setting any options
41 { users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; }
44 # CONFIGURATION FOR TEST CASES
45 { users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; }
46 { groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; }
47 { users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; }
48 ];
49 };
50 };
52 nodes.strict = { ... }: {
53 users.users = {
54 admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };
55 noadmin = { isNormalUser = true; };
56 };
58 security.sudo = {
59 enable = true;
60 wheelNeedsPassword = false;
61 execWheelOnly = true;
62 };
63 };
65 testScript =
66 ''
67 with subtest("users in wheel group should have passwordless sudo"):
68 machine.succeed('su - test0 -c "sudo -u root true"')
70 with subtest("test1 user should have sudo with password"):
71 machine.succeed('su - test1 -c "echo ${password} | sudo -S -u root true"')
73 with subtest("test1 user should not be able to use sudo without password"):
74 machine.fail('su - test1 -c "sudo -n -u root true"')
76 with subtest("users in group 'foobar' should be able to use sudo with password"):
77 machine.succeed('su - test2 -c "echo ${password} | sudo -S -u root true"')
79 with subtest("users in group 'barfoo' should be able to use sudo without password"):
80 machine.succeed("sudo -u test3 sudo -n -u root true")
82 with subtest("users in group 'baz' (GID 1337)"):
83 machine.succeed("sudo -u test4 sudo -n -u root echo true")
85 with subtest("test5 user should be able to run commands under test1"):
86 machine.succeed("sudo -u test5 sudo -n -u test1 true")
88 with subtest("test5 user should not be able to run commands under root"):
89 machine.fail("sudo -u test5 sudo -n -u root true")
91 with subtest("test5 user should be able to keep their environment"):
92 machine.succeed("sudo -u test5 sudo -n -E -u test1 true")
94 with subtest("users in group 'barfoo' should not be able to keep their environment"):
95 machine.fail("sudo -u test3 sudo -n -E -u root true")
97 with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
98 strict.succeed('su - admin -c "sudo -u root true"')
100 with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
101 strict.fail('su - noadmin -c "sudo --help"')
102 '';
103 })