| blob | 2959efd050919003040d1ba456cd4efe9eadadd7 |
1 { config, lib, pkgs, ... }:
3 with lib;
5 let
7 cfg = config.security.sudo;
9 toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
10 toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
12 toCommandOptionsString = options:
13 "${concatStringsSep ":" options}${optionalString (length options != 0) ":"} ";
15 toCommandsString = commands:
16 concatStringsSep ", " (
17 map (command:
18 if (isString command) then
19 command
20 else
21 "${toCommandOptionsString command.options}${command.command}"
22 ) commands
23 );
25 in
27 {
29 ###### interface
31 options.security.sudo = {
33 defaultOptions = mkOption {
34 type = with types; listOf str;
35 default = [ "SETENV" ];
36 description = ''
37 Options used for the default rules, granting `root` and the
38 `wheel` group permission to run any command as any user.
39 '';
40 };
42 enable = mkOption {
43 type = types.bool;
44 default = true;
45 description = ''
46 Whether to enable the {command}`sudo` command, which
47 allows non-root users to execute commands as root.
48 '';
49 };
51 package = mkPackageOption pkgs "sudo" { };
53 wheelNeedsPassword = mkOption {
54 type = types.bool;
55 default = true;
56 description = ''
57 Whether users of the `wheel` group must
58 provide a password to run commands as super user via {command}`sudo`.
59 '';
60 };
62 execWheelOnly = mkOption {
63 type = types.bool;
64 default = false;
65 description = ''
66 Only allow members of the `wheel` group to execute sudo by
67 setting the executable's permissions accordingly.
68 This prevents users that are not members of `wheel` from
69 exploiting vulnerabilities in sudo such as CVE-2021-3156.
70 '';
71 };
73 configFile = mkOption {
74 type = types.lines;
75 # Note: if syntax errors are detected in this file, the NixOS
76 # configuration will fail to build.
77 description = ''
78 This string contains the contents of the
79 {file}`sudoers` file.
80 '';
81 };
83 extraRules = mkOption {
84 description = ''
85 Define specific rules to be in the {file}`sudoers` file.
86 More specific rules should come after more general ones in order to
87 yield the expected behavior. You can use mkBefore/mkAfter to ensure
88 this is the case when configuration options are merged.
89 '';
90 default = [];
91 example = literalExpression ''
92 [
93 # Allow execution of any command by all users in group sudo,
94 # requiring a password.
95 { groups = [ "sudo" ]; commands = [ "ALL" ]; }
97 # Allow execution of "/home/root/secret.sh" by user `backup`, `database`
98 # and the group with GID `1006` without a password.
99 { users = [ "backup" "database" ]; groups = [ 1006 ];
100 commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }
102 # Allow all users of group `bar` to run two executables as user `foo`
103 # with arguments being pre-set.
104 { groups = [ "bar" ]; runAs = "foo";
105 commands =
106 [ "/home/baz/cmd1.sh hello-sudo"
107 { command = '''/home/baz/cmd2.sh ""'''; options = [ "SETENV" ]; } ]; }
108 ]
109 '';
110 type = with types; listOf (submodule {
111 options = {
112 users = mkOption {
113 type = with types; listOf (either str int);
114 description = ''
115 The usernames / UIDs this rule should apply for.
116 '';
117 default = [];
118 };
120 groups = mkOption {
121 type = with types; listOf (either str int);
122 description = ''
123 The groups / GIDs this rule should apply for.
124 '';
125 default = [];
126 };
128 host = mkOption {
129 type = types.str;
130 default = "ALL";
131 description = ''
132 For what host this rule should apply.
133 '';
134 };
136 runAs = mkOption {
137 type = with types; str;
138 default = "ALL:ALL";
139 description = ''
140 Under which user/group the specified command is allowed to run.
142 A user can be specified using just the username: `"foo"`.
143 It is also possible to specify a user/group combination using `"foo:bar"`
144 or to only allow running as a specific group with `":bar"`.
145 '';
146 };
148 commands = mkOption {
149 description = ''
150 The commands for which the rule should apply.
151 '';
152 type = with types; listOf (either str (submodule {
154 options = {
155 command = mkOption {
156 type = with types; str;
157 description = ''
158 A command being either just a path to a binary to allow any arguments,
159 the full command with arguments pre-set or with `""` used as the argument,
160 not allowing arguments to the command at all.
161 '';
162 };
164 options = mkOption {
165 type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" "MAIL" "NOMAIL" "FOLLOW" "NOFLLOW" "INTERCEPT" "NOINTERCEPT"]);
166 description = ''
167 Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/docs/man/1.9.15/sudoers.man/#Tag_Spec).
168 '';
169 default = [];
170 };
171 };
173 }));
174 };
175 };
176 });
177 };
179 extraConfig = mkOption {
180 type = types.lines;
181 default = "";
182 description = ''
183 Extra configuration text appended to {file}`sudoers`.
184 '';
185 };
186 };
189 ###### implementation
191 config = mkIf cfg.enable {
192 assertions = [ {
193 assertion = cfg.package.pname != "sudo-rs";
194 message = ''
195 NixOS' `sudo` module does not support `sudo-rs`; see `security.sudo-rs` instead.
196 '';
197 } ];
199 security.sudo.extraRules =
200 let
201 defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
202 inherit users groups;
203 commands = [ {
204 command = "ALL";
205 options = opts ++ cfg.defaultOptions;
206 } ];
207 } ];
208 in mkMerge [
209 # This is ordered before users' `mkBefore` rules,
210 # so as not to introduce unexpected changes.
211 (mkOrder 400 (defaultRule { users = [ "root" ]; }))
213 # This is ordered to show before (most) other rules, but
214 # late-enough for a user to `mkBefore` it.
215 (mkOrder 600 (defaultRule {
216 groups = [ "wheel" ];
217 opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD");
218 }))
219 ];
221 security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [
222 ''
223 # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
224 # or ‘security.sudo.extraRules’ instead.
225 ''
226 (pipe cfg.extraRules [
227 (filter (rule: length rule.commands != 0))
228 (map (rule: [
229 (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
230 (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
231 ]))
232 flatten
233 (concatStringsSep "\n")
234 ])
235 "\n"
236 (optionalString (cfg.extraConfig != "") ''
237 # extraConfig
238 ${cfg.extraConfig}
239 '')
240 ]);
242 security.wrappers = let
243 owner = "root";
244 group = if cfg.execWheelOnly then "wheel" else "root";
245 setuid = true;
246 permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
247 in {
248 sudo = {
249 source = "${cfg.package.out}/bin/sudo";
250 inherit owner group setuid permissions;
251 };
252 sudoedit = {
253 source = "${cfg.package.out}/bin/sudoedit";
254 inherit owner group setuid permissions;
255 };
256 };
258 environment.systemPackages = [ cfg.package ];
260 security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
262 environment.etc.sudoers =
263 { source =
264 pkgs.runCommand "sudoers"
265 {
266 src = pkgs.writeText "sudoers-in" cfg.configFile;
267 preferLocalBuild = true;
268 }
269 # Make sure that the sudoers file is syntactically valid.
270 # (currently disabled - NIXOS-66)
271 "${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out";
272 mode = "0440";
273 };
275 };
277 }