public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #121791 from dotlambda/sudo-execWheelOnly

Browse Source 
nixos/sudo: add option execWheelOnly
This commit is contained in:
Michele Guerini Rocco 2021-05-09 10:04:15 +02:00 committed by GitHub
commit e5452226af
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 45 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
nixos/modules/security/sudo.nix
View File

@ -61,6 +61,17 @@ in
''; '';
}; };
security.sudo.execWheelOnly = mkOption {
type = types.bool;
default = false;
description = ''
Only allow members of the <code>wheel</code> group to execute sudo by
setting the executable's permissions accordingly.
This prevents users that are not members of <code>wheel</code> from
exploiting vulnerabilities in sudo such as CVE-2021-3156.
'';
};
security.sudo.configFile = mkOption { security.sudo.configFile = mkOption {
type = types.lines; type = types.lines;
# Note: if syntax errors are detected in this file, the NixOS # Note: if syntax errors are detected in this file, the NixOS
@ -216,9 +227,20 @@ in
${cfg.extraConfig} ${cfg.extraConfig}
''; '';
security.wrappers = { security.wrappers = let
sudo.source = "${cfg.package.out}/bin/sudo"; owner = "root";
sudoedit.source = "${cfg.package.out}/bin/sudoedit"; group = if cfg.execWheelOnly then "wheel" else "root";
setuid = true;
permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
in {
sudo = {
source = "${cfg.package.out}/bin/sudo";
inherit owner group setuid permissions;
};
sudoedit = {
source = "${cfg.package.out}/bin/sudoedit";
inherit owner group setuid permissions;
};
}; };
environment.systemPackages = [ sudo ]; environment.systemPackages = [ sudo ];

21
nixos/tests/sudo.nix
View File

@ -10,7 +10,7 @@ in
maintainers = [ lschuermann ]; maintainers = [ lschuermann ];
}; };
machine = nodes.machine =
{ lib, ... }: { lib, ... }:
with lib; with lib;
{ {
@ -48,6 +48,19 @@ in
}; };
}; };
nodes.strict = { ... }: {
users.users = {
admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };
noadmin = { isNormalUser = true; };
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
execWheelOnly = true;
};
};
testScript = testScript =
'' ''
with subtest("users in wheel group should have passwordless sudo"): with subtest("users in wheel group should have passwordless sudo"):
@ -79,5 +92,11 @@ in
with subtest("users in group 'barfoo' should not be able to keep their environment"): with subtest("users in group 'barfoo' should not be able to keep their environment"):
machine.fail("sudo -u test3 sudo -n -E -u root true") machine.fail("sudo -u test3 sudo -n -E -u root true")
with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
strict.succeed('su - admin -c "sudo -u root true"')
with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
strict.fail('su - noadmin -c "sudo --help"')
''; '';
}) })