nixos/sudo: Handle root
's default rule through extraRules
This makes things more uniform, and simplifies compatibility with sudo-rs. Moreover, users can not inject rules before this if they need to.
This commit is contained in:
parent
3a95964fd5
commit
b1eab8ca53
2 changed files with 27 additions and 11 deletions
|
@ -200,6 +200,12 @@
|
||||||
|
|
||||||
- Package `pash` was removed due to being archived upstream. Use `powershell` as an alternative.
|
- Package `pash` was removed due to being archived upstream. Use `powershell` as an alternative.
|
||||||
|
|
||||||
|
- `security.sudo.extraRules` now includes `root`'s default rule, with ordering
|
||||||
|
priority 400. This is functionally identical for users not specifying rule
|
||||||
|
order, or relying on `mkBefore` and `mkAfter`, but may impact users calling
|
||||||
|
`mkOrder n` with n ≤ 400.
|
||||||
|
|
||||||
|
|
||||||
## Other Notable Changes {#sec-release-23.11-notable-changes}
|
## Other Notable Changes {#sec-release-23.11-notable-changes}
|
||||||
|
|
||||||
- The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.
|
- The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.
|
||||||
|
|
|
@ -200,13 +200,27 @@ in
|
||||||
message = "The NixOS `sudo` module does not yet work with other implementations."; }
|
message = "The NixOS `sudo` module does not yet work with other implementations."; }
|
||||||
];
|
];
|
||||||
|
|
||||||
# We `mkOrder 600` so that the default rule shows up first, but there is
|
security.sudo.extraRules =
|
||||||
# still enough room for a user to `mkBefore` it.
|
let
|
||||||
security.sudo.extraRules = mkOrder 600 [
|
defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
|
||||||
{ groups = [ "wheel" ];
|
inherit users groups;
|
||||||
commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
|
commands = [ {
|
||||||
}
|
command = "ALL";
|
||||||
];
|
options = opts ++ [ "SETENV" ];
|
||||||
|
} ];
|
||||||
|
} ];
|
||||||
|
in mkMerge [
|
||||||
|
# This is ordered before users' `mkBefore` rules,
|
||||||
|
# so as not to introduce unexpected changes.
|
||||||
|
(mkOrder 400 (defaultRule { users = [ "root" ]; }))
|
||||||
|
|
||||||
|
# This is ordered to show before (most) other rules, but
|
||||||
|
# late-enough for a user to `mkBefore` it.
|
||||||
|
(mkOrder 600 (defaultRule {
|
||||||
|
groups = [ "wheel" ];
|
||||||
|
opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD");
|
||||||
|
}))
|
||||||
|
];
|
||||||
|
|
||||||
security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [
|
security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [
|
||||||
''
|
''
|
||||||
|
@ -217,10 +231,6 @@ in
|
||||||
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
|
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
|
||||||
Defaults env_keep+=SSH_AUTH_SOCK
|
Defaults env_keep+=SSH_AUTH_SOCK
|
||||||
'')
|
'')
|
||||||
''
|
|
||||||
# "root" is allowed to do anything.
|
|
||||||
root ALL=(ALL:ALL) SETENV: ALL
|
|
||||||
''
|
|
||||||
(optionalString (cfg.extraRules != []) ''
|
(optionalString (cfg.extraRules != []) ''
|
||||||
# extraRules
|
# extraRules
|
||||||
${concatStringsSep "\n" (
|
${concatStringsSep "\n" (
|
||||||
|
|
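Review bot: `defaultRule` sets no `runAs`, so root's entry now relies on the `extraRules` `runAs` default to reproduce the `(ALL:ALL)` that the removed hard-coded `root ALL=(ALL:ALL) SETENV: ALL` line carried explicitly; that default is not visible in this hunk, so the rendered root line in the generated sudoers should be pinned by a test that greps the output rather than assumed equal. With the root rule always present, the `optionalString (cfg.extraRules != []) ''` guard in the following hunk can no longer be false and could be dropped, and its `# extraRules` header now also labels the two default rules, so the dropped `# "root" is allowed to do anything.` explanation is lost from the rendered file. Because the root rule is now an ordinary `extraRules` definition, a `mkForce` on `security.sudo.extraRules` silently removes it together with the wheel rule; a one-line addition to the option description, `The default rules for root and the wheel group are part of this list; overriding it with mkForce removes them.`, would make that explicit for users.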