From be7f104502cf6c6e5ae95f3af8c624cb436c7fd1 Mon Sep 17 00:00:00 2001
From: obadz
Date: Mon, 30 Mar 2015 23:50:45 +0100
Subject: [PATCH] sg: add setuid wrapper. (newgrp is a symlink to sg and was already setuid). sudo: add ability for wheel users to change group (as well as user)
---
 nixos/modules/programs/shadow.nix | 2 +-
 nixos/modules/security/sudo.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix
index 5c2ea07c5549..895ecb122cb6 100644
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -100,7 +100,7 @@ in
 chgpasswd = { rootOK = true; }; };
- security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp"
+ security.setuidPrograms = [ "passwd" "chfn" "su" "sg" "newgrp"
 "newuidmap" "newgidmap" # new in shadow 4.2.x
 ];
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index d42a8c7f7d29..bced2a6ed757 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -77,7 +77,7 @@ in
 root ALL=(ALL) SETENV: ALL # Users in the "wheel" group can do anything.
- %wheel ALL=(ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
+ %wheel ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
 ${cfg.extraConfig} '';
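Review bot: The new `"sg"` entry in `security.setuidPrograms` has no comment explaining why another setuid-root wrapper is needed. The only justification, that newgrp is a symlink to sg and was already setuid, is in the commit message. A setuid list is audited entry by entry, so I would record the reason beside it, for example `# sg and newgrp are one shadow binary (newgrp is a symlink to sg); both need setuid root to change the caller's group`. The existing `# new in shadow 4.2.x` comment presumably refers only to newuidmap and newgidmap, and that is worth making explicit now that the list is longer. The enclosing attribute set starts and ends outside the hunk.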
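Review bot: The `root` rule shown as context above the changed line still reads `ALL=(ALL)`, so after this change wheel members may pass a target group to sudo while root may not. In sudoers a Runas spec with only a user list does not permit `-g`. If that asymmetry is not intended, change the root line as well: `root ALL=(ALL:ALL) SETENV: ALL`. The comment above the wheel rule could also state the new scope, e.g. `# Users in the "wheel" group can run anything as any user and any group.` The sudoers template string starts and ends outside the hunk, so other rules in it are not visible here.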