forked from mirrors/nixpkgs
nixos/security.sudo: describe extraRules order
The order of sudoers entries is significant. The man page for sudoers(5) notes:

    Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

This module adds a rule for group "wheel" matching all commands. If you wanted to add a more specific rule allowing members of the "wheel" group to run command `foo` without a password, you'd need to use mkAfter to ensure your rule comes after the more general rule.

    extraRules = lib.mkAfter [
      {
        groups = [ "wheel" ];
        commands = [
          {
            command = "${pkgs.foo}/bin/foo";
            options = [ "NOPASSWD" "SETENV" ];
          }
        ];
      }
    ];

Otherwise, when configuration options are merged, if the general rule ends up after the specific rule, it will dictate the behavior even when running the `foo` command.
parent bc7c7b2b09
commit d08967a3a8
@ -66,6 +66,9 @@ in
security.sudo.extraRules = mkOption {
description = ''
Define specific rules to be in the <filename>sudoers</filename> file.
More specific rules should come after more general ones in order to
yield the expected behavior. You can use mkBefore/mkAfter to ensure
this is the case when configuration options are merged.
'';
default = [];
example = [
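Review bot: The three added description lines ("More specific rules should come after ... when configuration options are merged.") tell the reader to order specific rules after general ones but not why, and they omit the detail that matters most for this option: the module already installs a catch-all rule for group "wheel", so any extraRules entry meant to override it (the `foo` NOPASSWD case in the commit message) silently loses unless it is wrapped in `lib.mkAfter`. Suggest stating the sudoers(5) rule and the module's own default explicitly, e.g. "sudo uses the last matching entry, so a rule that should take precedence over this module's default rule for group "wheel" must come after it; use lib.mkAfter on extraRules to guarantee this when options are merged." It would also help to carry the `lib.mkAfter` form from the commit message into the `example = [` value that follows, since that is the form users will actually need.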