3
0
Fork 0
forked from mirrors/nixpkgs

Merge pull request #121791 from dotlambda/sudo-execWheelOnly

nixos/sudo: add option execWheelOnly
This commit is contained in:
Michele Guerini Rocco 2021-05-09 10:04:15 +02:00 committed by GitHub
commit e5452226af
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 45 additions and 4 deletions

View file

@ -61,6 +61,17 @@ in
'';
};
security.sudo.execWheelOnly = mkOption {
type = types.bool;
default = false;
description = ''
Only allow members of the <code>wheel</code> group to execute sudo by
setting the executable's permissions accordingly.
This prevents users that are not members of <code>wheel</code> from
exploiting vulnerabilities in sudo such as CVE-2021-3156.
'';
};
security.sudo.configFile = mkOption {
type = types.lines;
# Note: if syntax errors are detected in this file, the NixOS
@ -216,9 +227,20 @@ in
${cfg.extraConfig}
'';
security.wrappers = {
sudo.source = "${cfg.package.out}/bin/sudo";
sudoedit.source = "${cfg.package.out}/bin/sudoedit";
security.wrappers = let
owner = "root";
group = if cfg.execWheelOnly then "wheel" else "root";
setuid = true;
permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
in {
sudo = {
source = "${cfg.package.out}/bin/sudo";
inherit owner group setuid permissions;
};
sudoedit = {
source = "${cfg.package.out}/bin/sudoedit";
inherit owner group setuid permissions;
};
};
environment.systemPackages = [ sudo ];

View file

@ -10,7 +10,7 @@ in
maintainers = [ lschuermann ];
};
machine =
nodes.machine =
{ lib, ... }:
with lib;
{
@ -48,6 +48,19 @@ in
};
};
nodes.strict = { ... }: {
users.users = {
admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };
noadmin = { isNormalUser = true; };
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
execWheelOnly = true;
};
};
testScript =
''
with subtest("users in wheel group should have passwordless sudo"):
@ -79,5 +92,11 @@ in
with subtest("users in group 'barfoo' should not be able to keep their environment"):
machine.fail("sudo -u test3 sudo -n -E -u root true")
with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
strict.succeed('su - admin -c "sudo -u root true"')
with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
strict.fail('su - noadmin -c "sudo --help"')
'';
})