nixpkgs/nixos/tests/sudo.nix

# Some tests to ensure sudo is working properly.

let
  password = "helloworld";
in
  import ./make-test-python.nix ({ lib, pkgs, ...} : {
    name = "sudo";
    meta.maintainers = pkgs.sudo.meta.maintainers;

    nodes.machine =
      { lib, ... }:
      {
        users.groups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; };
        users.users = {
          test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; };
          test1 = { isNormalUser = true; password = password; };
          test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; };
          test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; };
          test4 = { isNormalUser = true; extraGroups = [ "baz" ]; };
          test5 = { isNormalUser = true; };
        };

        security.sudo = {
          # Explicitly _not_ defining 'enable = true;' here, to check that sudo is enabled by default

          wheelNeedsPassword = false;

          extraConfig = ''
            Defaults lecture="never"
          '';

          extraRules = [
            # SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
            # errors being detected by the visudo checks.

            # These should not create any entries
            { users = [ "notest1" ]; commands = [ ]; }
            { commands = [ { command = "ALL"; options = [ ]; } ]; }

            # Test defining commands with the options syntax, though not setting any options
            { users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; }


            # CONFIGURATION FOR TEST CASES
            { users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; }
            { groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; }
            { users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; }
          ];
        };
      };

    nodes.strict = { ... }: {
      users.users = {
        admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };
        noadmin = { isNormalUser = true; };
      };

      security.sudo = {
        enable = true;
        wheelNeedsPassword = false;
        execWheelOnly = true;
      };
    };

    testScript =
      ''
        with subtest("users in wheel group should have passwordless sudo"):
            machine.succeed('su - test0 -c "sudo -u root true"')

        with subtest("test1 user should have sudo with password"):
            machine.succeed('su - test1 -c "echo ${password} | sudo -S -u root true"')

        with subtest("test1 user should not be able to use sudo without password"):
            machine.fail('su - test1 -c "sudo -n -u root true"')

        with subtest("users in group 'foobar' should be able to use sudo with password"):
            machine.succeed('su - test2 -c "echo ${password} | sudo -S -u root true"')

        with subtest("users in group 'barfoo' should be able to use sudo without password"):
            machine.succeed("sudo -u test3 sudo -n -u root true")

        with subtest("users in group 'baz' (GID 1337)"):
            machine.succeed("sudo -u test4 sudo -n -u root echo true")

        with subtest("test5 user should be able to run commands under test1"):
            machine.succeed("sudo -u test5 sudo -n -u test1 true")

        with subtest("test5 user should not be able to run commands under root"):
            machine.fail("sudo -u test5 sudo -n -u root true")

        with subtest("test5 user should be able to keep their environment"):
            machine.succeed("sudo -u test5 sudo -n -E -u test1 true")

        with subtest("users in group 'barfoo' should not be able to keep their environment"):
            machine.fail("sudo -u test3 sudo -n -E -u root true")

        with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
            strict.succeed('su - admin -c "sudo -u root true"')

        with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
            strict.fail('su - noadmin -c "sudo --help"')
      '';
  })
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00			`# Some tests to ensure sudo is working properly.`

			`let`
			`password = "helloworld";`
			`in`
nixos/tests/sudo.nix: get rid of `with lib` 2023-04-30 14:26:19 +00:00			`import ./make-test-python.nix ({ lib, pkgs, ...} : {`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00			`name = "sudo";`
nixosTests.sudo: use same maintainers as the package 2023-09-08 12:47:13 +00:00			`meta.maintainers = pkgs.sudo.meta.maintainers;`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00
nixos/sudo: add option execWheelOnly By setting the executable's group to wheel and permissions to 4510, we make sure that only members of the wheel group can execute sudo. 2021-05-05 11:09:45 +00:00			`nodes.machine =`
[bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00			`{ lib, ... }:`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00			`{`
nixos/tests: users.(extraUsers\|extraGroup->users\|group) 2018-06-29 23:55:42 +00:00			`users.groups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; };`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00			`users.users = {`
			`test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; };`
			`test1 = { isNormalUser = true; password = password; };`
			`test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; };`
			`test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; };`
			`test4 = { isNormalUser = true; extraGroups = [ "baz" ]; };`
			`test5 = { isNormalUser = true; };`
			`};`

			`security.sudo = {`
nixos/tests/sudo: check that sudo is enabled by default 2023-11-10 02:32:26 +00:00			`# Explicitly _not_ defining 'enable = true;' here, to check that sudo is enabled by default`

sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00			`wheelNeedsPassword = false;`

nixos/sudo: fix test for 1.9.9 The test failed with > Test "test5 user should not be able to run commands under root" failed with > error: "invalid literal for int() with base 10: ''" since 2492da88ea018c067c2dee5b6eef5b65c5283597. The reason for this is that `sudo(8)` writes the lecture to the tty[1] and only as a fallback to stdout[2]. This means that the `base64 --wrap 0` executed by `machine.execute()` doesn't affect the text written to the terminal, however the lecture is part of the string that's read from the VM via `shell.recv()`. I confirmed the problem in an interactive test session[3]: >>> command = "sudo -u test5 sudo -n -u root true" >>> out_command = f"( set -euo pipefail; {command} ) \| (base64 --wrap 0; echo)\n" >>> machine.shell.send(out_command.encode()) 84 >>> machine # [ 99.015512] sudo[877]: root : TTY=hvc0 ; PWD=/tmp ; USER=test5 ; COMMAND=/run/wrappers/bin/sudo -n -u root true machine # [ 99.019373] sudo[877]: pam_unix(sudo:session): session opened for user test5(uid=1005) by (uid=0) machine # [ 99.038692] sudo[879]: pam_unix(sudo:auth): conversation failed machine # sudo: a password is required machine # [ 99.041860] sudo[879]: pam_unix(sudo:auth): auth could not identify password for [test5] machine # [ 99.046901] sudo[877]: pam_unix(sudo:session): session closed for user test5 >>> >>> x=machine._next_newline_closed_block_from_shell() >>> print(x) <newline> We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: <newline> #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. <newline> <newline> <newline> >>> Since the lecture isn't strictly necessary to confirm that `security.sudo` works as expected, I decided to disable lecturing inside the test, however we may want to fix the underlying problem in the test-driver at some point. [1] https://github.com/sudo-project/sudo/blob/SUDO_1_9_9/plugins/sudoers/check.c#L275-L283 [2] https://github.com/sudo-project/sudo/blob/SUDO_1_9_9/src/conversation.c#L95-L120 [3] I replaced each empty line with `<newline>` to make sure these aren't swallowed by git. 2022-02-01 11:39:00 +00:00			`extraConfig = ''`
			`Defaults lecture="never"`
			`'';`

sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00			`extraRules = [`
			`# SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;`
			`# errors being detected by the visudo checks.`

			`# These should not create any entries`
			`{ users = [ "notest1" ]; commands = [ ]; }`
			`{ commands = [ { command = "ALL"; options = [ ]; } ]; }`

			`# Test defining commands with the options syntax, though not setting any options`
			`{ users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; }`


			`# CONFIGURATION FOR TEST CASES`
			`{ users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; }`
			`{ groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; }`
			`{ users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; }`
			`];`
			`};`
			`};`

nixos/sudo: add option execWheelOnly By setting the executable's group to wheel and permissions to 4510, we make sure that only members of the wheel group can execute sudo. 2021-05-05 11:09:45 +00:00			`nodes.strict = { ... }: {`
			`users.users = {`
			`admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };`
			`noadmin = { isNormalUser = true; };`
			`};`

			`security.sudo = {`
			`enable = true;`
			`wheelNeedsPassword = false;`
			`execWheelOnly = true;`
			`};`
			`};`

sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00			`testScript =`
			`''`
nixosTests.sudo: port to python 2019-11-24 20:06:36 +00:00			`with subtest("users in wheel group should have passwordless sudo"):`
			`machine.succeed('su - test0 -c "sudo -u root true"')`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00
nixosTests.sudo: port to python 2019-11-24 20:06:36 +00:00			`with subtest("test1 user should have sudo with password"):`
			`machine.succeed('su - test1 -c "echo ${password} \| sudo -S -u root true"')`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00
nixosTests.sudo: port to python 2019-11-24 20:06:36 +00:00			`with subtest("test1 user should not be able to use sudo without password"):`
			`machine.fail('su - test1 -c "sudo -n -u root true"')`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00
nixosTests.sudo: port to python 2019-11-24 20:06:36 +00:00			`with subtest("users in group 'foobar' should be able to use sudo with password"):`
nixosTests.sudo: fix test flakiness One of the subtests in the sudo NixOS test suite was broken: instead of running the sudo invocation as user 'test2', it was running it as root. Since root doesn't require a password to use sudo, this was causing random "broken pipe" errors when trying to pass it a password via stdin. 2022-01-02 23:37:26 +00:00			`machine.succeed('su - test2 -c "echo ${password} \| sudo -S -u root true"')`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00
nixosTests.sudo: port to python 2019-11-24 20:06:36 +00:00			`with subtest("users in group 'barfoo' should be able to use sudo without password"):`
			`machine.succeed("sudo -u test3 sudo -n -u root true")`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00
nixosTests.sudo: port to python 2019-11-24 20:06:36 +00:00			`with subtest("users in group 'baz' (GID 1337)"):`
			`machine.succeed("sudo -u test4 sudo -n -u root echo true")`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00
nixosTests.sudo: port to python 2019-11-24 20:06:36 +00:00			`with subtest("test5 user should be able to run commands under test1"):`
			`machine.succeed("sudo -u test5 sudo -n -u test1 true")`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00
nixosTests.sudo: port to python 2019-11-24 20:06:36 +00:00			`with subtest("test5 user should not be able to run commands under root"):`
			`machine.fail("sudo -u test5 sudo -n -u root true")`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00
small treewide: his -> theirs/its SJW brigade represent. ;) Co-authored-by: Jan Tojnar <jtojnar@gmail.com> 2020-06-23 13:59:14 +00:00			`with subtest("test5 user should be able to keep their environment"):`
nixosTests.sudo: port to python 2019-11-24 20:06:36 +00:00			`machine.succeed("sudo -u test5 sudo -n -E -u test1 true")`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00
nixosTests.sudo: port to python 2019-11-24 20:06:36 +00:00			`with subtest("users in group 'barfoo' should not be able to keep their environment"):`
			`machine.fail("sudo -u test3 sudo -n -E -u root true")`
nixos/sudo: add option execWheelOnly By setting the executable's group to wheel and permissions to 4510, we make sure that only members of the wheel group can execute sudo. 2021-05-05 11:09:45 +00:00
			`with subtest("users in wheel should be able to run sudo despite execWheelOnly"):`
			`strict.succeed('su - admin -c "sudo -u root true"')`

			`with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):`
			`strict.fail('su - noadmin -c "sudo --help"')`
sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00			`'';`
			`})`