From 572413151ae4710a9258c18e758fccce2b650cce Mon Sep 17 00:00:00 2001 From: nicoo Date: Sun, 22 Oct 2023 18:05:14 +0000 Subject: [PATCH 01/11] nixos/release-notes: Tidy-up location of `sudo-rs` link definition Presumably introduced when reverting #253876 --- nixos/doc/manual/release-notes/rl-2311.section.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index bfeca488d089..16ac84aee82a 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -28,10 +28,10 @@ - `root` and `wheel` are not given the ability to set (or preserve) arbitrary environment variables. -- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed. - [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/ +- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed. + - `linuxPackages_testing_bcachefs` is now soft-deprecated by `linuxPackages_testing`. - Please consider changing your NixOS configuration's `boot.kernelPackages` to `linuxPackages_testing` until a stable kernel with bcachefs support is released. From b05648b541f6747ab68a2b245d453ed2f8a5da85 Mon Sep 17 00:00:00 2001 From: nicoo Date: Sun, 22 Oct 2023 18:58:12 +0000 Subject: [PATCH 02/11] nixos/sudo-rs: Simplify activation --- nixos/doc/manual/release-notes/rl-2311.section.md | 2 +- nixos/modules/security/sudo-rs.nix | 6 ++++++ nixos/tests/sudo-rs.nix | 4 ---- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 16ac84aee82a..3e4f2cf69517 100644 
--- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -22,7 +22,7 @@ - [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported. An experimental new module `security.sudo-rs` was added. - Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces + Switching to it (via ` security.sudo-rs.enable = true;`) introduces slight changes in sudo behaviour, due to `sudo-rs`' current limitations: - terminfo-related environment variables aren't preserved for `root` and `wheel`; - `root` and `wheel` are not given the ability to set (or preserve) diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix index 6b8f09a8d3d0..3f872e76df2c 100644 --- a/nixos/modules/security/sudo-rs.nix +++ b/nixos/modules/security/sudo-rs.nix @@ -208,6 +208,12 @@ in ###### implementation config = mkIf cfg.enable { + assertions = [ { + assertion = ! config.security.sudo.enable; + message = "`security.sudo` and `security.sudo-rs` cannot both be enabled"; + }]; + security.sudo.enable = mkDefault false; + security.sudo-rs.extraRules = let defaultRule = { users ? [], groups ? [], opts ? [] }: [ { diff --git a/nixos/tests/sudo-rs.nix b/nixos/tests/sudo-rs.nix index 6006863217b6..59a9280d862a 100644 --- a/nixos/tests/sudo-rs.nix +++ b/nixos/tests/sudo-rs.nix @@ -22,8 +22,6 @@ in test5 = { isNormalUser = true; }; }; - security.sudo.enable = false; - security.sudo-rs = { enable = true; package = pkgs.sudo-rs; @@ -56,8 +54,6 @@ in noadmin = { isNormalUser = true; }; }; - security.sudo.enable = false; - security.sudo-rs = { package = pkgs.sudo-rs; enable = true; From c1b5226cd49c931361a570e25575559d7982b223 Mon Sep 17 00:00:00 2001 From: nicoo Date: Sun, 22 Oct 2023 19:08:06 +0000 Subject: [PATCH 03/11] nixos/release-notes: Document pitfall when switching to sudo-rs --- nixos/doc/manual/release-notes/rl-2311.section.md | 4 ++++ 1 file changed, 4 insertions(+) 
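Review bot: In the `config = mkIf cfg.enable` hunk of nixos/modules/security/sudo-rs.nix (patch 02), nothing explains how the new assertion and `security.sudo.enable = mkDefault false;` work together. As far as the hunk shows, the `mkDefault` lets `security.sudo-rs.enable = true` switch implementations on its own, so the assertion can only fire when a configuration explicitly sets `security.sudo.enable = true`. I would add `# mkDefault: enabling sudo-rs turns security.sudo off unless the user forces it on, which the assertion rejects` above that line, and extend the message to name the option to unset. The two test hunks in nixos/tests/sudo-rs.nix now depend on that default, and no visible test exercises the assertion path. The `config` block continues outside the hunk.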
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 3e4f2cf69517..8c56fe57a7f6 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -28,6 +28,10 @@ - `root` and `wheel` are not given the ability to set (or preserve) arbitrary environment variables. + **Note:** The `sudo-rs` module only takes configuration through `security.sudo-rs`, + and in particular does not automatically use previously-set rules; this could be + achieved with `security.sudo-rs.extraRules = security.sudo.extraRules;` for instance. + [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/ - [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed. From cd42b18a2c16f9bceaa282f693d24c6d5b30d7b8 Mon Sep 17 00:00:00 2001 From: nicoo Date: Sun, 22 Oct 2023 19:19:56 +0000 Subject: [PATCH 04/11] nixos/sudo-rs: uniformize ssh-agent auth behaviour with `security.sudo` --- nixos/modules/security/sudo-rs.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix index 3f872e76df2c..2ef9cae8caf8 100644 --- a/nixos/modules/security/sudo-rs.nix +++ b/nixos/modules/security/sudo-rs.nix @@ -4,13 +4,10 @@ with lib; let - inherit (pkgs) sudo sudo-rs; - cfg = config.security.sudo-rs; - enableSSHAgentAuth = - with config.security; - pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth; + inherit (config.security.pam) enableSSHAgentAuth; + inherit (pkgs) sudo sudo-rs; usingMillersSudo = cfg.package.pname == sudo.pname; usingSudoRs = cfg.package.pname == sudo-rs.pname; From 165b600f01f1d6fc2cde701a50bd033a817912e6 Mon Sep 17 00:00:00 2001 
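Review bot: The new `inherit (config.security.pam) enableSSHAgentAuth;` in nixos/modules/security/sudo-rs.nix (patch 04) drops the per-service half of the old condition without saying so in the code. The flag guards the `Defaults env_keep+=SSH_AUTH_SOCK` stanza seen in later patches of this series, so the agent socket variable is now kept across the privilege boundary whenever the global PAM switch is on, whatever the sudo PAM service is set to. The module sets `sshAgentAuth = true` on that service itself, so this presumably matters only when a configuration overrides the service setting. A comment such as `# env_keep for SSH_AUTH_SOCK follows the global PAM switch only, as in security.sudo` would record the decision. Patch 11 moves the same condition into pam.nix unchanged.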
From: nicoo Date: Sun, 22 Oct 2023 19:22:44 +0000 Subject: [PATCH 05/11] nixos/sudo-rs: Drop checks for sudo implementation --- nixos/modules/security/sudo-rs.nix | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix index 2ef9cae8caf8..dcbbc2da6441 100644 --- a/nixos/modules/security/sudo-rs.nix +++ b/nixos/modules/security/sudo-rs.nix @@ -9,9 +9,6 @@ let inherit (config.security.pam) enableSSHAgentAuth; inherit (pkgs) sudo sudo-rs; - usingMillersSudo = cfg.package.pname == sudo.pname; - usingSudoRs = cfg.package.pname == sudo-rs.pname; - toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; @@ -38,10 +35,7 @@ in defaultOptions = mkOption { type = with types; listOf str; - default = optional usingMillersSudo "SETENV"; - defaultText = literalMD '' - `[ "SETENV" ]` if using the default `sudo` implementation - ''; + default = []; description = mdDoc '' Options used for the default rules, granting `root` and the `wheel` group permission to run any command as any user. @@ -268,18 +262,12 @@ in source = "${cfg.package.out}/bin/sudo"; inherit owner group setuid permissions; }; - # sudo-rs does not yet ship a sudoedit (as of v0.2.0) - sudoedit = mkIf usingMillersSudo { - source = "${cfg.package.out}/bin/sudoedit"; - inherit owner group setuid permissions; - }; }; environment.systemPackages = [ sudo ]; security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; }; - security.pam.services.sudo-i = mkIf usingSudoRs - { sshAgentAuth = true; usshAuth = true; }; + security.pam.services.sudo-i = { sshAgentAuth = true; usshAuth = true; }; environment.etc.sudoers = { source = 
@@ -288,7 +276,7 @@ in src = pkgs.writeText "sudoers-in" cfg.configFile; preferLocalBuild = true; } - "${pkgs.buildPackages."${cfg.package.pname}"}/bin/visudo -f $src -c && cp $src $out"; + "${pkgs.buildPackages.sudo-rs}/bin/visudo -f $src -c && cp $src $out"; mode = "0440"; }; From 9b0a63c2fe2c5a83a6c4b4dcd9172d0968e9da18 Mon Sep 17 00:00:00 2001 From: nicoo Date: Wed, 25 Oct 2023 23:37:14 +0000 Subject: [PATCH 06/11] nixos/sudo-rs: Fix bug putting the wrong version of sudo in `environment.systemPackages` --- nixos/modules/security/sudo-rs.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix index dcbbc2da6441..1351734c1f93 100644 --- a/nixos/modules/security/sudo-rs.nix +++ b/nixos/modules/security/sudo-rs.nix @@ -7,7 +7,7 @@ let cfg = config.security.sudo-rs; inherit (config.security.pam) enableSSHAgentAuth; - inherit (pkgs) sudo sudo-rs; + inherit (pkgs) sudo-rs; toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; @@ -264,7 +264,7 @@ in }; }; - environment.systemPackages = [ sudo ]; + environment.systemPackages = [ cfg.package ]; security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; }; security.pam.services.sudo-i = { sshAgentAuth = true; usshAuth = true; }; From 211c4b0545309a8a95a4026dca49793a61b0719e Mon Sep 17 00:00:00 2001 From: nicoo Date: Wed, 25 Oct 2023 23:39:24 +0000 Subject: [PATCH 07/11] nixos/tests/sudo-rs: cleanup --- nixos/tests/sudo-rs.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/nixos/tests/sudo-rs.nix b/nixos/tests/sudo-rs.nix index 59a9280d862a..753e00686e95 100644 --- a/nixos/tests/sudo-rs.nix +++ b/nixos/tests/sudo-rs.nix @@ -24,7 +24,6 @@ in security.sudo-rs = { enable = true; - package = pkgs.sudo-rs; wheelNeedsPassword = false; extraRules = [ 
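Review bot: In the `environment.etc.sudoers` hunk of nixos/modules/security/sudo-rs.nix (patch 05), the sudoers file is now validated with `${pkgs.buildPackages.sudo-rs}/bin/visudo`, while the setuid wrapper in the previous hunk still takes its binary from `cfg.package`. The `package` option stays settable throughout the series, so an overridden or non-sudo-rs package would have its sudoers checked by one parser and enforced by another. The same patch also drops the `sudoedit` wrapper and makes the `sudo-i` PAM service unconditional on the same assumption. I would state the assumption where it is relied on, for example `# validated with nixpkgs' sudo-rs visudo, not cfg.package: an overridden package does not check this file`, or add an assertion on the package next to the existing one. The `environment.etc.sudoers` definition starts and ends outside the hunk.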
@@ -55,7 +54,6 @@ in }; security.sudo-rs = { - package = pkgs.sudo-rs; enable = true; wheelNeedsPassword = false; execWheelOnly = true; From 03db94319af0d0c9bab329f9db33e62d916127c8 Mon Sep 17 00:00:00 2001 From: nicoo Date: Wed, 25 Oct 2023 22:24:04 +0000 Subject: [PATCH 08/11] nixos/sudo-rs: refactor processing of `cfg.extraRules` --- nixos/modules/security/sudo-rs.nix | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix index 1351734c1f93..1c1cc32fa79e 100644 --- a/nixos/modules/security/sudo-rs.nix +++ b/nixos/modules/security/sudo-rs.nix @@ -7,7 +7,6 @@ let cfg = config.security.sudo-rs; inherit (config.security.pam) enableSSHAgentAuth; - inherit (pkgs) sudo-rs; toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; @@ -236,16 +235,16 @@ in # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. Defaults env_keep+=SSH_AUTH_SOCK '') - (concatStringsSep "\n" ( - lists.flatten ( - map ( - rule: optionals (length rule.commands != 0) [ - (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) - (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) - ] - ) cfg.extraRules - ) - ) + "\n") + (pipe cfg.extraRules [ + (filter (rule: length rule.commands != 0)) + (map (rule: [ + (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) + (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) + ])) + flatten + (concatStringsSep "\n") + ]) + "\n" (optionalString (cfg.extraConfig != "") '' # extraConfig ${cfg.extraConfig} From 46aaa5be70b55a8cf2a8599338e67a841a1d3763 Mon Sep 17 00:00:00 2001 
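Review bot: The `pipe cfg.extraRules` rewrite in nixos/modules/security/sudo-rs.nix (patch 08) still builds the `${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}` suffix twice, once per `map`. Binding it once inside the lambda, `(map (rule: let spec = "${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}"; in [ ... ]))`, keeps the user and group lines from drifting apart when the rule format changes. The filter could also read `rule.commands != []`. Neither suggestion changes behaviour, and the surrounding `configFile` expression continues outside the hunk.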
From: nicoo Date: Thu, 26 Oct 2023 01:16:35 +0000 Subject: [PATCH 09/11] nixos/sudo-rs: Refactor option definitions --- nixos/modules/security/sudo-rs.nix | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix index 1c1cc32fa79e..48fb56a046af 100644 --- a/nixos/modules/security/sudo-rs.nix +++ b/nixos/modules/security/sudo-rs.nix @@ -41,23 +41,11 @@ in ''; }; - enable = mkOption { - type = types.bool; - default = false; - description = mdDoc '' - Whether to enable the {command}`sudo` command, which - allows non-root users to execute commands as root. - ''; - }; + enable = mkEnableOption (mdDoc '' + the {command}`sudo` command, which allows non-root users to execute commands as root. + ''); - package = mkOption { - type = types.package; - default = pkgs.sudo-rs; - defaultText = literalExpression "pkgs.sudo-rs"; - description = mdDoc '' - Which package to use for `sudo`. - ''; - }; + package = mkPackageOption pkgs "sudo-rs" { }; wheelNeedsPassword = mkOption { type = types.bool; From f5d059b1f5f7aae83a3dfc292367961152cce6c4 Mon Sep 17 00:00:00 2001 From: nicoo Date: Thu, 26 Oct 2023 01:18:05 +0000 Subject: [PATCH 10/11] nixos/sudo-rs: Clarify `security.sudo-rs.enable`'s description --- nixos/modules/security/sudo-rs.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix index 48fb56a046af..0c97b9e1d79a 100644 --- a/nixos/modules/security/sudo-rs.nix +++ b/nixos/modules/security/sudo-rs.nix @@ -42,7 +42,8 @@ in }; enable = mkEnableOption (mdDoc '' - the {command}`sudo` command, which allows non-root users to execute commands as root. + a memory-safe implementation of the {command}`sudo` command, + which allows non-root users to execute commands as root. ''); package = mkPackageOption pkgs "sudo-rs" { }; From bcc2d1238a1c97347518812f224921d29aa3b3f8 Mon Sep 17 00:00:00 2001 
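Review bot: The text passed to `mkEnableOption` in nixos/modules/security/sudo-rs.nix (patch 09, reworded in patch 10) is a multi-line `''` string that already ends in a period and a newline. `mkEnableOption` wraps its argument as "Whether to enable ….", so the rendered description would presumably end with a stray second period on a line of its own. Passing a single-line string without the trailing period avoids that. The options block starts and ends outside both hunks.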
From: nicoo Date: Mon, 4 Sep 2023 21:06:12 +0000 Subject: [PATCH 11/11] nixos/sudo-rs: Move support for `pam_ssh_agent_auth(8)` to PAM's NixOS module Similar to delroth's suggestion in #262790. --- nixos/modules/security/pam.nix | 13 ++++++++----- nixos/modules/security/sudo-rs.nix | 4 ---- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index b7e1ea526535..c99615d5a636 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -943,6 +943,11 @@ let value.source = pkgs.writeText "${name}.pam" service.text; }; + optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth '' + # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. + Defaults env_keep+=SSH_AUTH_SOCK + ''; + in { @@ -1532,9 +1537,7 @@ in concatLines ]); - security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth '' - # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. - Defaults env_keep+=SSH_AUTH_SOCK - ''; - }; + security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth; + security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth; + }; } diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix index 0c97b9e1d79a..f991675827ef 100644 --- a/nixos/modules/security/sudo-rs.nix +++ b/nixos/modules/security/sudo-rs.nix @@ -220,10 +220,6 @@ in # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’ # or ‘security.sudo-rs.extraRules’ instead. '' - (optionalString enableSSHAgentAuth '' - # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. - Defaults env_keep+=SSH_AUTH_SOCK - '') (pipe cfg.extraRules [ (filter (rule: length rule.commands != 0)) (map (rule: [