author | Cole Helbling <cole.e.helbling@outlook.com> | 2020-05-10 21:49:52 -0700 |
---|---|---|
committer | Cole Helbling <cole.e.helbling@outlook.com> | 2020-06-17 17:48:51 -0700 |
commit | 13e2c75c932adac6a198e35b04e2cb9a1eaf86cf (patch) | |
tree | 55a6e1c81bc2b815d0b41371a7108f7b8add6d37 | |
parent | 02ff18c7963071d19d76bc4d52fc92d8827a1720 (diff) | |
nixos/sudo: default rule should be first
In /etc/sudoers, the last-matched rule will override all previously-matched rules. Thus, make the default rule show up first (but still allow some wiggle room for a user to `mkBefore` it), before any user-defined rules.
-rw-r--r-- | nixos/modules/security/sudo.nix | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index e3e43177def3..1ed5269c5ae7 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -173,7 +173,9 @@ in config = mkIf cfg.enable { - security.sudo.extraRules = [ + # We `mkOrder 600` so that the default rule shows up first, but there is + # still enough room for a user to `mkBefore` it. + security.sudo.extraRules = mkOrder 600 [ { groups = [ "wheel" ]; commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ]; } |
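Review bot: The comment added above `security.sudo.extraRules = mkOrder 600 [` says where the default rule lands but not why its position matters; the reason (in /etc/sudoers the last-matched rule overrides all previously-matched rules) appears only in the commit message. Suggest putting that sentence in the comment, and noting that a rule a user places with `mkBefore` is emitted ahead of the wheel rule and so is overridden by it for wheel members wherever both match. Because this rule carries the `wheelNeedsPassword` choice between `[ "SETENV" ]` and `[ "NOPASSWD" "SETENV" ]`, placing it first means user-defined rules that follow it can decide password prompting for wheel members on the commands they match, which is worth a release note for existing configurations.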