authorCole Helbling <cole.e.helbling@outlook.com>2020-05-10 21:49:52 -0700
committerCole Helbling <cole.e.helbling@outlook.com>2020-06-17 17:48:51 -0700
commit13e2c75c932adac6a198e35b04e2cb9a1eaf86cf (patch)
tree55a6e1c81bc2b815d0b41371a7108f7b8add6d37
parent02ff18c7963071d19d76bc4d52fc92d8827a1720 (diff)
nixos/sudo: default rule should be first
In /etc/sudoers, the last-matched rule will override all
previously-matched rules. Thus, make the default rule show up first (but
still allow some wiggle room for a user to `mkBefore` it), before any
user-defined rules.
-rw-r--r--nixos/modules/security/sudo.nix4
1 files changed, 3 insertions, 1 deletions
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index e3e43177def3..1ed5269c5ae7 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -173,7 +173,9 @@ in
 
   config = mkIf cfg.enable {
 
-    security.sudo.extraRules = [
+    # We `mkOrder 600` so that the default rule shows up first, but there is
+    # still enough room for a user to `mkBefore` it.
+    security.sudo.extraRules = mkOrder 600 [
       { groups = [ "wheel" ];
         commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
       }
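Review bot: The comment added above `security.sudo.extraRules = mkOrder 600 [` says where the default rule lands but not the consequence of that position. Because sudoers applies the last matching rule, a rule a user places ahead of it with `mkBefore` is overridden for wheel members by this `ALL` entry. That includes the `NOPASSWD` option when `cfg.wheelNeedsPassword` is false, so a stricter per-command rule ordered before it would silently have no effect for those users. I would extend the comment with something like `# sudoers is last-match-wins: rules ordered after this one override it,` `# while rules placed before it (mkBefore) are overridden for wheel members.` The enclosing `config = mkIf cfg.enable {` block continues outside the hunk, so I can't tell whether the `extraRules` option description already documents this ordering.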