path: root/nixos/modules/security/sudo.nix
authorEelco Dolstra <eelco.dolstra@logicblox.com>2013-10-10 13:28:20 +0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2013-10-10 13:28:20 +0200
commit5c1f8cbc70cd5e6867ef6a2a06d27a40daa07010 (patch)
treea6c0f605be6de3f372ae69905b331f9f75452da7 /nixos/modules/security/sudo.nix
parent6070bc016bd2fd945b04347e25cfd3738622d2ac (diff)
Move all of NixOS to nixos/ in preparation for the repository merge
Diffstat (limited to 'nixos/modules/security/sudo.nix')
-rw-r--r--nixos/modules/security/sudo.nix90
1 files changed, 90 insertions, 0 deletions
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
new file mode 100644
index 000000000000..cd548f4a4fe0
--- /dev/null
+++ b/nixos/modules/security/sudo.nix
@@ -0,0 +1,90 @@
+{pkgs, config, ...}:
+
+with pkgs.lib;
+
+let
+
+  cfg = config.security.sudo;
+
+  inherit (pkgs) sudo;
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    security.sudo.enable = mkOption {
+      default = true;
+      description =
+        ''
+          Whether to enable the <command>sudo</command> command, which
+          allows non-root users to execute commands as root.
+        '';
+    };
+
+    security.sudo.wheelNeedsPassword = mkOption {
+      default = true;
+      description =
+        ''
+          Whether users of the <code>wheel</code> group can execute
+          commands as super user without entering a password.
+        '';
+      };
+
+    security.sudo.configFile = mkOption {
+      # Note: if syntax errors are detected in this file, the NixOS
+      # configuration will fail to build.
+      description =
+        ''
+          This string contains the contents of the
+          <filename>sudoers</filename> file.
+        '';
+    };
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    security.sudo.configFile =
+      ''
+        # Don't edit this file. Set the NixOS option ‘security.sudo.configFile’ instead.
+
+        # Environment variables to keep for root and %wheel.
+        Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE
+        Defaults:root,%wheel env_keep+=NIX_CONF_DIR
+        Defaults:root,%wheel env_keep+=NIX_PATH
+        Defaults:root,%wheel env_keep+=TERMINFO_DIRS
+
+        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+        Defaults env_keep+=SSH_AUTH_SOCK
+
+        # "root" is allowed to do anything.
+        root        ALL=(ALL) SETENV: ALL
+
+        # Users in the "wheel" group can do anything.
+        %wheel      ALL=(ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
+      '';
+
+    security.setuidPrograms = [ "sudo" "sudoedit" ];
+
+    environment.systemPackages = [ sudo ];
+
+    security.pam.services = [ { name = "sudo"; sshAgentAuth = true; } ];
+
+    environment.etc = singleton
+      { source = pkgs.writeText "sudoers-in" cfg.configFile;
+          # Make sure that the sudoers file is syntactically valid.
+          # (currently disabled - NIXOS-66)
+          #"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
+        target = "sudoers";
+        mode = "0440";
+      };
+
+  };
+
+}
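Review bot: The description of `security.sudo.wheelNeedsPassword` states the inverse of what the option does: with the default `true`, the `%wheel` rule in `configFile` omits `NOPASSWD`, so a password is required, yet the text says wheel users "can execute commands as super user without entering a password". Since this option decides whether group membership alone grants unauthenticated root, the wording should match the implementation, e.g. `Whether users of the <code>wheel</code> group must enter a password to execute commands as super user.` The comment on `security.sudo.configFile` ("if syntax errors are detected in this file, the NixOS configuration will fail to build") is likewise out of date, because the `visudo -c` check that would enforce it is commented out further down (NIXOS-66); a malformed sudoers file would instead be installed as-is and only fail at runtime, when it causes sudo to refuse all invocations. I would either reword that comment to say the check is currently disabled or move the `# (currently disabled - NIXOS-66)` remark up next to it so readers do not rely on a build-time guard that is not there.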