author | Alyssa Ross <hi@alyssa.is> | 2021-06-22 15:01:47 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2021-06-22 16:57:59 +0000 |
commit | 633cab0ecb07627706c6b523e219490f019eaab5 (patch) | |
tree | 4fb472bdfe2723037dad53dc1b8a87c939015f5e /nixpkgs/nixos/modules/security/sudo.nix | |
parent | ffb691c199e7e0cbc4e45e5310779c9e3f7c2a73 (diff) | |
parent | 432fc2d9a67f92e05438dff5fdc2b39d33f77997 (diff) | |
Merge commit '432fc2d9a67f92e05438dff5fdc2b39d33f77997'
# Conflicts: # nixpkgs/pkgs/applications/editors/emacs/elisp-packages/elpa-generated.nix # nixpkgs/pkgs/applications/networking/mailreaders/thunderbird/default.nix # nixpkgs/pkgs/applications/window-managers/sway/default.nix # nixpkgs/pkgs/build-support/rust/default.nix # nixpkgs/pkgs/development/go-modules/generic/default.nix
Diffstat (limited to 'nixpkgs/nixos/modules/security/sudo.nix')
-rw-r--r-- | nixpkgs/nixos/modules/security/sudo.nix | 28 |
1 files changed, 25 insertions, 3 deletions
diff --git a/nixpkgs/nixos/modules/security/sudo.nix b/nixpkgs/nixos/modules/security/sudo.nix
index cc3ff3d11b91..2e73f8f4f311 100644
--- a/nixpkgs/nixos/modules/security/sudo.nix
+++ b/nixpkgs/nixos/modules/security/sudo.nix
@@ -61,6 +61,17 @@ in
       '';
     };
 
+    security.sudo.execWheelOnly = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Only allow members of the <code>wheel</code> group to execute sudo by
+        setting the executable's permissions accordingly.
+        This prevents users that are not members of <code>wheel</code> from
+        exploiting vulnerabilities in sudo such as CVE-2021-3156.
+      '';
+    };
+
     security.sudo.configFile = mkOption {
       type = types.lines;
       # Note: if syntax errors are detected in this file, the NixOS
@@ -216,9 +227,20 @@ in
       ${cfg.extraConfig}
     '';
 
-    security.wrappers = {
-      sudo.source = "${cfg.package.out}/bin/sudo";
-      sudoedit.source = "${cfg.package.out}/bin/sudoedit";
+    security.wrappers = let
+      owner = "root";
+      group = if cfg.execWheelOnly then "wheel" else "root";
+      setuid = true;
+      permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
+    in {
+      sudo = {
+        source = "${cfg.package.out}/bin/sudo";
+        inherit owner group setuid permissions;
+      };
+      sudoedit = {
+        source = "${cfg.package.out}/bin/sudoedit";
+        inherit owner group setuid permissions;
+      };
     };
 
     environment.systemPackages = [ sudo ];
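Review bot: The `execWheelOnly` description in the first hunk does not state the operational side effect of the mode: because the wrappers become root:wheel with mode `u+rx,g+x` (second hunk), a user who is not in `wheel` can no longer execute sudo or sudoedit at all, so sudoers rules granted to such users — for example through `security.sudo.extraConfig`, whose `${cfg.extraConfig}` interpolation is the context line just above the wrappers — stop working with an exec permission error rather than a sudoers denial. A sentence such as `Note that this also makes sudo unusable for users outside of <code>wheel</code>, even if sudoers rules (for example via <option>security.sudo.extraConfig</option>) would otherwise grant them access.` would make that trade-off visible to administrators enabling the option. It would also help to phrase the CVE-2021-3156 sentence as defence in depth: restricting who may invoke the setuid wrapper reduces exposure to local users who hold no sudo rights, but is not a substitute for running a patched sudo package. The enclosing `options` and `config` attribute sets both begin and end outside these two hunks.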