Diffstat (limited to 'nixpkgs/nixos/modules/security/sudo.nix')
-rw-r--r-- | nixpkgs/nixos/modules/security/sudo.nix | 48 |
1 files changed, 24 insertions, 24 deletions
diff --git a/nixpkgs/nixos/modules/security/sudo.nix b/nixpkgs/nixos/modules/security/sudo.nix
index 99e578f8adae..faa99a31a6d6 100644
--- a/nixpkgs/nixos/modules/security/sudo.nix
+++ b/nixpkgs/nixos/modules/security/sudo.nix
@@ -36,8 +36,8 @@ in
 type = types.bool;
 default = true;
 description =
- ''
- Whether to enable the <command>sudo</command> command, which
+ lib.mdDoc ''
+ Whether to enable the {command}`sudo` command, which
 allows non-root users to execute commands as root.
 '';
 };
@@ -55,19 +55,19 @@ in
 type = types.bool;
 default = true;
 description =
- ''
- Whether users of the <code>wheel</code> group must
- provide a password to run commands as super user via <command>sudo</command>.
+ lib.mdDoc ''
+ Whether users of the `wheel` group must
+ provide a password to run commands as super user via {command}`sudo`.
 '';
 };
 security.sudo.execWheelOnly = mkOption {
 type = types.bool;
 default = false;
- description = ''
- Only allow members of the <code>wheel</code> group to execute sudo by
+ description = lib.mdDoc ''
+ Only allow members of the `wheel` group to execute sudo by
 setting the executable's permissions accordingly.
- This prevents users that are not members of <code>wheel</code> from
+ This prevents users that are not members of `wheel` from
 exploiting vulnerabilities in sudo such as CVE-2021-3156.
 '';
 };
@@ -77,15 +77,15 @@ in
 # Note: if syntax errors are detected in this file, the NixOS
 # configuration will fail to build.
 description =
- ''
+ lib.mdDoc ''
 This string contains the contents of the
- <filename>sudoers</filename> file.
+ {file}`sudoers` file.
 '';
 };
 security.sudo.extraRules = mkOption {
- description = ''
- Define specific rules to be in the <filename>sudoers</filename> file.
+ description = lib.mdDoc ''
+ Define specific rules to be in the {file}`sudoers` file.
 More specific rules should come after more general ones in order to yield the expected behavior. You can use mkBefore/mkAfter to ensure this is the case when configuration options are merged.
@@ -114,7 +114,7 @@ in
 options = {
 users = mkOption {
 type = with types; listOf (either str int);
- description = ''
+ description = lib.mdDoc ''
 The usernames / UIDs this rule should apply for.
 '';
 default = [];
@@ -122,7 +122,7 @@ in
 groups = mkOption {
 type = with types; listOf (either str int);
- description = ''
+ description = lib.mdDoc ''
 The groups / GIDs this rule should apply for.
 '';
 default = [];
@@ -131,7 +131,7 @@ in
 host = mkOption {
 type = types.str;
 default = "ALL";
- description = ''
+ description = lib.mdDoc ''
 For what host this rule should apply.
 '';
 };
@@ -139,17 +139,17 @@ in
 runAs = mkOption {
 type = with types; str;
 default = "ALL:ALL";
- description = ''
+ description = lib.mdDoc ''
 Under which user/group the specified command is allowed to run.
- A user can be specified using just the username: <code>"foo"</code>.
- It is also possible to specify a user/group combination using <code>"foo:bar"</code>
- or to only allow running as a specific group with <code>":bar"</code>.
+ A user can be specified using just the username: `"foo"`.
+ It is also possible to specify a user/group combination using `"foo:bar"`
+ or to only allow running as a specific group with `":bar"`.
 '';
 };
 commands = mkOption {
- description = ''
+ description = lib.mdDoc ''
 The commands for which the rule should apply.
 '';
 type = with types; listOf (either str (submodule {
@@ -159,7 +159,7 @@ in
 type = with types; str;
 description = ''
 A command being either just a path to a binary to allow any arguments,
- the full command with arguments pre-set or with <code>""</code> used as the argument,
+ the full command with arguments pre-set or with <literal>""</literal> used as the argument,
 not allowing arguments to the command at all.
 '';
 };
@@ -182,8 +182,8 @@ in
 security.sudo.extraConfig = mkOption {
 type = types.lines;
 default = "";
- description = ''
- Extra configuration text appended to <filename>sudoers</filename>.
+ description = lib.mdDoc ''
+ Extra configuration text appended to {file}`sudoers`.
 '';
 };
 };
@@ -245,7 +245,7 @@ in
 environment.systemPackages = [ sudo ];
- security.pam.services.sudo = { sshAgentAuth = true; };
+ security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
 environment.etc.sudoers = { source = |
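Review bot: The last hunk sets `usshAuth = true` on `security.pam.services.sudo` unconditionally, next to `sshAgentAuth`, and nothing on the line says what gates it. As far as I know the flag is inert until `security.pam.ussh.enable` is set, but from then on a certificate held in the caller's SSH agent is accepted by sudo's PAM stack, so any host with agent forwarding in use extends trust for root escalation to whoever can reach that agent socket. I would add a comment such as `# sshAgentAuth/usshAuth only take effect when security.pam.enableSSHAgentAuth / security.pam.ussh.enable are set`, and consider a `security.sudo` option so operators can keep agent-based authentication for login services without also granting it to sudo. This is the only behavioural change in a diff that otherwise converts descriptions to `lib.mdDoc`, so it deserves its own mention in the commit message; the enclosing `config` block starts and ends outside the hunk.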