Diffstat (limited to 'nixpkgs/nixos/modules/security')
-rw-r--r-- | nixpkgs/nixos/modules/security/lock-kernel-modules.nix | 4 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/security/pam.nix | 13 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/security/please.nix | 9 | ||||
-rw-r--r-- | nixpkgs/nixos/modules/security/sudo-rs.nix | 77 |
4 files changed, 37 insertions, 66 deletions
diff --git a/nixpkgs/nixos/modules/security/lock-kernel-modules.nix b/nixpkgs/nixos/modules/security/lock-kernel-modules.nix
index 333b64801426..461b9ffe7ee0 100644
--- a/nixpkgs/nixos/modules/security/lock-kernel-modules.nix
+++ b/nixpkgs/nixos/modules/security/lock-kernel-modules.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }:
 with lib;
@@ -49,7 +49,7 @@ with lib;
       };
       script = ''
-        ${pkgs.udev}/bin/udevadm settle
+        ${config.systemd.package}/bin/udevadm settle
         echo -n 1 >/proc/sys/kernel/modules_disabled
       '';
     };
diff --git a/nixpkgs/nixos/modules/security/pam.nix b/nixpkgs/nixos/modules/security/pam.nix
index b7e1ea526535..c99615d5a636 100644
--- a/nixpkgs/nixos/modules/security/pam.nix
+++ b/nixpkgs/nixos/modules/security/pam.nix
@@ -943,6 +943,11 @@ let
         value.source = pkgs.writeText "${name}.pam" service.text;
       };
+  optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth ''
+    # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+    Defaults env_keep+=SSH_AUTH_SOCK
+  '';
+
 in
 {
@@ -1532,9 +1537,7 @@ in
       concatLines
     ]);
-    security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''
-      # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
-      Defaults env_keep+=SSH_AUTH_SOCK
-    '';
-  };
+    security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;
+    security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth;
+  };
 }
diff --git a/nixpkgs/nixos/modules/security/please.nix b/nixpkgs/nixos/modules/security/please.nix
index 88bb9cba2bfc..ff4bfc9f1be1 100644
--- a/nixpkgs/nixos/modules/security/please.nix
+++ b/nixpkgs/nixos/modules/security/please.nix
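Review bot: The shared `optionalSudoConfigForSSHAgentAuth` string now reaches both sudoers files whenever `security.pam.enableSSHAgentAuth` is set, without the extra `pam.sudo.sshAgentAuth` gate the old sudo-rs module applied; that is equivalent only as long as sudo-rs.nix keeps forcing `security.pam.services.sudo.sshAgentAuth = true`, which the later hunk in this diff does. The comment on the added lines still says "can do its magic"; a reader tuning `env_keep` would rather see why the entry is needed, e.g. `# pam_ssh_agent_auth.so must reach the invoking user's agent; sudo's default env_reset would otherwise drop SSH_AUTH_SOCK. Consumed by both security.sudo and security.sudo-rs.` The enclosing `let` block and the `config` attrset both extend outside these hunks.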
@@ -13,14 +13,7 @@ in
         file as another user
       '');
-    package = mkOption {
-      type = types.package;
-      default = pkgs.please;
-      defaultText = literalExpression "pkgs.please";
-      description = mdDoc ''
-        Which package to use for {command}`please`.
-      '';
-    };
+    package = mkPackageOption pkgs "please" { };
     wheelNeedsPassword = mkOption {
       type = types.bool;
diff --git a/nixpkgs/nixos/modules/security/sudo-rs.nix b/nixpkgs/nixos/modules/security/sudo-rs.nix
index 6b8f09a8d3d0..f991675827ef 100644
--- a/nixpkgs/nixos/modules/security/sudo-rs.nix
+++ b/nixpkgs/nixos/modules/security/sudo-rs.nix
@@ -4,16 +4,9 @@
 with lib;
 let
-  inherit (pkgs) sudo sudo-rs;
-
   cfg = config.security.sudo-rs;
-  enableSSHAgentAuth =
-    with config.security;
-    pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
-
-  usingMillersSudo = cfg.package.pname == sudo.pname;
-  usingSudoRs = cfg.package.pname == sudo-rs.pname;
+  inherit (config.security.pam) enableSSHAgentAuth;
   toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
   toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
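Review bot: `inherit (config.security.pam) enableSSHAgentAuth;` looks dead after this change: the only consumer visible in the diff, the `optionalString enableSSHAgentAuth` block in the sudoers template, is removed in a later hunk and its job moves to pam.nix. If no other reference survives in the parts of sudo-rs.nix outside these hunks, drop the binding rather than keep a name that suggests the module still decides on SSH agent auth itself. The `let` block continues past the hunk.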
@@ -41,33 +34,19 @@ in
     defaultOptions = mkOption {
       type = with types; listOf str;
-      default = optional usingMillersSudo "SETENV";
-      defaultText = literalMD ''
-        `[ "SETENV" ]` if using the default `sudo` implementation
-      '';
+      default = [];
       description = mdDoc ''
         Options used for the default rules, granting `root` and the
         `wheel` group permission to run any command as any user.
       '';
     };
-    enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = mdDoc ''
-        Whether to enable the {command}`sudo` command, which
-        allows non-root users to execute commands as root.
-      '';
-    };
+    enable = mkEnableOption (mdDoc ''
+      a memory-safe implementation of the {command}`sudo` command,
+      which allows non-root users to execute commands as root.
+    '');
-    package = mkOption {
-      type = types.package;
-      default = pkgs.sudo-rs;
-      defaultText = literalExpression "pkgs.sudo-rs";
-      description = mdDoc ''
-        Which package to use for `sudo`.
-      '';
-    };
+    package = mkPackageOption pkgs "sudo-rs" { };
     wheelNeedsPassword = mkOption {
       type = types.bool;
@@ -208,6 +187,12 @@ in
   ###### implementation
   config = mkIf cfg.enable {
+    assertions = [ {
+      assertion = ! config.security.sudo.enable;
+      message = "`security.sudo` and `security.sudo-rs` cannot both be enabled";
+    }];
+    security.sudo.enable = mkDefault false;
+
     security.sudo-rs.extraRules =
       let
         defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
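Review bot: `security.sudo.enable = mkDefault false;` in the `@@ -208` hunk carries no explanation, and the assertion two lines above it is the only hint why it is there. Both modules install a `sudo` setuid wrapper and `/etc/sudoers`, so the assertion is the right guard, and the default is presumably needed because the stock sudo module enables itself unless told otherwise; a comment should say so: `# security.sudo is on by default; switch it off so enabling sudo-rs alone does not trip the assertion, while an explicit security.sudo.enable = true still fails loudly.` The `config` attrset continues outside the hunk.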
@@ -235,20 +220,16 @@ in
         # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’
         # or ‘security.sudo-rs.extraRules’ instead.
       ''
-      (optionalString enableSSHAgentAuth ''
-        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
-        Defaults env_keep+=SSH_AUTH_SOCK
-      '')
-      (concatStringsSep "\n" (
-        lists.flatten (
-          map (
-            rule: optionals (length rule.commands != 0) [
-              (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
-              (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
-            ]
-          ) cfg.extraRules
-        )
-      ) + "\n")
+      (pipe cfg.extraRules [
+        (filter (rule: length rule.commands != 0))
+        (map (rule: [
+          (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
+          (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
+        ]))
+        flatten
+        (concatStringsSep "\n")
+      ]) + "\n"
       (optionalString (cfg.extraConfig != "") ''
         # extraConfig
         ${cfg.extraConfig}
@@ -265,18 +246,12 @@ in
         source = "${cfg.package.out}/bin/sudo";
         inherit owner group setuid permissions;
       };
-      # sudo-rs does not yet ship a sudoedit (as of v0.2.0)
-      sudoedit = mkIf usingMillersSudo {
-        source = "${cfg.package.out}/bin/sudoedit";
-        inherit owner group setuid permissions;
-      };
     };
-    environment.systemPackages = [ sudo ];
+    environment.systemPackages = [ cfg.package ];
     security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
-    security.pam.services.sudo-i = mkIf usingSudoRs
-      { sshAgentAuth = true; usshAuth = true; };
+    security.pam.services.sudo-i = { sshAgentAuth = true; usshAuth = true; };
     environment.etc.sudoers = {
       source =
@@ -285,7 +260,7 @@ in
             src = pkgs.writeText "sudoers-in" cfg.configFile;
             preferLocalBuild = true;
           }
-          "${pkgs.buildPackages.sudo-rs}/bin/visudo -f $src -c && cp $src $out";
+          "${pkgs.buildPackages.sudo-rs}/bin/visudo -f $src -c && cp $src $out";
      mode = "0440";
    };
|
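Review bot: The syntax check now always runs the `visudo` from `pkgs.buildPackages.sudo-rs`, while the binary that will actually parse the file at runtime comes from `cfg.package`; a user who overrides `security.sudo-rs.package` gets their sudoers validated by a possibly different parser version. `visudo -c` is the only gate before the file is installed at mode `0440`, so a mismatch can accept a file the runtime parser later rejects (or the reverse), which for a sudoers file means a lockout or unexpected rule handling rather than a build failure. If `buildPackages` is only there for cross builds, consider validating with `cfg.package` when it is usable on the build host, or at least record the assumption: `# Validated with the default sudo-rs; keep cfg.package on a compatible version so both parsers agree.` The enclosing `environment.etc.sudoers` definition starts outside this hunk.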