From f297ddb5c97b23756c2a0685536edffeb20720c4 Mon Sep 17 00:00:00 2001 From: Leon Schuermann Date: Wed, 17 Jan 2018 21:56:08 +0700 Subject: sudo: define extra rules in Nix language (#33905) --- nixos/modules/security/sudo.nix | 129 +++++++++++++++++++++++++++++++++++++++- nixos/release.nix | 1 + nixos/tests/misc.nix | 5 -- nixos/tests/sudo.nix | 93 +++++++++++++++++++++++++++++ 4 files changed, 220 insertions(+), 8 deletions(-) create mode 100644 nixos/tests/sudo.nix diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index cfd0595e63b7..a57f14bb5ae1 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -8,6 +8,22 @@ let inherit (pkgs) sudo; + toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; + toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; + + toCommandOptionsString = options: + "${concatStringsSep ":" options}${optionalString (length options != 0) ":"} "; + + toCommandsString = commands: + concatStringsSep ", " ( + map (command: + if (isString command) then + command + else + "${toCommandOptionsString command.options}${command.command}" + ) commands + ); + in { @@ -47,6 +63,97 @@ in ''; }; + security.sudo.extraRules = mkOption { + description = '' + Define specific rules to be in the sudoers file. + ''; + default = []; + example = [ + # Allow execution of any command by all users in group sudo, + # requiring a password. + { groups = [ "sudo" ]; commands = [ "ALL" ]; } + + # Allow execution of "/home/root/secret.sh" by user `backup`, `database` + # and the group with GID `1006` without a password. + { users = [ "backup" ]; groups = [ 1006 ]; + commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; } + + # Allow all users of group `bar` to run two executables as user `foo` + # with arguments being pre-set. + { groups = [ "bar" ]; runAs = "foo"; + commands = + [ "/home/baz/cmd1.sh hello-sudo" + { command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; } + ]; + type = with types; listOf (submodule { + options = { + users = mkOption { + type = with types; listOf (either string int); + description = '' + The usernames / UIDs this rule should apply for. + ''; + default = []; + }; + + groups = mkOption { + type = with types; listOf (either string int); + description = '' + The groups / GIDs this rule should apply for. + ''; + default = []; + }; + + host = mkOption { + type = types.string; + default = "ALL"; + description = '' + For what host this rule should apply. + ''; + }; + + runAs = mkOption { + type = with types; string; + default = "ALL:ALL"; + description = '' + Under which user/group the specified command is allowed to run. + + A user can be specified using just the username: "foo". + It is also possible to specify a user/group combination using "foo:bar" + or to only allow running as a specific group with ":bar". + ''; + }; + + commands = mkOption { + description = '' + The commands for which the rule should apply. + ''; + type = with types; listOf (either string (submodule { + + options = { + command = mkOption { + type = with types; string; + description = '' + A command being either just a path to a binary to allow any arguments, + the full command with arguments pre-set or with "" used as the argument, + not allowing arguments to the command at all. + ''; + }; + + options = mkOption { + type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]); + description = '' + Options for running the command. Refer to the sudo manual. + ''; + default = []; + }; + }; + + })); + }; + }; + }); + }; + security.sudo.extraConfig = mkOption { type = types.lines; default = ""; @@ -61,10 +168,16 @@ in config = mkIf cfg.enable { + security.sudo.extraRules = [ + { groups = [ "wheel" ]; + commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ]; + } + ]; + security.sudo.configFile = '' # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’ - # or ‘security.sudo.extraConfig’ instead. + # or ‘security.sudo.extraRules’ instead. # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. Defaults env_keep+=SSH_AUTH_SOCK @@ -72,8 +185,18 @@ in # "root" is allowed to do anything. root ALL=(ALL:ALL) SETENV: ALL - # Users in the "wheel" group can do anything. - %wheel ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL + # extraRules + ${concatStringsSep "\n" ( + lists.flatten ( + map ( + rule: if (length rule.commands != 0) then [ + (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) + (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) + ] else [] + ) cfg.extraRules + ) + )} + ${cfg.extraConfig} ''; diff --git a/nixos/release.nix b/nixos/release.nix index 39c550b62774..e69a7f6d6f89 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -337,6 +337,7 @@ in rec { tests.smokeping = callTest tests/smokeping.nix {}; tests.snapper = callTest tests/snapper.nix {}; tests.statsd = callTest tests/statsd.nix {}; + tests.sudo = callTest tests/sudo.nix {}; tests.switchTest = callTest tests/switch-test.nix {}; tests.taskserver = callTest tests/taskserver.nix {}; tests.tomcat = callTest tests/tomcat.nix {}; diff --git a/nixos/tests/misc.nix b/nixos/tests/misc.nix index 79290861cb0b..6de17518214c 100644 --- a/nixos/tests/misc.nix +++ b/nixos/tests/misc.nix @@ -115,11 +115,6 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->succeed("nix-store -qR /run/current-system | grep nixos-"); }; - # Test sudo - subtest "sudo", sub { - $machine->succeed("su - sybil -c 'sudo true'"); - }; - # Test sysctl subtest "sysctl", sub { $machine->waitForUnit("systemd-sysctl.service"); diff --git a/nixos/tests/sudo.nix b/nixos/tests/sudo.nix new file mode 100644 index 000000000000..35addb0ee805 --- /dev/null +++ b/nixos/tests/sudo.nix @@ -0,0 +1,93 @@ +# Some tests to ensure sudo is working properly. + +let + password = "helloworld"; + +in + import ./make-test.nix ({ pkgs, ...} : { + name = "sudo"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ lschuermann ]; + }; + + machine = + { config, lib, pkgs, ... }: + with lib; + { + users.extraGroups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; }; + users.users = { + test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; }; + test1 = { isNormalUser = true; password = password; }; + test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; }; + test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; }; + test4 = { isNormalUser = true; extraGroups = [ "baz" ]; }; + test5 = { isNormalUser = true; }; + }; + + security.sudo = { + enable = true; + wheelNeedsPassword = false; + + extraRules = [ + # SUDOERS SYNTAX CHECK (Test whether the module produces a valid output; + # errors being detected by the visudo checks. + + # These should not create any entries + { users = [ "notest1" ]; commands = [ ]; } + { commands = [ { command = "ALL"; options = [ ]; } ]; } + + # Test defining commands with the options syntax, though not setting any options + { users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; } + + + # CONFIGURATION FOR TEST CASES + { users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; } + { groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; } + { users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; } + ]; + }; + }; + + testScript = + '' + subtest "users in wheel group should have passwordless sudo", sub { + $machine->succeed("su - test0 -c \"sudo -u root true\""); + }; + + subtest "test1 user should have sudo with password", sub { + $machine->succeed("su - test1 -c \"echo ${password} | sudo -S -u root true\""); + }; + + subtest "test1 user should not be able to use sudo without password", sub { + $machine->fail("su - test1 -c \"sudo -n -u root true\""); + }; + + subtest "users in group 'foobar' should be able to use sudo with password", sub { + $machine->succeed("sudo -u test2 echo ${password} | sudo -S -u root true"); + }; + + subtest "users in group 'barfoo' should be able to use sudo without password", sub { + $machine->succeed("sudo -u test3 sudo -n -u root true"); + }; + + subtest "users in group 'baz' (GID 1337) should be able to use sudo without password", sub { + $machine->succeed("sudo -u test4 sudo -n -u root echo true"); + }; + + subtest "test5 user should be able to run commands under test1", sub { + $machine->succeed("sudo -u test5 sudo -n -u test1 true"); + }; + + subtest "test5 user should not be able to run commands under root", sub { + $machine->fail("sudo -u test5 sudo -n -u root true"); + }; + + subtest "test5 user should be able to keep his environment", sub { + $machine->succeed("sudo -u test5 sudo -n -E -u test1 true"); + }; + + subtest "users in group 'barfoo' should not be able to keep their environment", sub { + $machine->fail("sudo -u test3 sudo -n -E -u root true"); + }; + ''; + }) -- cgit 1.4.1