sudo: add assertion; avoid silent errors
MarcelCoding committed Sep 22, 2024
1 parent 38bc5bc commit 23f4bc2
Showing 1 changed file with 17 additions and 0 deletions.
17 changes: 17 additions & 0 deletions modules/common/sudo.nix
@@ -1,3 +1,6 @@
{ config, ... }:

# https://github.com/nix-community/srvos/blob/main/nixos/common/sudo.nix
{
security.sudo = {
# Only allow members of the wheel group to execute sudo by setting the executable’s permissions accordingly. This prevents users that are not members of wheel from exploiting vulnerabilities in sudo such as CVE-2021-3156.
Expand All @@ -7,4 +10,18 @@
Defaults lecture = never
'';
};

assertions =
let
validUsers = users: users == [ ] || users == [ "root" ];
validGroups = groups: groups == [ ] || groups == [ "wheel" ];
validUserGroups = builtins.all
(r: validUsers (r.users or [ ]) && validGroups (r.groups or [ ]))
config.security.sudo.extraRules;
in
[{
assertion = config.security.sudo.execWheelOnly -> validUserGroups;
message = "Some definitions in `security.sudo.extraRules` refer to users other than 'root' or groups other than 'wheel'. Disable `config.security.sudo.execWheelOnly`, or adjust the rules.";
}];
}
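Review bot: The new check rejects any `extraRules` entry naming a user other than `root`, even when that user is a member of `wheel` and can therefore run sudo under `execWheelOnly`, and the assertion message then lists disabling `security.sudo.execWheelOnly` as the first remedy — that is exactly the hardening the comment at the top of this file exists to keep, so the message steers admins toward a security regression on a false positive. Consider accepting users who are in `wheel` (via `users.users.<name>.extraGroups` or `users.groups.wheel.members`; primary group membership via `users.users.<name>.group` is a further case I have not verified) and rewording the message so adjusting the rules is the preferred fix; the message also cites the option as `config.security.sudo.execWheelOnly`, which is not how a user sets it. Only the `let` bindings and the message change; the `assertion` line and the `validUserGroups` fold stay as they are.
```nix
assertions =
  let
    wheelMembers = config.users.groups.wheel.members or [ ];
    isWheelUser = u: u == "root"
      || builtins.elem "wheel" (config.users.users.${u}.extraGroups or [ ])
      || builtins.elem u wheelMembers;
    validUsers = users: builtins.all isWheelUser users;
    validGroups = groups: builtins.all (g: g == "wheel") groups;
    # … unchanged: validUserGroups …
  in
  [{
    assertion = config.security.sudo.execWheelOnly -> validUserGroups;
    message = "Some definitions in `security.sudo.extraRules` refer to users or groups that cannot execute sudo while `security.sudo.execWheelOnly` is enabled. Adjust the rules so they only name root, wheel members, or the wheel group; only disable `security.sudo.execWheelOnly` if you really need those rules.";
  }];
```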
