diff options
| author | Robert Schütz <dev@schuetz-co.de> | 2021-05-05 13:09:45 +0200 |
|---|---|---|
| committer | Robert Schütz <dev@schuetz-co.de> | 2021-05-08 23:48:00 +0200 |
| commit | 5624aa9f812aeccc6b70de9812a28df28996545a (patch) | |
| tree | 12f305d062ed99859f11038cd5e1a902fe57fa3d /nixos/modules/security | |
| parent | 39e6bf76474ce742eb027a88c4da6331f0a1526f (diff) | |
nixos/sudo: add option execWheelOnly
By setting the executable's group to wheel and permissions to 4510, we make sure that only members of the wheel group can execute sudo.
Diffstat (limited to 'nixos/modules/security')
| -rw-r--r-- | nixos/modules/security/sudo.nix | 28 |
1 files changed, 25 insertions, 3 deletions
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index cc3ff3d11b917..2e73f8f4f311d 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -61,6 +61,17 @@ in ''; }; + security.sudo.execWheelOnly = mkOption { + type = types.bool; + default = false; + description = '' + Only allow members of the <code>wheel</code> group to execute sudo by + setting the executable's permissions accordingly. + This prevents users that are not members of <code>wheel</code> from + exploiting vulnerabilities in sudo such as CVE-2021-3156. + ''; + }; + security.sudo.configFile = mkOption { type = types.lines; # Note: if syntax errors are detected in this file, the NixOS @@ -216,9 +227,20 @@ in ${cfg.extraConfig} ''; - security.wrappers = { - sudo.source = "${cfg.package.out}/bin/sudo"; - sudoedit.source = "${cfg.package.out}/bin/sudoedit"; + security.wrappers = let + owner = "root"; + group = if cfg.execWheelOnly then "wheel" else "root"; + setuid = true; + permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x"; + in { + sudo = { + source = "${cfg.package.out}/bin/sudo"; + inherit owner group setuid permissions; + }; + sudoedit = { + source = "${cfg.package.out}/bin/sudoedit"; + inherit owner group setuid permissions; + }; }; environment.systemPackages = [ sudo ]; |