author | Robert Schütz <dev@schuetz-co.de> | 2021-05-05 13:09:45 +0200 |
---|---|---|
committer | Robert Schütz <dev@schuetz-co.de> | 2021-05-08 23:48:00 +0200 |
commit | 5624aa9f812aeccc6b70de9812a28df28996545a (patch) | |
tree | 12f305d062ed99859f11038cd5e1a902fe57fa3d /nixos/tests/sudo.nix | |
parent | 39e6bf76474ce742eb027a88c4da6331f0a1526f (diff) |
nixos/sudo: add option execWheelOnly
By setting the sudo executable's group to wheel and its mode to 4510 (setuid; owner read/execute, group execute only, no permissions for others), we make sure that only members of the wheel group can execute sudo.
Diffstat (limited to 'nixos/tests/sudo.nix')
-rw-r--r-- | nixos/tests/sudo.nix | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/nixos/tests/sudo.nix b/nixos/tests/sudo.nix
index 2a85c490665a9..4885d6e17b829 100644
--- a/nixos/tests/sudo.nix
+++ b/nixos/tests/sudo.nix
@@ -10,7 +10,7 @@ in
 maintainers = [ lschuermann ];
 };
- machine =
+ nodes.machine =
 { lib, ... }:
 with lib;
 {
@@ -48,6 +48,19 @@ in
 };
 };
+ nodes.strict = { ... }: {
+ users.users = {
+ admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };
+ noadmin = { isNormalUser = true; };
+ };
+
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ execWheelOnly = true;
+ };
+ };
+
 testScript = ''
 with subtest("users in wheel group should have passwordless sudo"):
@@ -79,5 +92,11 @@ in
 with subtest("users in group 'barfoo' should not be able to keep their environment"):
 machine.fail("sudo -u test3 sudo -n -E -u root true")
+
+ with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
+ strict.succeed('su - admin -c "sudo -u root true"')
+
+ with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
+ strict.fail('su - noadmin -c "sudo --help"')
 '';
 }) |
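Review bot: The new `nodes.strict` definition carries no comment saying why the execWheelOnly case needs a second machine rather than being enabled on the existing `machine` node, and the reason is not visible from the node itself. The last hunk's context shows `machine` has non-wheel test users (group `barfoo`, `test3`) that invoke sudo, which a wheel-only 4510 wrapper would presumably lock out, so a one-line comment above `nodes.strict = { ... }: {` such as `# Separate node: execWheelOnly would also block the non-wheel test users defined on 'machine'.` would spare the next maintainer that investigation. The enclosing test attribute set starts before this hunk.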
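Review bot: The negative subtest `strict.fail('su - noadmin -c "sudo --help"')` is satisfied by any non-zero exit, including `su` failing to start a session for `noadmin`, so on its own it does not show that the 4510 permission check is what refused the call. A positive control placed just before it, `strict.succeed('su - noadmin -c "true"')`, pins the failure on sudo rather than on su; asserting the wrapper's mode is 4510 would tighten it further, though the wrapper's path is not visible in this hunk and I have not checked it. Using `sudo --help` as the probe is fine, since an exec-denied binary fails regardless of its arguments. The testScript string and the enclosing test start before this hunk.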