mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-15 14:26:33 +01:00
5624aa9f81
By setting the executable's group to wheel and permissions to 4510, we make sure that only members of the wheel group can execute sudo.
102 lines
3.9 KiB
Nix
102 lines
3.9 KiB
Nix
# Some tests to ensure sudo is working properly.
|
|
|
|
let
|
|
password = "helloworld";
|
|
|
|
in
|
|
import ./make-test-python.nix ({ pkgs, ...} : {
|
|
name = "sudo";
|
|
meta = with pkgs.lib.maintainers; {
|
|
maintainers = [ lschuermann ];
|
|
};
|
|
|
|
nodes.machine =
|
|
{ lib, ... }:
|
|
with lib;
|
|
{
|
|
users.groups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; };
|
|
users.users = {
|
|
test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; };
|
|
test1 = { isNormalUser = true; password = password; };
|
|
test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; };
|
|
test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; };
|
|
test4 = { isNormalUser = true; extraGroups = [ "baz" ]; };
|
|
test5 = { isNormalUser = true; };
|
|
};
|
|
|
|
security.sudo = {
|
|
enable = true;
|
|
wheelNeedsPassword = false;
|
|
|
|
extraRules = [
|
|
# SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
|
|
# errors being detected by the visudo checks.
|
|
|
|
# These should not create any entries
|
|
{ users = [ "notest1" ]; commands = [ ]; }
|
|
{ commands = [ { command = "ALL"; options = [ ]; } ]; }
|
|
|
|
# Test defining commands with the options syntax, though not setting any options
|
|
{ users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; }
|
|
|
|
|
|
# CONFIGURATION FOR TEST CASES
|
|
{ users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; }
|
|
{ groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; }
|
|
{ users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; }
|
|
];
|
|
};
|
|
};
|
|
|
|
nodes.strict = { ... }: {
|
|
users.users = {
|
|
admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };
|
|
noadmin = { isNormalUser = true; };
|
|
};
|
|
|
|
security.sudo = {
|
|
enable = true;
|
|
wheelNeedsPassword = false;
|
|
execWheelOnly = true;
|
|
};
|
|
};
|
|
|
|
testScript =
|
|
''
|
|
with subtest("users in wheel group should have passwordless sudo"):
|
|
machine.succeed('su - test0 -c "sudo -u root true"')
|
|
|
|
with subtest("test1 user should have sudo with password"):
|
|
machine.succeed('su - test1 -c "echo ${password} | sudo -S -u root true"')
|
|
|
|
with subtest("test1 user should not be able to use sudo without password"):
|
|
machine.fail('su - test1 -c "sudo -n -u root true"')
|
|
|
|
with subtest("users in group 'foobar' should be able to use sudo with password"):
|
|
machine.succeed("sudo -u test2 echo ${password} | sudo -S -u root true")
|
|
|
|
with subtest("users in group 'barfoo' should be able to use sudo without password"):
|
|
machine.succeed("sudo -u test3 sudo -n -u root true")
|
|
|
|
with subtest("users in group 'baz' (GID 1337)"):
|
|
machine.succeed("sudo -u test4 sudo -n -u root echo true")
|
|
|
|
with subtest("test5 user should be able to run commands under test1"):
|
|
machine.succeed("sudo -u test5 sudo -n -u test1 true")
|
|
|
|
with subtest("test5 user should not be able to run commands under root"):
|
|
machine.fail("sudo -u test5 sudo -n -u root true")
|
|
|
|
with subtest("test5 user should be able to keep their environment"):
|
|
machine.succeed("sudo -u test5 sudo -n -E -u test1 true")
|
|
|
|
with subtest("users in group 'barfoo' should not be able to keep their environment"):
|
|
machine.fail("sudo -u test3 sudo -n -E -u root true")
|
|
|
|
with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
|
|
strict.succeed('su - admin -c "sudo -u root true"')
|
|
|
|
with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
|
|
strict.fail('su - noadmin -c "sudo --help"')
|
|
'';
|
|
})
|