Talk:Sudo: Difference between revisions
Latest comment: 26 December 2024 by Hans4687
→Default securepath: new section
Latest revision as of 15:59, 26 December 2024
I would like to know why the definition for default <code>secure_path</code> for user <code>picloud</code> is used, and also what its relation is to the rules for passwordless commands. Hans4687 (talk) 14:18, 26 December 2024 (UTC)
I tried to change one program specification for <code>ls</code>:
<syntaxhighlight lang="nix">
# one entry of the commands list in security.sudo.extraRules
{
  command = "${pkgs.coreutils-full}/bin/ls";
  options = [ "NOPASSWD" ];
}
</syntaxhighlight>
This is the sudoers.tmp file; I commented out the generic wheel group rule:
<syntaxhighlight>
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
# or ‘security.sudo.extraRules’ instead.
root ALL=(ALL:ALL) SETENV: ALL
#%wheel ALL=(ALL:ALL) SETENV: ALL
%wheel ALL=(ALL:ALL) NOPASSWD: /nix/store/d45f4km3x568b10bwlc90gi8jdfmh643-coreutils-full-9.5/bin/ls, NOPASSWD: /nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin/reboot, NOPASSWD: /nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin/poweroff
# extraConfig
Defaults:picloud secure_path="/nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
# Keep terminfo database for root and %wheel.
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
Defaults:root,%wheel env_keep+=TERMINFO
</syntaxhighlight>
If I use an account in the wheel group, it gives the following response:
<syntaxhighlight lang="bash">
$ sudo ls
Sorry, user myaccount is not allowed to execute '/run/current-system/sw/bin/ls' as root on mercurius.
</syntaxhighlight>
Probably something is not secure enough. If I change the user <code>picloud</code> in the script to <code>%wheel</code>, then it works:
<syntaxhighlight lang="bash">
$ sudo ls
---empty line, the directory is empty ---
</syntaxhighlight>
It does not give an error or ask for a password. This is fine. The example would work with user <code>picloud</code> changed to <code>%wheel</code>.
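The rule set from the sudoers file above, written as NixOS options rather than edited into sudoers.tmp, with the <code>secure_path</code> Defaults scoped to <code>%wheel</code> as the post reports working. This is an added example, not code from the original post or from the NixOS sudo module; the package names (<code>pkgs.coreutils-full</code>, <code>pkgs.systemd</code>) are assumed to be the ones that produced the store paths shown above, and nothing else about the host is assumed. In sudoers, <code>Defaults:picloud</code> applies only to the user <code>picloud</code>, while <code>Defaults:%wheel</code> applies to every member of that group, so the per-user line does not affect a different wheel account such as <code>myaccount</code>.

```nix
# Added example (not the original post's code or the NixOS module's own):
# the passwordless rules and the secure_path Defaults expressed as NixOS
# options. Package names are assumptions matching the store paths above.
{ pkgs, ... }:

{
  security.sudo = {
    enable = true;

    # Passwordless rules for members of wheel. sudoers matches the command
    # by its fully qualified path, so each entry is a store path; a rule
    # without arguments permits the command with any arguments.
    extraRules = [
      {
        groups = [ "wheel" ];
        commands = [
          { command = "${pkgs.coreutils-full}/bin/ls"; options = [ "NOPASSWD" ]; }
          { command = "${pkgs.systemd}/bin/reboot";    options = [ "NOPASSWD" ]; }
          { command = "${pkgs.systemd}/bin/poweroff";  options = [ "NOPASSWD" ]; }
        ];
      }
    ];

    # Scoped to the group, not to a single user: "Defaults:picloud" would
    # only change secure_path for picloud, leaving other wheel members on
    # their usual secure_path.
    extraConfig = ''
      Defaults:%wheel secure_path="${pkgs.systemd}/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
    '';
  };
}
```

After rebuilding, <code>sudo -l</code> run as a wheel member prints the Defaults and command rules that apply to the invoking user, which shows directly whether a given account is covered by the <code>secure_path</code> line and by the NOPASSWD entries; <code>visudo -c -f FILE</code> checks a sudoers file for syntax errors before it is installed. Note that the generated sudoers still contains the module's own <code>%wheel ALL=(ALL:ALL) SETENV: ALL</code> line unless the whole file is replaced through <code>security.sudo.configFile</code>, so commenting it out in sudoers.tmp by hand does not survive a rebuild.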