Talk:Sudo: Difference between revisions
Latest comment: 26 December 2024 by Hans4687
Edit summary: →Default securepath: new section
Latest revision as of 15:59, 26 December 2024
I would like to know why the definition of the default secure_path for user picloud is used, and also what the relation is with the rules for passwordless commands. Hans4687 (talk) 14:18, 26 December 2024 (UTC)
I tried to change one program specification for ls:
      {
        command = "${pkgs.coreutils-full}/bin/ls";
        options = [ "NOPASSWD" ];
      }
This is the sudoers.tmp file, with the generic wheel group rule commented out:
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
# or ‘security.sudo.extraRules’ instead.
root     ALL=(ALL:ALL)    SETENV: ALL
#%wheel  ALL=(ALL:ALL)    SETENV: ALL
%wheel  ALL=(ALL:ALL)    NOPASSWD: /nix/store/d45f4km3x568b10bwlc90gi8jdfmh643-coreutils-full-9.5/bin/ls, NOPASSWD: /nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin/reboot, NOPASSWD: /nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin/poweroff
 
# extraConfig
Defaults:picloud secure_path="/nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
 
# Keep terminfo database for root and %wheel.
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
Defaults:root,%wheel env_keep+=TERMINFO
If I use an account in the wheel group, it gives the following response:
$ sudo ls
Sorry, user myaccount is not allowed to execute '/run/current-system/sw/bin/ls' as root on mercurius.
Probably something is not secure enough. If I change the user picloud in the script to %wheel, then it works:
$ sudo ls
---empty line, the directory is empty ---
It does not give an error or ask for a password. This is fine. The example would work with user picloud changed into %wheel.
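A simplified model of the two sudoers(5) mechanisms involved in the question above, added here as an illustration (it is not sudo's code and not part of the post): a Defaults line written as Defaults:user or Defaults:%group applies only to that user or group, so Defaults:picloud secure_path=... changes nothing for a member of wheel, and a command rule written with a full path only matches the command sudo actually resolved through the lookup PATH, which is the path the "not allowed to execute '/run/current-system/sw/bin/ls'" message quotes. The sudoers text is the one shown above; the directory layout (FS) and the user's PATH are constructed stand-ins. The model compares path strings only and does not follow symlinks, while sudo's real matching is more elaborate (it compares the resolved files, not just the strings), so it does not reproduce the successful ls run under Defaults:%wheel. What it does show is why reboot and poweroff only resolve to the store paths in the rule once a secure_path that applies to the invoking user puts the systemd store directory first.

```python
"""Toy model of sudoers Defaults scoping and exact-path command matching.
Added illustration, not sudo's implementation: paths are compared as
strings and symlinks are not followed."""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    subject: str    # "root", "picloud" or "%wheel"
    commands: list  # [(tag, path)]; path may be "ALL"


@dataclass
class Sudoers:
    secure_paths: list = field(default_factory=list)  # [(scopes, dirs)]
    rules: list = field(default_factory=list)


DEFAULTS_RE = re.compile(r'Defaults(?::(\S+))?\s+secure_path="([^"]*)"')
USERSPEC_RE = re.compile(r'(\S+)\s+\S+=\(\S+\)\s+(.*)')


def parse_sudoers(text):
    s = Sudoers()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            # "Defaults" alone is global; "Defaults:a,%b" is scoped to a and group b
            scopes = m.group(1).split(",") if m.group(1) else ["ALL"]
            s.secure_paths.append((scopes, m.group(2)))
            continue
        if line.startswith("Defaults"):
            continue  # env_keep and friends play no role in this model
        m = USERSPEC_RE.match(line)
        if m:
            subject, spec = m.groups()
            commands, tag = [], "PASSWD"  # a tag persists along the comma list
            for item in spec.split(","):
                tokens = item.split()
                for t in tokens[:-1]:
                    t = t.rstrip(":")
                    if t in ("NOPASSWD", "PASSWD"):
                        tag = t
                commands.append((tag, tokens[-1]))
            s.rules.append(Rule(subject, commands))
    return s


def applies(subject, user, groups):
    """Does a sudoers subject (user, %group or ALL) cover this invoking user?"""
    if subject == "ALL":
        return True
    if subject.startswith("%"):
        return subject[1:] in groups
    return subject == user


def effective_secure_path(s, user, groups):
    """secure_path in force for this user; later matching Defaults win."""
    chosen = None
    for scopes, dirs in s.secure_paths:
        if any(applies(sc, user, groups) for sc in scopes):
            chosen = dirs
    return chosen


def resolve(cmd, path, fs):
    """First directory on the lookup path holding the command (no symlinks)."""
    if "/" in cmd:
        return cmd  # an explicit path is used as given
    for d in path.split(":"):
        if cmd in fs.get(d, ()):
            return f"{d}/{cmd}"
    return None


def decide(s, user, groups, cmd, user_path, fs):
    """Return (outcome, resolved_path); outcome is NOPASSWD, PASSWD,
    'denied' (no rule matched) or 'not found' (nothing on the lookup path)."""
    lookup = effective_secure_path(s, user, groups) or user_path
    resolved = resolve(cmd, lookup, fs)
    if resolved is None:
        return "not found", None
    for rule in s.rules:
        if not applies(rule.subject, user, groups):
            continue
        for tag, path in rule.commands:
            if path in ("ALL", resolved):
                return tag, resolved
    return "denied", resolved


SYSTEMD_BIN = "/nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin"
COREUTILS_BIN = "/nix/store/d45f4km3x568b10bwlc90gi8jdfmh643-coreutils-full-9.5/bin"

# The sudoers fragment from the post above.
SUDOERS = f"""
root     ALL=(ALL:ALL)    SETENV: ALL
%wheel  ALL=(ALL:ALL)    NOPASSWD: {COREUTILS_BIN}/ls, NOPASSWD: {SYSTEMD_BIN}/reboot, NOPASSWD: {SYSTEMD_BIN}/poweroff
Defaults:picloud secure_path="{SYSTEMD_BIN}:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
Defaults:root,%wheel env_keep+=TERMINFO
"""

# Constructed stand-in for the filesystem: directory -> command names it holds.
FS = {
    "/run/current-system/sw/bin": {"ls", "reboot", "poweroff"},
    COREUTILS_BIN: {"ls"},
    SYSTEMD_BIN: {"reboot", "poweroff"},
}
# Constructed, abridged PATH of an ordinary NixOS login shell.
USER_PATH = "/run/wrappers/bin:/run/current-system/sw/bin"


def demo():
    s = parse_sudoers(SUDOERS)
    as_wheel = parse_sudoers(SUDOERS.replace("Defaults:picloud", "Defaults:%wheel"))
    me, grp = "myaccount", {"wheel"}
    return {
        # Defaults:picloud does not reach a wheel member ...
        "wheel secure_path": effective_secure_path(s, me, grp),
        "picloud secure_path": effective_secure_path(s, "picloud", {"users"}),
        # ... so `sudo ls` resolves through the user's own PATH, not the rule's path
        "sudo ls": decide(s, me, grp, "ls", USER_PATH, FS),
        # an explicit store path sidesteps the lookup entirely
        "sudo <store>/ls": decide(s, me, grp, f"{COREUTILS_BIN}/ls", USER_PATH, FS),
        # reboot: the user's PATH lands outside the store, no rule matches ...
        "sudo reboot": decide(s, me, grp, "reboot", USER_PATH, FS),
        # ... with Defaults:%wheel the systemd store dir comes first and it matches
        "sudo reboot (%wheel)": decide(as_wheel, me, grp, "reboot", USER_PATH, FS),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On the real system the equivalent checks are sudo -l -U myaccount, which lists the Defaults and rules that apply to that user, sudo -l reboot run as that user, which reports whether that exact invocation would be allowed, and visudo -c to validate the generated file.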
