Talk:Sudo

From NixOS Wiki

I would like to know why the definition of the default secure_path for user picloud is used, and also what the relation is with the rules for passwordless commands. Hans4687 (talk) 14:18, 26 December 2024 (UTC)

I tried to change one program specification, for ls:

      {
        command = "${pkgs.coreutils-full}/bin/ls";
        options = [ "NOPASSWD" ];
      }

This is the sudoers.tmp file, with the generic wheel group rule commented out:

# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
# or ‘security.sudo.extraRules’ instead.

root     ALL=(ALL:ALL)    SETENV: ALL
#%wheel  ALL=(ALL:ALL)    SETENV: ALL
%wheel  ALL=(ALL:ALL)    NOPASSWD: /nix/store/d45f4km3x568b10bwlc90gi8jdfmh643-coreutils-full-9.5/bin/ls, NOPASSWD: /nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin/reboot, NOPASSWD: /nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin/poweroff

# extraConfig
Defaults:picloud secure_path="/nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"

# Keep terminfo database for root and %wheel.
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
Defaults:root,%wheel env_keep+=TERMINFO

If I use an account in the wheel group, it is giving the following response:

$ sudo ls
Sorry, user myaccount is not allowed to execute '/run/current-system/sw/bin/ls' as root on mercurius.

Probably something is not secure enough. If I change the user picloud in the script to %wheel, then it works:

$ sudo ls
--- empty line, the directory is empty ---

It does not give an error or ask for a password. This is fine. The example would work with user picloud changed to %wheel.
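For reference, here is an added example (not the wiki's example and not the poster's configuration) of a NixOS module fragment that ties the two halves of the quoted sudoers file together for a single user. sudo resolves a bare command name such as `reboot` through `secure_path` when one is set for the invoking user, and then matches the resolved path against the command rules; the example therefore derives the `secure_path` directories from the very store paths named in the NOPASSWD rules, so `sudo reboot` and `sudo ls` typed by that user resolve to the paths the rules list rather than to the `/run/current-system/sw/bin` symlinks. The user name `picloud` and the three commands are taken from the thread; `lib.unique`, `builtins.dirOf` and `lib.concatStringsSep` are standard Nix/nixpkgs functions, and the `enable = true` line is an assumption for a self-contained module.

```nix
# Added example, not code from the NixOS Wiki page or from the poster.
# Assumes a normal NixOS module context; "picloud" and the command set come
# from the thread above, everything else is illustrative.
{ config, pkgs, lib, ... }:

let
  # Exact store paths the rules below grant.  sudo compares the command the
  # user typed against these after resolving it through secure_path, so the
  # secure_path entries must point at these same directories first, not only
  # at the /run/current-system/sw/bin symlink farm.
  passwordless = [
    "${pkgs.coreutils-full}/bin/ls"
    "${pkgs.systemd}/bin/reboot"
    "${pkgs.systemd}/bin/poweroff"
  ];

  # Directories holding those binaries, deduplicated (reboot and poweroff
  # share the systemd bin directory).
  binDirs = lib.unique (map builtins.dirOf passwordless);
in
{
  security.sudo = {
    enable = true;

    extraRules = [
      {
        # Scope the rule to the same principal as the Defaults line below.
        # For a group this would be: groups = [ "wheel" ];
        users = [ "picloud" ];
        commands = map (command: {
          inherit command;
          options = [ "NOPASSWD" ];
        }) passwordless;
      }
    ];

    # "Defaults:picloud" applies only to that user; a group is written as
    # "Defaults:%wheel".  The rule-derived directories go first so that the
    # command resolves to the path the rule names.
    extraConfig = ''
      Defaults:picloud secure_path="${lib.concatStringsSep ":" (binDirs ++ [
        "/nix/var/nix/profiles/default/bin"
        "/run/current-system/sw/bin"
      ])}"
    '';
  };
}
```

Whichever principal the `secure_path` Defaults line is scoped to (`Defaults:picloud` or `Defaults:%wheel`) must be the same one the NOPASSWD rule is written for; a `Defaults:picloud` line does nothing for a wheel member who is not picloud, and `sudo -l` run as the intended user shows which rules and Defaults actually apply to it.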