Talk:Sudo
Latest comment: 26 December 2024 by Hans4687
I would like to know why the definition for default secure_path for user picloud is used, and also what the relation is with the rules for passwordless commands. Hans4687 (talk) 14:18, 26 December 2024 (UTC)
I tried to change one program specification for ls:
{
  command = "${pkgs.coreutils-full}/bin/ls";
  options = [ "NOPASSWD" ];
}
This is the sudoers.tmp file, with the generic wheel group rule commented out:
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
# or ‘security.sudo.extraRules’ instead.
root ALL=(ALL:ALL) SETENV: ALL
#%wheel ALL=(ALL:ALL) SETENV: ALL
%wheel ALL=(ALL:ALL) NOPASSWD: /nix/store/d45f4km3x568b10bwlc90gi8jdfmh643-coreutils-full-9.5/bin/ls, NOPASSWD: /nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin/reboot, NOPASSWD: /nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin/poweroff
# extraConfig
Defaults:picloud secure_path="/nix/store/h05qs7dk5i6490ji0f9fndia9q2wwjac-systemd-255.9/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
# Keep terminfo database for root and %wheel.
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
Defaults:root,%wheel env_keep+=TERMINFO
If I use an account in the wheel group, it gives the following response:
$ sudo ls
Sorry, user myaccount is not allowed to execute '/run/current-system/sw/bin/ls' as root on mercurius.
Probably something is not secure enough. If I change the user picloud in the script to %wheel, then it works:
$ sudo ls
---empty line, the directory is empty ---
It does not give an error or ask for a password. This is fine. The example would work with user picloud changed into %wheel.
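As an added example (not part of Hans4687's comment), here is the NixOS module form of the configuration that the generated sudoers above corresponds to, with the Defaults line scoped to %wheel as the post found to work. It assumes pkgs.systemd is the systemd package whose bin directory appears in the generated file, and that the module's generic %wheel rule is handled separately, as was done by hand above.

```nix
{ pkgs, ... }:
{
  # Passwordless rules for members of wheel only. Each command is pinned to an
  # explicit store path, so only that exact binary satisfies the rule.
  security.sudo.extraRules = [
    {
      groups = [ "wheel" ];
      commands = [
        { command = "${pkgs.coreutils-full}/bin/ls"; options = [ "NOPASSWD" ]; }
        { command = "${pkgs.systemd}/bin/reboot";    options = [ "NOPASSWD" ]; }
        { command = "${pkgs.systemd}/bin/poweroff";  options = [ "NOPASSWD" ]; }
      ];
    }
  ];

  # A Defaults line is scoped to the principal named after the colon.
  # "Defaults:picloud" affects only user picloud; every other wheel member keeps
  # the module's default secure_path. Scoping it to %wheel makes it apply to the
  # same set of accounts the NOPASSWD rules above apply to.
  # (pkgs.systemd is assumed to be the systemd package seen in the generated file.)
  security.sudo.extraConfig = ''
    Defaults:%wheel secure_path="${pkgs.systemd}/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
  '';
}
```

After a rebuild, `sudo -l` run as a wheel member lists the effective Defaults and command rules, which is the quickest way to check that the secure_path entry and the NOPASSWD rules now apply to the same accounts.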