From 7b5b3f5124331ea5679c100e6d58f1493ad4e64d Mon Sep 17 00:00:00 2001 From: nicoo Date: Thu, 7 Sep 2023 15:53:18 +0000 Subject: [PATCH] nixos/sudo: Add tests for sudo-rs too Duplicated sudo's testsuite for now, as its maintainer does not with to collaborate on testing effors; see #253876. Environment-related tests were removed, as sudo-rs does not support `(NO)SETENV` yet; see memorysafety/sudo-rs#760 --- nixos/tests/all-tests.nix | 1 + nixos/tests/sudo-rs.nix | 97 +++++++++++++++++++++++++ pkgs/tools/security/sudo-rs/default.nix | 6 +- 3 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 nixos/tests/sudo-rs.nix diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 30ea7c70026f4..d80b9aa8d696e 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -739,6 +739,7 @@ in { strongswan-swanctl = handleTest ./strongswan-swanctl.nix {}; stunnel = handleTest ./stunnel.nix {}; sudo = handleTest ./sudo.nix {}; + sudo-rs = handleTest ./sudo-rs.nix {}; swap-file-btrfs = handleTest ./swap-file-btrfs.nix {}; swap-partition = handleTest ./swap-partition.nix {}; swap-random-encryption = handleTest ./swap-random-encryption.nix {}; diff --git a/nixos/tests/sudo-rs.nix b/nixos/tests/sudo-rs.nix new file mode 100644 index 0000000000000..334a2d0fa3ea4 --- /dev/null +++ b/nixos/tests/sudo-rs.nix @@ -0,0 +1,97 @@ +# Some tests to ensure sudo is working properly. +{ pkgs, sudo-rs, ... }: +let + inherit (pkgs.lib) mkIf optionalString; + password = "helloworld"; +in + import ./make-test-python.nix ({ lib, pkgs, ...} : { + name = "sudo"; + meta.maintainers = pkgs.sudo-rs.meta.maintainers; + + nodes.machine = + { lib, ... }: + { + environment.systemPackages = [ pkgs.faketty ]; + users.groups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; }; + users.users = { + test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; }; + test1 = { isNormalUser = true; password = password; }; + test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; }; + test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; }; + test4 = { isNormalUser = true; extraGroups = [ "baz" ]; }; + test5 = { isNormalUser = true; }; + }; + + security.sudo = { + enable = true; + package = sudo-rs; + wheelNeedsPassword = false; + + extraRules = [ + # SUDOERS SYNTAX CHECK (Test whether the module produces a valid output; + # errors being detected by the visudo checks. + + # These should not create any entries + { users = [ "notest1" ]; commands = [ ]; } + { commands = [ { command = "ALL"; options = [ ]; } ]; } + + # Test defining commands with the options syntax, though not setting any options + { users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; } + + + # CONFIGURATION FOR TEST CASES + { users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; } + { groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } + { users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; runAs = "test1:barfoo"; } + ]; + }; + }; + + nodes.strict = { ... }: { + environment.systemPackages = [ pkgs.faketty ]; + users.users = { + admin = { isNormalUser = true; extraGroups = [ "wheel" ]; }; + noadmin = { isNormalUser = true; }; + }; + + security.sudo = { + package = sudo-rs; + enable = true; + wheelNeedsPassword = false; + execWheelOnly = true; + }; + }; + + testScript = + '' + with subtest("users in wheel group should have passwordless sudo"): + machine.succeed('faketty -- su - test0 -c "sudo -u root true"') + + with subtest("test1 user should have sudo with password"): + machine.succeed('faketty -- su - test1 -c "echo ${password} | sudo -S -u root true"') + + with subtest("test1 user should not be able to use sudo without password"): + machine.fail('faketty -- su - test1 -c "sudo -n -u root true"') + + with subtest("users in group 'foobar' should be able to use sudo with password"): + machine.succeed('faketty -- su - test2 -c "echo ${password} | sudo -S -u root true"') + + with subtest("users in group 'barfoo' should be able to use sudo without password"): + machine.succeed("sudo -u test3 sudo -n -u root true") + + with subtest("users in group 'baz' (GID 1337)"): + machine.succeed("sudo -u test4 sudo -n -u root echo true") + + with subtest("test5 user should be able to run commands under test1"): + machine.succeed("sudo -u test5 sudo -n -u test1 true") + + with subtest("test5 user should not be able to run commands under root"): + machine.fail("sudo -u test5 sudo -n -u root true") + + with subtest("users in wheel should be able to run sudo despite execWheelOnly"): + strict.succeed('faketty -- su - admin -c "sudo -u root true"') + + with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"): + strict.fail('faketty -- su - noadmin -c "sudo --help"') + '';; + }) diff --git a/pkgs/tools/security/sudo-rs/default.nix b/pkgs/tools/security/sudo-rs/default.nix index d4621e2292252..3cda1cde8322c 100644 --- a/pkgs/tools/security/sudo-rs/default.nix +++ b/pkgs/tools/security/sudo-rs/default.nix @@ -4,6 +4,7 @@ , fetchpatch , installShellFiles , nix-update-script +, nixosTests , pam , pandoc , rustPlatform @@ -73,7 +74,10 @@ rustPlatform.buildRustPackage rec { "su::context::tests::invalid_shell" ]; - passthru.updateScript = nix-update-script { }; + passthru = { + updateScript = nix-update-script { }; + tests = nixosTests.sudo-rs; + }; meta = with lib; { description = "A memory safe implementation of sudo and su.";