system: Add 'sudo' to the setuid programs, and handle /etc/sudoers.
* gnu/system.scm (<operating-system>)[groups]: Change default to just the 'root' group. [sudoers]: New field. (etc-directory): Add #:sudoers parameter. Add 'sudoers' to the file union. (operating-system-etc-directory): Pass #:sudoers to 'etc-directory'. (%setuid-programs): Add 'sudo'. (%sudoers-specification): New variable. * gnu/system/linux.scm (base-pam-services): Add 'sudo'. * build-aux/hydra/demo-os.scm: Add 'groups' field; add 'guest' to the 'wheel' group.
parent
b9100e2f11
commit
696893801c
3 changed files with 32 additions and 9 deletions
|
@ -48,6 +48,15 @@
|
||||||
(uid 1000) (gid 100)
|
(uid 1000) (gid 100)
|
||||||
(comment "Guest of GNU")
|
(comment "Guest of GNU")
|
||||||
(home-directory "/home/guest"))))
|
(home-directory "/home/guest"))))
|
||||||
|
(groups (list (user-group (name "root") (id 0))
|
||||||
|
(user-group
|
||||||
|
(name "wheel")
|
||||||
|
(id 1)
|
||||||
|
(members '("guest"))) ; allow 'guest' to use sudo
|
||||||
|
(user-group
|
||||||
|
(name "users")
|
||||||
|
(id 100)
|
||||||
|
(members '("guest")))))
|
||||||
(services (cons* (slim-service #:auto-login? #t
|
(services (cons* (slim-service #:auto-login? #t
|
||||||
#:default-user "guest")
|
#:default-user "guest")
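Review bot: The `(members '("guest"))` line on the `wheel` group hands the auto-logged-in `guest` account (`slim-service #:auto-login? #t`, `#:default-user "guest"` just below) unrestricted root through sudo, because the default sudoers introduced by this commit grants `%wheel ALL=(ALL) ALL`. That is defensible for a demo image, but the inline comment should say why it is acceptable here, e.g. `; DEMO ONLY: 'guest' is auto-logged-in and gets full root via sudo`. Whether sudo will still prompt for a password depends on the guest account's password and on the `allow-empty-passwords?` setting of base-pam-services, neither of which is visible in this hunk, so that should be checked before this configuration is copied anywhere outside the demo. The operating-system form this hunk belongs to starts before and ends after the visible lines.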
|
||||||
|
|
||||||
|
|
|
@ -85,11 +85,7 @@ (define-record-type* <operating-system> operating-system
|
||||||
(groups operating-system-groups ; list of user groups
|
(groups operating-system-groups ; list of user groups
|
||||||
(default (list (user-group
|
(default (list (user-group
|
||||||
(name "root")
|
(name "root")
|
||||||
(id 0))
|
(id 0)))))
|
||||||
(user-group
|
|
||||||
(name "users")
|
|
||||||
(id 100)
|
|
||||||
(members '("guest"))))))
|
|
||||||
|
|
||||||
(packages operating-system-packages ; list of (PACKAGE OUTPUT...)
|
(packages operating-system-packages ; list of (PACKAGE OUTPUT...)
|
||||||
(default (list coreutils ; or just PACKAGE
|
(default (list coreutils ; or just PACKAGE
|
||||||
|
@ -111,8 +107,10 @@ (define-record-type* <operating-system> operating-system
|
||||||
(pam-services operating-system-pam-services ; list of PAM services
|
(pam-services operating-system-pam-services ; list of PAM services
|
||||||
(default (base-pam-services)))
|
(default (base-pam-services)))
|
||||||
(setuid-programs operating-system-setuid-programs
|
(setuid-programs operating-system-setuid-programs
|
||||||
(default %setuid-programs))) ; list of string-valued gexps
|
(default %setuid-programs)) ; list of string-valued gexps
|
||||||
|
|
||||||
|
(sudoers operating-system-sudoers ; /etc/sudoers contents
|
||||||
|
(default %sudoers-specification)))
|
||||||
|
|
||||||
|
|
||||||
;;;
|
;;;
|
||||||
|
@ -164,13 +162,15 @@ (define* (etc-directory #:key
|
||||||
(accounts '())
|
(accounts '())
|
||||||
(groups '())
|
(groups '())
|
||||||
(pam-services '())
|
(pam-services '())
|
||||||
(profile "/var/run/current-system/profile"))
|
(profile "/var/run/current-system/profile")
|
||||||
|
(sudoers ""))
|
||||||
"Return a derivation that builds the static part of the /etc directory."
|
"Return a derivation that builds the static part of the /etc directory."
|
||||||
(mlet* %store-monad
|
(mlet* %store-monad
|
||||||
((passwd (passwd-file accounts))
|
((passwd (passwd-file accounts))
|
||||||
(shadow (passwd-file accounts #:shadow? #t))
|
(shadow (passwd-file accounts #:shadow? #t))
|
||||||
(group (group-file groups))
|
(group (group-file groups))
|
||||||
(pam.d (pam-services->directory pam-services))
|
(pam.d (pam-services->directory pam-services))
|
||||||
|
(sudoers (text-file "sudoers" sudoers))
|
||||||
(login.defs (text-file "login.defs" "# Empty for now.\n"))
|
(login.defs (text-file "login.defs" "# Empty for now.\n"))
|
||||||
(shells (text-file "shells" ; used by xterm and others
|
(shells (text-file "shells" ; used by xterm and others
|
||||||
"\
|
"\
|
||||||
|
@ -215,7 +215,9 @@ (define* (etc-directory #:key
|
||||||
#$timezone))
|
#$timezone))
|
||||||
("passwd" ,#~#$passwd)
|
("passwd" ,#~#$passwd)
|
||||||
("shadow" ,#~#$shadow)
|
("shadow" ,#~#$shadow)
|
||||||
("group" ,#~#$group)))))
|
("group" ,#~#$group)
|
||||||
|
|
||||||
|
("sudoers" ,#~#$sudoers)))))
|
||||||
|
|
||||||
(define (operating-system-profile os)
|
(define (operating-system-profile os)
|
||||||
"Return a derivation that builds the default profile of OS."
|
"Return a derivation that builds the default profile of OS."
|
||||||
|
@ -254,6 +256,7 @@ (define (operating-system-etc-directory os)
|
||||||
#:pam-services pam-services
|
#:pam-services pam-services
|
||||||
#:locale (operating-system-locale os)
|
#:locale (operating-system-locale os)
|
||||||
#:timezone (operating-system-timezone os)
|
#:timezone (operating-system-timezone os)
|
||||||
|
#:sudoers (operating-system-sudoers os)
|
||||||
#:profile profile-drv)))
|
#:profile profile-drv)))
|
||||||
|
|
||||||
(define %setuid-programs
|
(define %setuid-programs
|
||||||
|
@ -261,7 +264,16 @@ (define %setuid-programs
|
||||||
(let ((shadow (@ (gnu packages admin) shadow)))
|
(let ((shadow (@ (gnu packages admin) shadow)))
|
||||||
(list #~(string-append #$shadow "/bin/passwd")
|
(list #~(string-append #$shadow "/bin/passwd")
|
||||||
#~(string-append #$shadow "/bin/su")
|
#~(string-append #$shadow "/bin/su")
|
||||||
#~(string-append #$inetutils "/bin/ping"))))
|
#~(string-append #$inetutils "/bin/ping")
|
||||||
|
#~(string-append #$sudo "/bin/sudo"))))
|
||||||
|
|
||||||
|
(define %sudoers-specification
|
||||||
|
;; Default /etc/sudoers contents: 'root' and all members of the 'wheel'
|
||||||
|
;; group can do anything. See
|
||||||
|
;; <http://www.sudo.ws/sudo/man/1.8.10/sudoers.man.html>.
|
||||||
|
;; TODO: Add a declarative API.
|
||||||
|
"root ALL=(ALL) ALL
|
||||||
|
%wheel ALL=(ALL) ALL\n")
|
||||||
|
|
||||||
(define (operating-system-boot-script os)
|
(define (operating-system-boot-script os)
|
||||||
"Return the boot script for OS---i.e., the code started by the initrd once
|
"Return the boot script for OS---i.e., the code started by the initrd once
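Review bot: `(sudoers (text-file "sudoers" sudoers))` yields a read-only store item that the /etc union then exposes as /etc/sudoers, and sudo refuses a sudoers file whose owner or mode is not what it expects (root-owned and mode 0440 by default in the sudo 1.8 line the comment links to), so the file may be rejected at run time even though it is built correctly; verify this on a booted system and, if sudo complains, have activation copy the file into place and `chmod 0440` it instead of linking it. A second gap is that nothing validates the `sudoers` string: a typo in a user-supplied `(sudoers ...)` field silently locks every wheel member out of sudo, so a build-time `visudo -c -f` check, or at least a warning in the field's comment, would be worth adding. The `%sudoers-specification` comment should also spell out the consequence plainly, e.g. `;; Every member of 'wheel' gets unrestricted root via sudo; a password is prompted for unless PAM accepts empty ones.` Both `etc-directory` and the `<operating-system>` record definition start outside their hunks.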
|
||||||
|
|
|
@ -157,6 +157,8 @@ (define* (base-pam-services #:key allow-empty-passwords?)
|
||||||
(list %pam-other-services
|
(list %pam-other-services
|
||||||
(unix-pam-service "su" #:allow-empty-passwords? allow-empty-passwords?)
|
(unix-pam-service "su" #:allow-empty-passwords? allow-empty-passwords?)
|
||||||
(unix-pam-service "passwd"
|
(unix-pam-service "passwd"
|
||||||
|
#:allow-empty-passwords? allow-empty-passwords?)
|
||||||
|
(unix-pam-service "sudo"
|
||||||
#:allow-empty-passwords? allow-empty-passwords?)))
|
#:allow-empty-passwords? allow-empty-passwords?)))
|
||||||
|
|
||||||
;;; linux.scm ends here
|
;;; linux.scm ends here
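Review bot: Passing `#:allow-empty-passwords?` through to the new `(unix-pam-service "sudo" ...)` entry means that when the flag is set, a `wheel` member with an empty password obtains root via sudo with no authentication at all, which is a larger exposure than the same flag already had on `su` and `passwd`. Consider leaving the flag off for sudo — `(unix-pam-service "sudo")` — or at least stating the consequence in base-pam-services' docstring so that callers enabling the flag for convenience know it now also covers sudo. The signature and docstring of `base-pam-services` sit above this hunk, so that docstring change falls outside the visible lines.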
|
||||||
|
|