73 lines (60 loc) · 2.23 KB
default.nix
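# NixOS VM test: check that `caligula burn` can escalate to root through the
# selected tool (sudo, doas or run0) without a password prompt when launched by
# a non-root user who is a member of `wheel`.
#
# Arguments:
#   nixosTest      - the NixOS VM test builder
#   escalationTool - "sudo", "doas" or "run0"; picks the machine configuration
#                    and the binary exercised in the test script
#
# Evaluation fails with a readable error for any other escalationTool value.
{ nixosTest, escalationTool }:
nixosTest {
  name = "autoescalate-${escalationTool}";

  nodes.machine = { pkgs, lib, ... }:
    with lib; {
      imports = [
        (if escalationTool == "sudo" then {
          # Keep sudo and only drop the password requirement for wheel members.
          security.sudo = {
            enable = true;
            wheelNeedsPassword = false;
          };
        }
        else if escalationTool == "doas" then {
          # sudo is forced off so the test can only pass via doas.
          security.sudo.enable = mkForce false;
          security.doas = {
            enable = true;
            wheelNeedsPassword = false;
          };
        }
        else if escalationTool == "run0" then {
          security.sudo.enable = mkForce false;
          security.polkit.enable = true;
          # run0 authorises through polkit. The rule below answers YES for the
          # systemd "manage-units" action to anyone in wheel, so no password is
          # asked. Test fixture only: being able to manage units as root is
          # effectively root-equivalent access.
          # see https://warlord0blog.wordpress.com/2024/07/30/passwordless-run0/
          security.polkit.extraConfig = ''
            polkit.addRule(function(action, subject) {
              if (action.id == "org.freedesktop.systemd1.manage-units") {
                if (subject.isInGroup("wheel")) {
                  return polkit.Result.YES;
                }
              }
            });
          '';
          security.pam.services.su.requireWheel = true;
        }
        else
          # Previously the message was built with `++` and no separator, giving
          # e.g. "Unrecognized escalation toolfoo"; interpolate with ": " instead.
          builtins.throw "Unrecognized escalation tool: ${escalationTool}")
      ];

      # The unprivileged account the test script escalates from; wheel membership
      # is what each tool's passwordless rule keys on.
      users.users = {
        admin = {
          isNormalUser = true;
          extraGroups = [ "wheel" ];
        };
      };

      environment.systemPackages = with pkgs; [ caligula ];
    };

  # Python driver run inside the VM test. `print_logs` comes from ../common.py,
  # which is spliced in verbatim at the top.
  testScript = ''
    ${builtins.readFile ../common.py}
    try:
        # Set up loop devices: a 1 MiB zeroed target and a 100 KiB random image.
        machine.succeed('dd if=/dev/zero of=/tmp/blockfile bs=1M count=1')
        machine.succeed('dd if=/dev/urandom of=/tmp/input.iso bs=100K count=1')
        machine.succeed('losetup /dev/loop0 /tmp/blockfile')
        # Sanity check: can we run something without asking for a password?
        # `timeout 10` turns a password prompt into a failure instead of a hang.
        machine.succeed('timeout 10 su admin -c "${escalationTool} -- echo We are able to escalate without asking for a password"')
        with subtest("should succeed when run as non-root wheel user"):
            machine.succeed('timeout 10 su admin -c "caligula burn /tmp/input.iso --force -o /dev/loop0 --hash skip --compression auto --root always --interactive never"')
    finally:
        # Always dump machine logs so a failing escalation is diagnosable.
        print_logs(machine)
  '';
}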