Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/doas: let wheel keepEnv by default #88546

Closed
wants to merge 1 commit into from
Closed

nixos/doas: let wheel keepEnv by default #88546

wants to merge 1 commit into from

Conversation

@cole-h
Copy link
Member

cole-h commented May 21, 2020

Prior to this change, the behavior was inconsistent with the sudo
module; now, doas follows in sudo's footsteps by permitting members
of wheel to keep their environment by default.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Prior to this change, the behavior was inconsistent with the `sudo`
module; now, `doas` follows in `sudo`'s footsteps by permitting members
of `wheel` to keep their environment by default.
@cole-h cole-h requested a review from adisbladis May 21, 2020
@cole-h
Copy link
Member Author

cole-h commented May 21, 2020

@ofborg test doas

@colemickens
Copy link
Contributor

colemickens commented May 21, 2020

Does this cause doas to propagate the env by default, or just allow for it? Does that follow sudo's behavior in nixos?

@cole-h
Copy link
Member Author

cole-h commented May 21, 2020

I believe this propagates the env by default, which is consistent with sudo's default behavior on NixOS. This can be overridden by supplying any rule that either doesn't specify keepEnv, or explicitly sets it to false (the default).

Without keepenv for doas, and with SETENV: ALL for sudo:

[vin@scadrial:~]$ doas nixos-rebuild dry-build
building the system configuration...
error: file 'nixpkgs/nixos' was not found in the Nix search path (add it using $NIX_PATH or -I)
# failure :(

[vin@scadrial:~]$ sudo nixos-rebuild dry-build
building the system configuration...
# success!

With keepenv for doas:

[vin@scadrial:~]$ doas nixos-rebuild dry-build
building the system configuration...
# success!
@colemickens
Copy link
Contributor

colemickens commented May 21, 2020

I'm confused.

[cole@xeep:~]$ echo $TEST
foo

[cole@xeep:~]$ sudo bash

[root@xeep:/home/cole]# echo $TEST

@colemickens
Copy link
Contributor

colemickens commented May 21, 2020

Is SETENV: ALL the default for NixOS?

@adisbladis
Copy link
Member

adisbladis commented May 21, 2020

Is SETENV: ALL the default for NixOS?

Yes it is.

@colemickens
Copy link
Contributor

colemickens commented May 21, 2020

Okay, so be it. My understanding, still, is that sudo -E or adding env_keep directives to /etc/sudoers was necessary to propagate any environment variables through sudo.

That seems in contrast to what this PR will do, which will cause doas to propagate the environment by default.

However, maybe this is a non-issue. Is it typical for doas to keepEnv by default on other distros? Is it more important that we follow expectations for doas? Otherwise, I am naively assuming there is a reason that sudo acts this way by default and we might want to consider that.

@cole-h
Copy link
Member Author

cole-h commented May 21, 2020

SETENV: ALL is what allows a user to sudo -E (and thereby preserve their environment). Without that, sudo turns them away at the gate.

doas has no way to let a user say "I'm allowed to keep my environment, please let me do so" like sudo -E does -- it's either you get to keep your environment during invocation, or you don't.

I personally think this is fine, but open to hearing reasons why this might be a bad idea. After all, I could just add keepEnv to my local rules (like I currently do).

@emilazy
Copy link
Member

emilazy commented May 21, 2020

I'd prefer to not introduce this change; it makes the default behaviour of doas and sudo inconsistent, and environment variables implicitly leaking can lead to a lot of problems. I do wish doas let you permit keeping environment variables without forcing you to, though.

@emilazy
Copy link
Member

emilazy commented May 21, 2020

In particular it can lead to a program running as root deciding it should definitely try to create a bunch of files in your user's home directory and generally inheriting resources it ought not to.

@cole-h
Copy link
Member Author

cole-h commented May 21, 2020

Those are the kind of reasons I was looking for (or maybe not looking for, depending on how you look at it). I agree with @emilazy, and will instead just keep the change (keepEnv = true;) in my system configuration.

Thanks all for the input.

@cole-h cole-h closed this May 21, 2020
@cole-h cole-h deleted the cole-h:doas branch May 21, 2020
@cole-h cole-h removed the request for review from adisbladis May 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants
You can’t perform that action at this time.