authorLudovic Courtès <ludo@gnu.org>2014-05-01 15:29:24 +0200
committerLudovic Courtès <ludo@gnu.org>2014-05-01 22:31:36 +0200
commit696893801c9d4b83adc9a15ce60103142e7c1a79 (patch)
tree7087904402049156935769090d875c307b7c76dd
parentb9100e2f11a6735d37bb256ffecb947f9b7ce31f (diff)
system: Add 'sudo' to the setuid programs, and handle /etc/sudoers.
* gnu/system.scm (<operating-system>)[groups]: Change default to just the 'root' group. [sudoers]: New field. (etc-directory): Add #:sudoers parameter. Add 'sudoers' to the file union. (operating-system-etc-directory): Pass #:sudoers to 'etc-directory'. (%setuid-programs): Add 'sudo'. (%sudoers-specification): New variable. * gnu/system/linux.scm (base-pam-services): Add 'sudo'. * build-aux/hydra/demo-os.scm: Add 'groups' field; add 'guest' to the 'wheel' group.
-rw-r--r--build-aux/hydra/demo-os.scm9
-rw-r--r--gnu/system.scm30
-rw-r--r--gnu/system/linux.scm2
3 files changed, 32 insertions, 9 deletions
diff --git a/build-aux/hydra/demo-os.scm b/build-aux/hydra/demo-os.scm
index 3987c4048d..03449abda2 100644
--- a/build-aux/hydra/demo-os.scm
+++ b/build-aux/hydra/demo-os.scm
@@ -48,6 +48,15 @@
(uid 1000) (gid 100)
(comment "Guest of GNU")
(home-directory "/home/guest"))))
+ (groups (list (user-group (name "root") (id 0))
+ (user-group
+ (name "wheel")
+ (id 1)
+ (members '("guest"))) ; allow 'guest' to use sudo
+ (user-group
+ (name "users")
+ (id 100)
+ (members '("guest")))))
(services (cons* (slim-service #:auto-login? #t
#:default-user "guest")
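Review bot: The 'guest' account that slim-service auto-logs in (the `#:auto-login? #t` / `#:default-user "guest"` lines right below the hunk) is added to 'wheel' here, and with the commit's default `%sudoers-specification` granting `%wheel ALL=(ALL) ALL` the auto-login user is effectively root; the comment `; allow 'guest' to use sudo` understates that. Suggest `; allow 'guest' to use sudo -- on this demo image that is full root for the auto-login user; not a pattern for real configs`. The group ids 0, 1 and 100 are bare literals, which is fine for a demo but worth a word on why 'wheel' is 1. The demo-os form continues outside the hunk.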
diff --git a/gnu/system.scm b/gnu/system.scm
index ba105e2df1..6c94eb90c5 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -85,11 +85,7 @@
(groups operating-system-groups ; list of user groups
(default (list (user-group
(name "root")
- (id 0))
- (user-group
- (name "users")
- (id 100)
- (members '("guest"))))))
+ (id 0)))))
(packages operating-system-packages ; list of (PACKAGE OUTPUT...)
(default (list coreutils ; or just PACKAGE
@@ -111,8 +107,10 @@
(pam-services operating-system-pam-services ; list of PAM services
(default (base-pam-services)))
(setuid-programs operating-system-setuid-programs
- (default %setuid-programs))) ; list of string-valued gexps
+ (default %setuid-programs)) ; list of string-valued gexps
+ (sudoers operating-system-sudoers ; /etc/sudoers contents
+ (default %sudoers-specification)))
;;;
@@ -164,13 +162,15 @@ file."
(accounts '())
(groups '())
(pam-services '())
- (profile "/var/run/current-system/profile"))
+ (profile "/var/run/current-system/profile")
+ (sudoers ""))
"Return a derivation that builds the static part of the /etc directory."
(mlet* %store-monad
((passwd (passwd-file accounts))
(shadow (passwd-file accounts #:shadow? #t))
(group (group-file groups))
(pam.d (pam-services->directory pam-services))
+ (sudoers (text-file "sudoers" sudoers))
(login.defs (text-file "login.defs" "# Empty for now.\n"))
(shells (text-file "shells" ; used by xterm and others
"\
@@ -215,7 +215,9 @@ alias ll='ls -l'
#$timezone))
("passwd" ,#~#$passwd)
("shadow" ,#~#$shadow)
- ("group" ,#~#$group)))))
+ ("group" ,#~#$group)
+
+ ("sudoers" ,#~#$sudoers)))))
(define (operating-system-profile os)
"Return a derivation that builds the default profile of OS."
@@ -254,6 +256,7 @@ alias ll='ls -l'
#:pam-services pam-services
#:locale (operating-system-locale os)
#:timezone (operating-system-timezone os)
+ #:sudoers (operating-system-sudoers os)
#:profile profile-drv)))
(define %setuid-programs
@@ -261,7 +264,16 @@ alias ll='ls -l'
(let ((shadow (@ (gnu packages admin) shadow)))
(list #~(string-append #$shadow "/bin/passwd")
#~(string-append #$shadow "/bin/su")
- #~(string-append #$inetutils "/bin/ping"))))
+ #~(string-append #$inetutils "/bin/ping")
+ #~(string-append #$sudo "/bin/sudo"))))
+
+(define %sudoers-specification
+ ;; Default /etc/sudoers contents: 'root' and all members of the 'wheel'
+ ;; group can do anything. See
+ ;; <http://www.sudo.ws/sudo/man/1.8.10/sudoers.man.html>.
+ ;; TODO: Add a declarative API.
+ "root ALL=(ALL) ALL
+%wheel ALL=(ALL) ALL\n")
(define (operating-system-boot-script os)
"Return the boot script for OS---i.e., the code started by the initrd once
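Review bot: `%sudoers-specification` reaches /etc through the file union in `etc-directory` (the `("sudoers" ,#~#$sudoers)` entry), which as far as these hunks show leaves /etc/sudoers pointing at a world-readable store file; a stock sudo build refuses a sudoers file whose mode is not the configured 0440 (and one not owned by root), so unless the Guix sudo package is configured otherwise this likely needs a root-owned 0440 copy made at activation time rather than a link, and should be confirmed with a boot test. The `etc-directory` default `(sudoers "")` produces an empty policy, which is a safe default and deserves a line in the docstring, e.g. `SUDOERS is the text of /etc/sudoers; the empty default grants no one sudo rights.` In the last hunk `#$sudo` relies on a `sudo` binding that no visible hunk imports (shadow is fetched via `(@ (gnu packages admin) shadow)`), so check the module's `use-modules`. The `<operating-system>` record and `etc-directory` definitions begin outside the hunks.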
diff --git a/gnu/system/linux.scm b/gnu/system/linux.scm
index 4030d8860e..3a43eb45e3 100644
--- a/gnu/system/linux.scm
+++ b/gnu/system/linux.scm
@@ -157,6 +157,8 @@ should be the name of a file used as the message-of-the-day."
(list %pam-other-services
(unix-pam-service "su" #:allow-empty-passwords? allow-empty-passwords?)
(unix-pam-service "passwd"
+ #:allow-empty-passwords? allow-empty-passwords?)
+ (unix-pam-service "sudo"
#:allow-empty-passwords? allow-empty-passwords?)))
;;; linux.scm ends here
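Review bot: The new "sudo" PAM service inherits `allow-empty-passwords?`, so when that flag is on a 'wheel' member with an empty password presumably authenticates to sudo with no credential prompt and, under the commit's default /etc/sudoers, becomes root; that interaction is not stated anywhere. Suggest a comment above the added entry: `;; 'sudo' honors ALLOW-EMPTY-PASSWORDS? too; with a permissive /etc/sudoers this lets passwordless wheel members obtain root.` `base-pam-services` starts outside the hunk, so its docstring may be the better place for this.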