Sudo
security.sudo.configFile
This string contains the contents of the sudoers file.
Type: strings concatenated with "\n"
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix
security.sudo.defaultOptions
Options used for the default rules, granting root and the wheel group permission to run any command as any user.
Type: list of string
Default
["SETENV"]
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix
security.sudo.enable
Whether to enable the sudo command, which allows non-root users to execute commands as root.
Type: boolean
Default
true
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix
security.sudo.execWheelOnly
Only allow members of the wheel group to execute sudo, by installing the setuid binary with permissions that make it executable by root and the wheel group only.
This prevents users that are not members of wheel from exploiting vulnerabilities in sudo such as CVE-2021-3156, since they cannot run the binary at all.
Note that this also stops users outside wheel from using sudo legitimately, including users or groups granted rules through security.sudo.extraRules.
Type: boolean
Default
false
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix
security.sudo.extraConfig
Extra configuration text appended verbatim to the sudoers file, for example Defaults lines.
Type: strings concatenated with "\n"
Default
""
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix
security.sudo.extraRules
Define specific rules to be in the sudoers file.
sudo applies the last matching entry, not the most specific one, so more specific rules should come after more general ones in order to
yield the expected behavior. You can use mkBefore/mkAfter to ensure
this is the case when configuration options from several modules are merged.
Type: list of (submodule)
Default
[ ]
Example
```nix
[
  # Allow execution of any command by all users in group sudo,
  # requiring a password.
  { groups = [ "sudo" ]; commands = [ "ALL" ]; }

  # Allow execution of "/home/root/secret.sh" by user backup, database
  # and the group with GID 1006 without a password.
  { users = [ "backup" "database" ]; groups = [ 1006 ];
    commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }

  # Allow all users of group bar to run two executables as user foo
  # with arguments being pre-set (the trailing "" means "no arguments").
  { groups = [ "bar" ]; runAs = "foo";
    commands =
      [ "/home/baz/cmd1.sh hello-sudo"
        { command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; }
]
```
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix
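A complete configuration that combines the options documented above (enable, defaultOptions, execWheelOnly, extraConfig and extraRules) into a least-privilege sudo setup. It is added here as an illustration and is not taken from the NixOS manual or from nixpkgs. The group name webops, the user names backup and www, the script /etc/backup/run-backup.sh, the path /srv/site, and the presence of git and systemctl under /run/current-system/sw/bin are all assumptions made for the example.

```nix
# Added example, not part of the NixOS manual or nixpkgs.
# Assumed names: group "webops", users "backup" and "www",
# /etc/backup/run-backup.sh, /srv/site, and git/systemctl being
# installed via environment.systemPackages.
{ lib, ... }:

{
  security.sudo = {
    enable = true;

    # Members of wheel keep the default rule (any command, as any user)
    # but must authenticate for it.
    wheelNeedsPassword = true;

    # The default root/wheel rule carries SETENV by default; an empty list
    # drops it, so `sudo VAR=value cmd` is refused for wheel members.
    defaultOptions = [ ];

    # The rules below grant sudo to accounts that are not in wheel, so the
    # binary must remain executable by everyone. If every sudo user is a
    # wheel member, set this to true so nobody else can even run sudo.
    execWheelOnly = false;

    # sudo uses the last matching entry, so refinements of the general
    # wheel rule must be written after it. mkAfter sorts these rules after
    # the module's default root/wheel rules and after extraRules that other
    # modules contribute.
    extraRules = lib.mkAfter [
      # wheel may restart exactly one unit without a password; every other
      # command still prompts because only the general rule matches it.
      # sudoers needs absolute paths; on NixOS the system profile lives
      # under /run/current-system/sw/bin.
      {
        groups = [ "wheel" ];
        commands = [
          { command = "/run/current-system/sw/bin/systemctl restart nginx.service";
            options = [ "NOPASSWD" ]; }
        ];
      }

      # The backup service account may run one script, as root, with no
      # arguments (the trailing "" forbids any) and without a password.
      # The script must be root-owned and not writable by "backup",
      # otherwise NOPASSWD on it is a direct root escalation.
      {
        users = [ "backup" ];
        commands = [
          { command = ''/etc/backup/run-backup.sh ""''; options = [ "NOPASSWD" ]; }
        ];
      }

      # Members of webops may run a single fixed git command, only as the
      # unprivileged "www" user, never as root. Arguments must match exactly.
      {
        groups = [ "webops" ];
        runAs = "www";
        commands = [ "/run/current-system/sw/bin/git -C /srv/site pull --ff-only" ];
      }
    ];

    # Hardening defaults that have no dedicated NixOS option are appended
    # verbatim to sudoers through extraConfig.
    extraConfig = ''
      Defaults use_pty
      Defaults timestamp_timeout=5
    '';
  };
}
```

After nixos-rebuild switch, `sudo -l -U backup` and `sudo -l -U <webops member>` list exactly the commands each account may run, which is the quickest way to confirm that the ordering and the runAs restriction came out as intended.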
security.sudo.extraRules.*.commands
The commands for which the rule should apply. Each entry is either a plain sudoers command string (an absolute path, optionally followed by the exact arguments the user must supply, or "ALL") or an attribute set with a command and a list of options such as NOPASSWD or SETENV.
Type: list of (string or (submodule))
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix
security.sudo.extraRules.*.groups
The groups / GIDs this rule should apply for. A string names a group; an integer is a GID and is written to sudoers as %#GID.
Type: list of (string or signed integer)
Default
[ ]
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix
security.sudo.extraRules.*.host
The host (or host alias) this rule should apply for, as written in the sudoers host field.
Type: string
Default
"ALL"
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix
security.sudo.extraRules.*.runAs
Under which user/group the specified command is allowed to run.
A user can be specified using just the username: "foo".
It is also possible to specify a user/group combination using "foo:bar", or to only allow running as a specific group with ":bar".
Type: string
Default
"ALL:ALL"
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix
security.sudo.extraRules.*.users
The usernames / UIDs this rule should apply for. A string names a user; an integer is a UID and is written to sudoers as #UID.
Type: list of (string or signed integer)
Default
[ ]
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix
security.sudo.keepTerminfo
Whether to preserve the TERMINFO and TERMINFO_DIRS environment variables, for root and the wheel group.
Type: boolean
Default
true
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/terminfo.nix
security.sudo.package
The sudo package to use.
Type: package
Default
pkgs.sudo
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix
security.sudo.wheelNeedsPassword
Whether users of the wheel group must provide a password to run commands as super user via sudo.
Type: boolean
Default
true
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/sudo.nix