So I have added a few sudo rows to my sudoers file that allow the user that is running the GitHub runner to run specific sudo commands without a password.
This works great when I run them manually as that user.
But when I try to execute them from the GitHub runner I get the error:
```
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
```
I set `NoNewPrivileges` to false using `services.github-runners.<name>.serviceOverrides` and it's correctly reflected in the service file, but sadly that didn't work, as I still get the same error.
So then I found the following text here:
> **NoNewPrivileges=**
> Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this setting. This is the case when SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, MemoryDenyWriteExecute=, RestrictRealtime=, RestrictSUIDSGID=, DynamicUser= or LockPersonality= are specified. Note that even if this setting is overridden by them, systemctl show shows the original value of this setting. See also: No New Privileges Flag.
Using `serviceOverrides` I can turn off all flags, but lists like `SystemCallFilter` and `RestrictAddressFamilies` are merged with the base definition…
So even if I write
```nix
RestrictAddressFamilies = [];
SystemCallFilter = [];
```
Nix still generates:
```ini
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=AF_NETLINK
SystemCallFilter=~@clock
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~capset
SystemCallFilter=~setdomainname
SystemCallFilter=~sethostname
```
Is there some way to clear them, or is there some other way to achieve sudo commands?
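The systemd documentation quoted above notes that `systemctl show` reports the configured `NoNewPrivileges=` value even when other hardening options have forced the flag on, so the only reliable way to know whether a runner process really has no_new_privs set is to read the kernel's own view in `/proc/<pid>/status`. The following shell snippet is an added example (not part of the original post or of the NixOS module) that does exactly that; the unit name passed to `nnp_for_unit` is an assumption, and the sample status file at the bottom is constructed so the check can run offline.

```shell
#!/bin/sh
# Added example: read the kernel's effective no_new_privs flag from a
# /proc/<pid>/status-style file. `systemctl show -p NoNewPrivileges` only
# echoes the unit file setting, so it cannot tell you whether SystemCallFilter=
# or RestrictAddressFamilies= have implicitly enabled the flag.

# Print the NoNewPrivs value (0 or 1) found in the given status file.
nnp_from_status() {
    awk '/^NoNewPrivs:/ { print $2 }' "$1"
}

# Report the flag for the main process of a systemd unit (assumes a systemd
# host; the unit name, e.g. github-runner-<name>.service, is an argument).
nnp_for_unit() {
    pid=$(systemctl show -p MainPID --value "$1")
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "unit $1 has no running main process" >&2
        return 2
    fi
    nnp_from_status "/proc/$pid/status"
}

# Constructed sample status file (not a real process) for an offline check:
# a value of 1 means sudo inside this process tree will refuse to elevate.
sample=$(mktemp)
printf 'Name:\tsudo\nPid:\t4242\nNoNewPrivs:\t1\nSeccomp:\t2\n' > "$sample"
nnp_from_status "$sample"   # prints 1
rm -f "$sample"
```

On a live host, `nnp_for_unit github-runner-<name>.service` (substituting the real runner name) prints `1` if any child of the unit will hit the "no new privileges" error regardless of what the unit file says, and `0` once the hardening lists have actually been cleared.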