I’m trying to lock down security on my NixOS hosts. Currently I rebuild from my development host using a dedicated deploy user on the target hosts, using pam for passwordless sudo like so:
Ideally, I’d like to lock down the deploy user to only having passwordless sudo on the commands needed to rebuild as in this thread however looking in the logs it seems like the commands are wrapped in /bin/sh -c:
which upsets my sudoers approach without giving the user passwordless sudo access to /bin/sh, which would seem to defeat the whole point of locking it down. I’d love to know if anyone has got this working, thanks!
Since the deployed configuration can change the sudoers configuration or run anything it wants as root in an activation script or service, is locking this down accomplishing anything?
Consider instead making the deploy user be an alt-root account (that is, an account with uid 0 but whose name isn’t root), and using ssh’s forced command mechanism to control what commands it can run. Then you don’t need sudo at all.
I might be misunderstanding what you’re saying, but my aim was to restrict as much as possible the user which can deploy configuration, so a malicious configuration like you describe wouldn’t be possible. I made sudo capabilities only available over SSH so even if the deploy user on the host is compromised, the configuration can’t be changed locally.
Hey I hadn’t thought of this, thanks . I haven’t head of ssh’s forced command mechanism or know it was possible to have multiple accounts share a UID. Since I’m rebuilding the configuration remotely (nixos-rebuild switch –-target-host=…), the arguments change slightly for each rebuild, do you think this method would still work?
[EDIT: I found a generic wrapper script someone already wrote: The Only Way For SSH Forced Commands I have not tried to use it myself, and it looks old enough that it might require a bunch of tweaking, but it’ll at least give you somewhere to start. ]