Securely login as different user without password / sudo

Hi folks,

I have used Linux for many years and NixOS is the first distro where my user (my desktop user) is not a member of wheel. I don’t need sudo since all changes are done by nixos-rebuild, which means I can from time to time just su as root by typing the password, run nixos-rebuild and then log off. Perfect! Thank you Nix and NixOS and the community!

But today I realized that there is one small thing that might require sudo.

I have a few special (without home dir) users that are unprivileged (not in wheel) users. I use them for development. I’d like to be able to use them without much of a hassle. Could you please give me some tips that won’t break any security rules?

Ideas:

  1. su as root and then sudo -su dev1user or sudo su dev1user - this is what I do now but it’s annoying to type root password all the time…
  2. I can give the dev1user user a password and then just su dev1user but I’d prefer other option…
  3. I can configure sudoers for my user to run a command without password: me ALL = NOPASSWD: .... But I’d prefer an option without sudo.
  4. I can create a package with a simple C/Go binary that will execute su dev1user and I can set setuid bit chmod u+s in mkDerivation for this binary… I know - setuid is evil, but in this case…
     ```c
     #include <unistd.h>
     int main() {
         setuid(0);
         execle("/usr/bin/env","bash","...",(char*) NULL,(char*) NULL);
     }
     ```

  1. Well, if you dislike sudo there is also doas
  2. You can’t have setuid files in the store.
  3. If you do a setuid wrapper, maybe make it owned directly by the target user so that you don’t even pass through root?
  4. Unless you check the UID of the calling user, this may slightly weaken UID isolation of unrelated things by letting them all switch to your test users.

There are a variety of tools meant to replace sudo, such as doas. You also could configure sudo to allow your user to use it with root privileges excluded.

The ArchWiki article on sudo has a lot of good information on this topic.

Isn’t that just effectively hand-rolling sudo…?

To be fair, it gets rid of a parser (and also all the policy logic)

You actually can’t, since the Nix store doesn’t preserve permissions other than the executable bit. You’d have to use NixOS’s security.wrappers.

But yeah, I’d just use sudo.

I finally had some time to play with security.wrappers, thank you for letting me know about this functionality.

Absolutely, I was thinking about a config file in etc that would map user:usertologinas.

Yes - exactly. But much simpler than sudo => in theory without security issues. My problem is that I don’t trust myself enough to write defensively enough in C or even in Golang.

I didn’t realize doas is a thing in Linux. I just remember using that on OpenBSD. It’s cool that it is packaged for NixOS. I’ll try it. This seems the best solution. Thank you.
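
The wrapper idea discussed in this thread (owned by the target user rather than root, with a check on the calling UID), as an added example that is not code from any poster. The allow-listed UID 1000, the `/bin/sh` target and the `PATH` value are assumptions, and the binary is assumed to be installed setuid to the target account, for example through security.wrappers.

```c
/* Added example, not code from the thread. Assumes the binary is installed
 * setuid (and optionally setgid) to the target account, never to root. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical policy: real UIDs allowed to switch (1000 is an assumption). */
static const uid_t ALLOWED_UIDS[] = { 1000 };
#define N_ALLOWED (sizeof ALLOWED_UIDS / sizeof ALLOWED_UIDS[0])

/* Return 1 if the calling (real) UID is on the allow-list, else 0. */
int caller_allowed(uid_t caller, const uid_t *allowed, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == caller)
            return 1;
    return 0;
}

/* Make the switch permanent: real and effective IDs become the file's
 * owner/group; on Linux setre[ug]id() then resets the saved IDs as well.
 * Supplementary groups stay the caller's: setgroups() needs CAP_SETGID. */
int commit_identity(void) {
    gid_t g = getegid();
    uid_t u = geteuid();
    if (setregid(g, g) != 0 || setreuid(u, u) != 0)
        return -1;
    /* Fail closed if any ID is not what we asked for. */
    if (getuid() != u || geteuid() != u || getgid() != g || getegid() != g)
        return -1;
    return 0;
}

int main(void) {
    if (!caller_allowed(getuid(), ALLOWED_UIDS, N_ALLOWED)) {
        fputs("switch: caller not permitted\n", stderr);
        return 1;
    }
    if (commit_identity() != 0) {
        perror("switch: dropping to target identity");
        return 1;
    }
    /* Fixed argv and minimal environment: once the IDs match, the shell would
     * honour an inherited LD_PRELOAD, PATH or ENV supplied by the caller. */
    char *const argv[] = { "sh", NULL };
    char *const envp[] = { "PATH=/run/current-system/sw/bin", NULL };
    execve("/bin/sh", argv, envp);
    perror("switch: execve");
    return 1;
}
```

Because the wrapper cannot call setgroups(), the resulting shell keeps the caller's supplementary groups, which is one of the things sudo and doas handle for you.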