I would like to setup my system to use a different password for sudo than for login.
I’ve found out how to do this for non-NixOS systems here, but I’d like to be able to do this on my NixOS device.
rootpw isn’t an effective solution here, as that allows logging into root directly via a different tty, unless there is a way to cut away the other ttys…
For context (to narrow down what would be helpful) this is for the purpose of parental control. The child should not be able to login without parental permission (withholding the login password), but once logged-in, they should be allowed to perform system administration (sudo).
I’m still a beginner at NixOS, so I don’t know how to translate this into my declarative configuration.
Digging further, I find that this is yet to be implemented.
This would be related to security.sudo.wheelNeedsPassword, so I propose a change.
security.sudo.wheelNeedsPassword
↓
security.sudo.sudoPassword = {
  enable = true; # wheelNeedsPassword takes effect here.
  type = "separate"; # Can be "separate", "account", or "root"
  # Account means the wheel user just uses their own password for sudo,
  # root means the root password is used (rootpw), and separate means
  # there is a user-specific password set that is separate from the login
  # password, like configured here:
  # https://unix.stackexchange.com/questions/94626/set-sudo-password-differently-from-login-one
  # Perhaps there could be a separate command for setting sudo passwords for
  # mutable users? Otherwise, how would I declaratively (and securely) set
  # passwords?
};
Of course, this could be generalised to security.sudo-rs.
This would also require an addition to the (insecure) method of setting passwords declaratively:
users = {
  users.<name> = {
    password = "";
    sudoPassword = ""; # This could be added
  };
  extraUsers.<name> = {
    password = "";
    sudoPassword = ""; # Of course, for extraUsers as well.
  };
};
I’m a beginner, so don’t take this namespace and layout idea as authoritative. Those with more experience may think of a better layout.
As I’ve seen others do, I’ll tag a couple of relevant developers to get eyes on this: @joachifm @jtojnar
Thanks for the awesome Nix package manager, as well as NixOS!
I’m looking forward to things, and am willing to try to learn, though please note that my experience is very limited.
This seems like a pretty off-label use of sudo, so I’d be reluctant to endorse making config options specifically for this use case, but there are ways you can modify your PAM configuration to follow the instructions that you found on SE. It is frustratingly undocumented if you don’t know about this PR, and the relevant options don’t even appear in NixOS option search! But you can always explore your current NixOS configuration in a REPL with nix repl --file '<nixpkgs/nixos>', and if you do that and have a peek at config.security.pam.services.sudo.rules.auth you can see the configuration elements that generate the current auth entries in your machine’s /etc/pam.d/sudo file. In your configuration.nix file, you can manipulate these:
security.pam.services.sudo.rules.auth = {
  # Disable an existing line
  unix.enable = lib.mkForce false;
  # Add a new one
  userdb = {
    enable = true;
    order = 9000; # go first, before deny.order, which is 12400
    control = "[success=1 default=ignore]";
    modulePath = "${config.security.pam.package}/lib/security/pam_userdb.so";
    args = [ "crypt=crypt" "db=/your/custom/location/here" ];
  };
};
The above is entirely untested; based strictly on the configuration in your SE link, I think you’ll want something like this, but you will likely have to fiddle with the details to get it working.
While you’re hacking around, get a sneak peek of what your /etc/pam.d/sudo file will look like without rebuilding your entire machine with nix eval --raw --file '<nixpkgs/nixos>' config.security.pam.services.sudo.text.
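As an added check (not code from either post), the following Python script parses the pam.d text that the nix eval command above prints and verifies that the auth stack really matches the intended layout: no pam_unix.so left in the auth section (otherwise the login password still unlocks sudo), exactly one pam_userdb.so rule with crypt=crypt and [success=1 default=ignore], and pam_deny.so immediately after it, because success=1 jumps over exactly one rule. The sample stacks and the db path are constructed for illustration.

```python
import re
# type, control (bare word or a [bracketed action list]), module path, optional args
_RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Constructed sample of the auth stack the overrides above aim for (not real nix eval output).
GOOD_SUDO = """\
# Generated by NixOS (constructed sample)
auth [success=1 default=ignore] /nix/store/xxx-linux-pam/lib/security/pam_userdb.so crypt=crypt db=/var/lib/sudo-passwd
auth required pam_deny.so
account required pam_unix.so
"""
# Constructed sample of a broken stack: pam_unix still enabled between userdb and deny, and no crypt=crypt.
BAD_SUDO = """\
auth [success=1 default=ignore] pam_userdb.so db=/var/lib/sudo-passwd
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
"""

def parse_pam(text):
    """Parse pam.d-style text into (type, control, module basename, args) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM rule: {raw!r}")
        ptype, control, module, args = m.groups()
        rules.append((ptype, control, module.rsplit("/", 1)[-1], args.split()))
    return rules

def audit_sudo_auth(text):
    """Return a list of problems; an empty list means the auth stack matches the intended layout."""
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    problems = []
    if any(r[2] == "pam_unix.so" for r in auth):
        problems.append("pam_unix.so still in the auth stack: the login password also unlocks sudo")
    hits = [i for i, r in enumerate(auth) if r[2] == "pam_userdb.so"]
    if len(hits) != 1:
        return problems + [f"expected exactly one pam_userdb.so auth rule, found {len(hits)}"]
    i = hits[0]
    control, args = auth[i][1], auth[i][3]
    if control != "[success=1 default=ignore]":
        problems.append(f"pam_userdb.so control is {control!r}, expected '[success=1 default=ignore]'")
    if "crypt=crypt" not in args:
        problems.append("pam_userdb.so lacks crypt=crypt: the db would hold plaintext passwords")
    following = auth[i + 1][2] if i + 1 < len(auth) else None  # success=1 jumps exactly one rule
    if following != "pam_deny.so":
        problems.append(f"success=1 skips only the next rule, which is {following}, not pam_deny.so")
    return problems
```

Feed it the real output of the nix eval command (for example via `audit_sudo_auth(open("sudo.pam").read())`) before switching to the new configuration.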