Edit: While typing this I did some more troubleshooting and found a workaround. Posting because I think it may help others running into a similar problem.
I have an admin user set up as a member of %wheel, which by default provides the ability to run any command as sudo. However, there are specific commands I want the user to be able to run without a password. I’m configuring sudo as follows (abbreviated to a single command for simplicity):
<SNIP>
root ALL=(ALL:ALL) SETENV: ALL
%wheel ALL=(ALL:ALL) SETENV: ALL
user ALL=NOPASSWD: SCRIPTS
<SNIP>
All fine. However, I’m unable to run the configured command without a password:
$ sudo -l
Matching Defaults entries for user on host:
!tty_tickets, !lecture, !env_reset, timestamp_timeout=120,
env_keep+=TERMINFO_DIRS, env_keep+=TERMINFO
User user may run the following commands on host:
(root) NOPASSWD: /run/wrappers/bin/mount
(ALL : ALL) SETENV: ALL
$ sudo mount
[sudo] password for user:
I spent a while troubleshooting this and found it’s an ordering issue. If I manually edit /etc/sudoers and put the user NOPASSWD line after %wheel:
Defaults !tty_tickets, !lecture, !env_reset, timestamp_timeout = 120
Cmnd_Alias SCRIPTS = /run/wrappers/bin/mount
user ALL=NOPASSWD: SCRIPTS
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
# or ‘security.sudo.extraRules’ instead.
root ALL=(ALL:ALL) SETENV: ALL
%wheel ALL=(ALL:ALL) SETENV: ALL
# extraConfig
# Keep terminfo database for root and %wheel.
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
Defaults:root,%wheel env_keep+=TERMINFO
Then it works as expected:
$ sudo mount
devtmpfs on /dev type devtmpfs (rw,nosuid,size=1598444k,nr_inodes=3990817,mode=755)
<SNIP>
Edit: This is where I was about to post for help, but then I discovered that security.sudo.configFile is written before the default root/%wheel lines, while security.sudo.extraConfig is written after those lines. Simply changing my config from configFile to extraConfig resolved the problem for me.
Hope this saves someone else some time.
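A small model of sudo's last-match rule ordering, added here as an illustration (it is not the poster's code and not NixOS's sudoers generator): it evaluates the two layouts the post describes and reports whether a password is required. The sudoers fragments and the assumption that `user` is in %wheel are constructed for the example; the parser handles only Cmnd_Alias and user spec lines.

```python
import re

# Constructed sudoers fragments mirroring the post (not the real generated file).
ALIAS = "Cmnd_Alias SCRIPTS = /run/wrappers/bin/mount"
USER_RULE = "user ALL=NOPASSWD: SCRIPTS"
DEFAULT_RULES = ["root ALL=(ALL:ALL) SETENV: ALL", "%wheel ALL=(ALL:ALL) SETENV: ALL"]
GROUPS = {"user": {"wheel"}}  # assumed group membership: user is in %wheel

def parse(lines):
    """Minimal sudoers reader: Cmnd_Alias definitions and user spec lines only."""
    aliases, specs = {}, []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        who, rest = line.split(None, 1)
        rest = re.sub(r"^\S+?=\s*(\([^)]*\)\s*)?", "", rest)  # drop host and (runas)
        tags = set()
        while (t := re.match(r"(NOPASSWD|PASSWD|SETENV|NOSETENV):\s*", rest)):
            tags.add(t.group(1))
            rest = rest[t.end():]
        specs.append((who, tags, [c.strip() for c in rest.split(",")]))
    return aliases, specs

def needs_password(lines, user, cmd, groups=GROUPS):
    """sudo applies the LAST matching user spec, so rule order decides the tag."""
    aliases, specs = parse(lines)
    required = True  # sudo's default when no matching rule carries NOPASSWD
    for who, tags, cmds in specs:
        if who.startswith("%"):
            if who[1:] not in groups.get(user, set()):
                continue
        elif who != user:
            continue
        expanded = [x for c in cmds for x in aliases.get(c, [c])]
        if "ALL" in expanded or cmd in expanded:
            required = "NOPASSWD" not in tags
    return required

def configfile_layout():
    """security.sudo.configFile lands BEFORE the root/%wheel defaults (per the post)."""
    return [ALIAS, USER_RULE] + DEFAULT_RULES

def extraconfig_layout():
    """security.sudo.extraConfig lands AFTER the root/%wheel defaults (per the post)."""
    return DEFAULT_RULES + [ALIAS, USER_RULE]
```

Calling `needs_password(configfile_layout(), "user", "/run/wrappers/bin/mount")` reports a password is required, while the extraConfig layout does not, matching the behaviour in the post.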