Sudo-rs not working, suid not set

BoredSquirrel · April 22, 2025, 7:41pm

sudo echo hello
sudo-rs: sudo must be owned by uid 0 and have the setuid bit set

This is really weird, as I used sudo-rs before. These are the options I have set

security.sudo.package = pkgs.sudo-rs;
security.sudo-rs.enable = true;


security.sudo.execWheelOnly = true;
security.sudo-rs.execWheelOnly = true;

I tried just enabling sudo-rs, not setting the sudo package. No change.

Just enabling sudo and setting the package as sudo-rs does not work either.

Using up-to-date unstable 25.05

delliott · April 22, 2025, 7:50pm

Perhaps try disabling sudo rather than replacing the package?

I think you have sudo-rs installed twice.

I have

  security = {
    sudo.enable = false;
    sudo-rs = {
      enable = true;
      execWheelOnly = true;
      wheelNeedsPassword = true;
    };
  };

And mine works nicely.

BoredSquirrel · April 22, 2025, 7:58pm

Hm, I has set a single rule regarding sudo, I will remove that as they maybe interfere. So I only have rules regarding sudo-rs

It still does not work, weird…

Ballmerpeaking · April 22, 2025, 11:11pm

Have you explicitly disabled sudo? It’s enabled by default, so I think you have to also explicitly disable it.

BoredSquirrel · April 22, 2025, 11:14pm

I think I also tried that, but can try again

dsparby · April 23, 2025, 1:16pm

It’s actually enforced with an assertion in the sudo-rs module. Setting sudo’s package to be sudo-rs is similarly disallowed. Owner and suid bit, which the error message is complaining about, is handled by creating a wrapper using the security.wrappers option. Do you have /run/wrappers/bin before /run/current-system/sw/bin in your $PATH? And is there a file named sudo in that wrappers directory?

BoredSquirrel · April 23, 2025, 1:37pm

Weird, I thought the suid should be set in the enable option?

I think I got it now.

# sudo-rs
    security.wrappers.sudo-rs = {
        #source = "${lib.getExe pkgs.sudo-rs}";
        source = "${pkgs.sudo-rs}/bin/sudo";
        setuid = true;
        setgid = true;
        owner = "0";
        group = "0";
    };

The former source does not work, because the binary of sudo-rs is sudo!

The owner and group need to be 0, not root!

It works in fish and bash now.

But to be clear, this should not be needed?

eblechschmidt · April 23, 2025, 3:35pm

This should work though:

source = "${lib.getExe' pkgs.sudo-rs "sudo"}";

dsparby · April 23, 2025, 3:56pm

True, you shouldn’t need to configure this manually. I have the same config as delliott above, works as expected.

arthsmn · April 23, 2025, 4:06pm

This is a problem with the packaging. The sudo-rs package should have a meta.mainProgram set to “sudo”. Created a fix here.

Edit: now that my PR is merged, you can use lib.getExe pkgs.sudo-rs to create the wrapper.