```
sudo echo hello
sudo-rs: sudo must be owned by uid 0 and have the setuid bit set
```
This is really weird, as I used sudo-rs before. These are the options I have set:

```nix
security.sudo.package = pkgs.sudo-rs;
security.sudo-rs.enable = true;
security.sudo.execWheelOnly = true;
security.sudo-rs.execWheelOnly = true;
```
I tried just enabling sudo-rs, not setting the sudo package. No change.
Just enabling sudo and setting the package as sudo-rs does not work either.
Using up-to-date unstable 25.05
Perhaps try disabling sudo rather than replacing the package? I think you have sudo-rs installed twice.
I have

```nix
security = {
  sudo.enable = false;
  sudo-rs = {
    enable = true;
    execWheelOnly = true;
    wheelNeedsPassword = true;
  };
};
```
And mine works nicely.
Hm, I had set a single rule regarding sudo; I will remove that as they may interfere. So I only have rules regarding sudo-rs
It still does not work, weird…
Have you explicitly disabled sudo? It’s enabled by default, so I think you have to also explicitly disable it.
I think I also tried that, but can try again
It’s actually enforced with an assertion in the sudo-rs module. Setting sudo’s package to be sudo-rs is similarly disallowed. Owner and suid bit, which the error message is complaining about, is handled by creating a wrapper using the security.wrappers option. Do you have /run/wrappers/bin before /run/current-system/sw/bin in your $PATH? And is there a file named sudo in that wrappers directory?
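A diagnostic for the two questions asked in the post above, as an added example that is not part of the thread or of NixOS itself: it checks whether /run/wrappers/bin precedes /run/current-system/sw/bin in $PATH and whether the sudo wrapper there is setuid and owned by uid 0. The function names are hypothetical.

```shell
# Added example; function names are hypothetical. Paths are those named in the thread.
WRAPPERS=/run/wrappers/bin
SYSTEM=/run/current-system/sw/bin

# Succeeds if directory $2 occurs before directory $3 in PATH-style list $1.
# Fails if $2 is absent; succeeds if $2 is present and $3 is absent.
path_before() {
    old_ifs=$IFS; IFS=:; set -f
    result=1
    for d in $1; do
        d=${d%/}                      # tolerate a trailing slash
        case $d in
            "$2") result=0; break ;;
            "$3") result=1; break ;;
        esac
    done
    set +f; IFS=$old_ifs
    return "$result"
}

# Prints the first executable named $2 found in PATH-style list $1.
first_in_path() {
    old_ifs=$IFS; IFS=:; set -f
    found=
    for d in $1; do
        if [ -x "${d:-.}/$2" ]; then found="${d:-.}/$2"; break; fi
    done
    set +f; IFS=$old_ifs
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Succeeds if $1 is a regular file with the setuid bit, owned by uid 0:
# the two conditions the sudo-rs error message names.
is_setuid_root() {
    [ -f "$1" ] && [ -u "$1" ] || return 1
    [ "$(ls -lnL "$1" | awk '{print $3}')" = "0" ]
}

diagnose() {
    path_before "$PATH" "$WRAPPERS" "$SYSTEM" \
        && echo "ok: $WRAPPERS precedes $SYSTEM in PATH" \
        || echo "problem: $WRAPPERS is absent from PATH or comes after $SYSTEM"
    echo "sudo resolves to: $(first_in_path "$PATH" sudo || echo '(not found)')"
    is_setuid_root "$WRAPPERS/sudo" \
        && echo "ok: $WRAPPERS/sudo is setuid and owned by uid 0" \
        || echo "problem: $WRAPPERS/sudo is missing, not setuid, or not owned by uid 0"
}

diagnose
```

If sudo resolves to a path under /run/current-system/sw/bin, the shell is running the unwrapped binary, which matches the error message at the top of the thread.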
Weird, I thought the suid should be set in the enable option?
I think I got it now.
```nix
# sudo-rs
security.wrappers.sudo-rs = {
  #source = "${lib.getExe pkgs.sudo-rs}";
  source = "${pkgs.sudo-rs}/bin/sudo";
  setuid = true;
  setgid = true;
  owner = "0";
  group = "0";
};
```
The former source does not work, because the binary of sudo-rs is sudo!
The owner and group need to be 0, not root!
It works in fish and bash now.
But to be clear, this should not be needed?
This should work though:

```nix
source = "${lib.getExe' pkgs.sudo-rs "sudo"}";
```
True, you shouldn’t need to configure this manually. I have the same config as delliott above, works as expected.
This is a problem with the packaging. The sudo-rs package should have a meta.mainProgram set to “sudo”. Created a fix here.
Edit: now that my PR is merged, you can use lib.getExe pkgs.sudo-rs to create the wrapper.