I’m looking for new user escalation setups, out of curiosity / for learning’s sake.
What I found (as far as I know) is that for editing root files (in my case I only want to edit /etc/nixos/* files as root), only sudo seems to have the capability of running a root shell for the editor.
I was thinking about the following setups for my configuration edit script (using sudo-rs as the default sudo for all of them):
1. edit a specific configuration file in a temporary folder in my home directory, use run0 to redirect said file to /etc/nixos, then delete the temporary folder
2. use sudo for sudoedit, sudo-rs for everything else (I’d have to look up how to do it declaratively)
I wanted to ask if you can recommend a different setup and if there are other important user escalation commands that I should be aware of.
This may not be within the bounds of what you wanted an answer about, but it’s worth considering if /etc/nixos really needs to be owned by root at all. I know many nixos users, myself included, edit their configurations under their normal user permissions, and only escalate for activation.
That was my first bullet point, sorry if I misexplained. If it’s the common choice, I’ll modify my script to do it. Is it generally bad practice to edit files as the root user, as it would escalate privileges for an undefined (potentially long) time? Thank you.
The other part of the question is whether there are safer alternatives for escalating privileges to move the files to /etc/nixos (other than using sudo), or if just sticking to sudo is good enough / something one shouldn’t worry about in practice.
I’m literally suggesting running sudo chown -R $(whoami) /etc/nixos and leaving it that way. Your bullet point 1 seemed to describe a more complex temporary file setup.
This opens up the possibility of a sneaky edit to your config going unnoticed until your next nixos-rebuild, but only at the time of a nixos-rebuild is there an actual opportunity to accomplish anything. The files are inert at all other times, unlike most files in /etc. On most desktop systems, in practice, the game’s already mostly over if an attacker gets access as your user, so it’s not unreasonable to choose the simplicity of the user owning the config over the bit of additional security gained by leaving it owned by root.
Running your editor as the root user is both an unnecessarily large attack surface, and potentially a source of problems with the editor’s configuration. As with everything in security, though, it depends on your threat model.
Sudo has the advantage of being the most commonly used privilege escalation tool, and thus probably the most heavily scrutinized. It is more complex than a tool in its role perhaps should be, but realistically, that’s not a security distinction that’s relevant to almost anyone in actual usage. Overall, I wouldn’t spend much time fretting over which escalation tool you use, and instead spend that time on what you run as root and whether you really need to.
Well, if you want to be 100% paranoid, put your files in a git repo. Now you have trivial change tracking; you just need to double-check that the hash matches what you last deployed every time you rebuild.
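A concrete form of that check, as an added example that is not part of the thread: a POSIX shell script that snapshots a SHA-256 manifest of the configuration tree after each successful rebuild and, before the next one, lists every file that differs so an unintended edit stands out. It hashes the files directly instead of relying on a git commit hash, so it also catches untracked files in a user-owned /etc/nixos; the CONFIG_DIR and MANIFEST defaults and the guarded_rebuild wrapper are assumptions for illustration (the --use-remote-sudo flag it passes is the one mentioned later in this thread).

```shell
#!/bin/sh
# Added example, not from the thread: detect changes to a user-owned
# /etc/nixos since the last deploy, so nothing sneaks into a nixos-rebuild
# unreviewed. Assumed defaults (override via the environment):
CONFIG_DIR=${CONFIG_DIR:-/etc/nixos}
MANIFEST=${MANIFEST:-$HOME/.cache/nixos-deployed.sha256}

hash_file() {
    # Print "hash  path" on one line; sha256sum on Linux, shasum elsewhere.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

hash_tree() {
    # One "hash  ./relative/path" line per regular file under $1, in a
    # stable order, skipping any .git directory (git has its own integrity).
    (cd "$1" && find . -type f ! -path './.git/*' | LC_ALL=C sort |
        while IFS= read -r f; do hash_file "$f"; done)
}

record_manifest() {
    # Snapshot the tree that was just deployed: record_manifest DIR MANIFEST
    hash_tree "$1" > "$2"
}

changed_files() {
    # Print the relative path of every file that was added, removed or
    # modified relative to the manifest; prints nothing when identical.
    # Entries present in both inputs cancel out under uniq -u; what survives
    # is exactly the set of differing lines, reduced to unique paths.
    { cat "$2"; hash_tree "$1"; } | LC_ALL=C sort | uniq -u |
        sed 's/^[0-9a-f]\{64\}  //' | LC_ALL=C sort -u
}

verify_manifest() {
    # Return 0 when DIR matches MANIFEST, 1 (with the list of changed files
    # on stderr) otherwise, so a caller can stop and review before deploying.
    [ -f "$2" ] || { echo "no manifest at $2; run record_manifest after a deploy" >&2; return 1; }
    changed=$(changed_files "$1" "$2")
    [ -z "$changed" ] && return 0
    echo "configuration changed since last deploy; review before rebuilding:" >&2
    printf '%s\n' "$changed" | sed 's/^/  /' >&2
    return 1
}

guarded_rebuild() {
    # Drop-in for "nixos-rebuild switch": refuses when the tree differs from
    # the last deploy unless the user passes --accept after reviewing the
    # list, then re-records the manifest so the next run compares to this one.
    if [ "${1:-}" = "--accept" ]; then
        shift
    else
        verify_manifest "$CONFIG_DIR" "$MANIFEST" || return 1
    fi
    nixos-rebuild switch --use-remote-sudo "$@" && record_manifest "$CONFIG_DIR" "$MANIFEST"
}
```

Run record_manifest once after the next successful rebuild, then use guarded_rebuild in place of nixos-rebuild switch; the list it prints is the set of files to eyeball before re-running with --accept. Because the manifest lives in the user's home, it is only as protected as the config itself, which is in line with the threat model discussed above: it catches mistakes and sloppy edits, not an attacker who already has the user account.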
I’d say it’s almost always bad practice to use the root user for anything on NixOS. Changes to files owned by root should only ever be made by a nixos-rebuild invocation. Such files are always system configuration, and as such should not be modified imperatively.
Anything else that requires adequate permissions should be handled by giving users the permissions they need.
Personally I only very rarely use sudo by hand, even for nixos-rebuild I use the --use-remote-sudo flag. Everything else is configured to properly escalate privileges with PAM or appropriate group permissions.
I fully agree. sudo / sudo-rs / run0 all have their merits. Which you use is ultimately splitting hairs; if you’re struggling with the basic question of what the purpose of root permissions even is you’re not going to get a meaningful difference in security from choosing a particular one of these.
That said, sudo-rs is a pretty good alternative to traditional sudo at this point, even sporting a proper audit or two, and is seeing increasing adoption. run0 is conceptually cool because it uses systemd APIs to permit privilege escalation instead of the hack that is the setuid bit. sudo still has the largest userbase, for sure, but as recent security mishaps have shown, this does not necessarily mean it has as many eyes as you’d hope.
I really don’t think there’s an obvious “best” here; it depends on which risks you personally find significant. Either way, I don’t think the average newbie can make a meaningful decision here; for such users, I would always recommend just going with the default - which is sudo on NixOS.
Defaults are defaults for a reason. The distro will change the default for you if there is a good reason to in the future, until then you should only change defaults if you have sufficient understanding to reassess your distro’s choice.
And if you ask around here what the best choice is, well, we’re going to tell you the default NixOS setting because that’s the choice of the distro we rally behind; if we disagreed, we’d open PRs/RFCs to change the choice (or have already been outvoted by the forces that be).
As a regular Linux user (I don’t develop anything), I have been using sudo-rs for EVERYTHING ever since it was added to nixpkgs and I had 0 problems. I recommend it! Just remember that there is an option for it: security.sudo-rs.*
There is also please, but I have no idea how it works… security.please.*