I’m using emacs to edit my configuration.nix file via:
$ sudo emacs /etc/nixos/configuration.nix
and I often forget to close it after a nixos-rebuild, which means that if someone gets access to my computer a few hours later, they can use emacs to have root access to my machine. Is there a solution to automatically disconnect emacs/any editor from having root access after, say, 10mn of inactivity? I would prefer to just disconnect it from root access instead of killing it as if I have some unchanged modifications, I would lose them after killing emacs.
You can open files in emacs with /sudo::/etc/nixos/configuration.nix to open them as root from a non-root editor. I wouldn’t be surprised if this can be configured to drop that privilege after some time, though I don’t know.
EDIT: Though, the more realistic thing that most people do is store their nixos configs in their home dir, owned by their own user. That way you only need sudo for the actual nixos-rebuild command.
Thanks, I tried to give i a quick look, but can’t find much emacs option, need to invest a bit more.
Regarding the solution to edit user files, it’s certainly better… But I don’t love this solution as it kinds of allow people to modify the git repository if they have access to the user session, which will be deployed during the next rebuild (ok, might be a bit paranoid… and you might argue that if a user has such access, they might anyway pack a malicious terminal that records the root password etc…). I guess it is possible to mitigate this by checking with git diff before pushing etc, or introduce signed commits… I need to think about it ^^