|
19 | 19 | zstd,
|
20 | 20 | stdenv,
|
21 | 21 | glibc,
|
| 22 | + sudo, |
22 | 23 | }:
|
23 | 24 | let
|
24 | 25 | inherit (lib)
|
|
88 | 89 |
|
89 | 90 | staticPath = "${dirOf shell}:${
|
90 | 91 | lib.makeBinPath (
|
91 |
| - lib.flatten [ |
| 92 | + (lib.flatten [ |
92 | 93 | builder
|
93 | 94 | drv.buildInputs
|
94 |
| - ] |
| 95 | + ]) |
| 96 | + ++ [ "/usr" ] |
95 | 97 | )
|
96 | 98 | }";
|
97 | 99 |
|
@@ -123,11 +125,38 @@ let
|
123 | 125 | experimental-features = nix-command flakes
|
124 | 126 | '';
|
125 | 127 |
|
126 |
| - etcNixConf = runCommand "etcd-nix-conf" { } '' |
| 128 | + etcNixConf = runCommand "etc-nix-conf" { } '' |
127 | 129 | mkdir -p $out/etc/nix/
|
128 | 130 | ln -s ${nixConfFile} $out/etc/nix/nix.conf
|
129 | 131 | '';
|
130 | 132 |
|
| 133 | + sudoersFile = writeText "sudoers" '' |
| 134 | + root ALL=(ALL) ALL |
| 135 | + ${toString uname} ALL=(ALL) NOPASSWD:ALL |
| 136 | + ''; |
| 137 | + |
| 138 | + etcSudoers = runCommand "etc-sudoers" { } '' |
| 139 | + mkdir -p $out/etc/ |
| 140 | + cp ${sudoersFile} $out/etc/sudoers |
| 141 | + chmod 440 $out/etc/sudoers |
| 142 | + ''; |
| 143 | + |
| 144 | + pamSudoFile = writeText "pam-sudo" '' |
| 145 | + auth sufficient pam_rootok.so |
| 146 | + auth required pam_permit.so |
| 147 | + account required pam_permit.so |
| 148 | + session required pam_permit.so |
| 149 | + session optional pam_xauth.so |
| 150 | + ''; |
| 151 | + |
| 152 | + etcPamSudo = runCommand "etc-pam-sudo" { } '' |
| 153 | + mkdir -p $out/etc/pam.d/ |
| 154 | + cp ${pamSudoFile} $out/etc/pam.d/sudo |
| 155 | +
|
| 156 | + # We can’t chown in a sandbox, but that’s okay for Nix store. |
| 157 | + chmod 644 $out/etc/pam.d/sudo |
| 158 | + ''; |
| 159 | + |
131 | 160 | # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/globals.hh#L464-L465
|
132 | 161 | sandboxBuildDir = "/build";
|
133 | 162 |
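Review bot: The PAM stack in pamSudoFile makes every sudo invocation succeed without credentials, because `auth sufficient pam_rootok.so` short-circuits uid 0 and `auth required pam_permit.so` accepts everyone else, so the password implied by `root ALL=(ALL) ALL` in sudoersFile is never asked for and the only remaining limit on escalation is the list of users in sudoers. That is presumably intended for a throwaway dev container, but nothing in the hunk says so; I would add above pamSudoFile: `# Authenticates nobody on purpose: sudo in this image grants root to any user in sudoersFile without a password.` The `chmod 440` in etcSudoers and `chmod 644` in etcPamSudo also cannot survive the store, since Nix canonicalises store files to mode 0444/0555, so the modes the image ends up with come only from the later copy step in this commit, which adds `chown root:root` for both files but no chmod. Whether sudo accepts a world-readable sudoers depends on that sudo version's mode check, so I would set the modes explicitly in that step next to the chown, e.g. `chmod 440 ./etc/sudoers`.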
|
|
194 | 223 | binSh
|
195 | 224 | usrBinEnv
|
196 | 225 | etcNixConf
|
| 226 | + etcSudoers |
| 227 | + etcPamSudo |
197 | 228 | (fakeNss.override {
|
198 | 229 | # Allows programs to look up the build user's home directory
|
199 | 230 | # https://github.com/NixOS/nix/blob/ffe155abd36366a870482625543f9bf924a58281/src/libstore/build/local-derivation-goal.cc#L906-L910
|
|
241 | 272 | mkdir -p ./lib64
|
242 | 273 | ln -s "${glibc}/lib64/ld-linux-x86-64.so.2" ./lib64/ld-linux-x86-64.so.2
|
243 | 274 | fi
|
| 275 | +
|
| 276 | + # Copy sudo from the Nix store to a "normal" path in the container |
| 277 | + mkdir -p ./usr/bin |
| 278 | + cp ${sudo}/bin/sudo ./usr/bin/sudo |
| 279 | +
|
| 280 | + # Ensure root owns it & set setuid bit |
| 281 | + chown 0:0 ./usr/bin/sudo |
| 282 | + chmod 4755 ./usr/bin/sudo |
| 283 | +
|
| 284 | + chown root:root ./etc/pam.d/sudo |
| 285 | + chown root:root ./etc/sudoers |
244 | 286 | '';
|
245 | 287 |
|
246 | 288 | # Run this image as the given uid/gid
|
|