
Commit 11cccb3

fix(nix/docker.nix): add sudo and jq.bin
Change-Id: Ie978c62ce4164386e55cedd6d7ceae71b07e217e Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parent c1b4a3b commit 11cccb3


2 files changed

+46
-3
lines changed


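--- a/flake.nix
+++ b/flake.nix
@@ -257,6 +257,7 @@
 nix
 curl.bin # Ensure the actual curl binary is included in the PATH
 glibc.bin # Ensure the glibc binaries are included in the PATH
+jq.bin
 binutils # ld and strings
 filebrowser # Ensure that we're not redownloading filebrowser on each launch
 ])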

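--- a/nix/docker.nix
+++ b/nix/docker.nix
@@ -19,6 +19,7 @@
 zstd,
 stdenv,
 glibc,
+sudo,
 }:
 let
 inherit (lib)
@@ -88,10 +89,11 @@ let
 
 staticPath = "${dirOf shell}:${
 lib.makeBinPath (
-lib.flatten [
+(lib.flatten [
 builder
 drv.buildInputs
-]
+])
+++ [ "/usr" ]
 )
 }";
 
@@ -123,11 +125,38 @@ let
 experimental-features = nix-command flakes
 '';
 
-etcNixConf = runCommand "etcd-nix-conf" { } ''
+etcNixConf = runCommand "etc-nix-conf" { } ''
 mkdir -p $out/etc/nix/
 ln -s ${nixConfFile} $out/etc/nix/nix.conf
 '';
 
+sudoersFile = writeText "sudoers" ''
+root ALL=(ALL) ALL
+${toString uname} ALL=(ALL) NOPASSWD:ALL
+'';
+
+etcSudoers = runCommand "etc-sudoers" { } ''
+mkdir -p $out/etc/
+cp ${sudoersFile} $out/etc/sudoers
+chmod 440 $out/etc/sudoers
+'';
+
+pamSudoFile = writeText "pam-sudo" ''
+auth sufficient pam_rootok.so
+auth required pam_permit.so
+account required pam_permit.so
+session required pam_permit.so
+session optional pam_xauth.so
+'';
+
+etcPamSudo = runCommand "etc-pam-sudo" { } ''
+mkdir -p $out/etc/pam.d/
+cp ${pamSudoFile} $out/etc/pam.d/sudo
+
+# We can’t chown in a sandbox, but that’s okay for Nix store.
+chmod 644 $out/etc/pam.d/sudo
+'';
+
 # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/globals.hh#L464-L465
 sandboxBuildDir = "/build";
 
@@ -194,6 +223,8 @@ let
 binSh
 usrBinEnv
 etcNixConf
+etcSudoers
+etcPamSudo
 (fakeNss.override {
 # Allows programs to look up the build user's home directory
 # https://github.com/NixOS/nix/blob/ffe155abd36366a870482625543f9bf924a58281/src/libstore/build/local-derivation-goal.cc#L906-L910
@@ -241,6 +272,17 @@ let
 mkdir -p ./lib64
 ln -s "${glibc}/lib64/ld-linux-x86-64.so.2" ./lib64/ld-linux-x86-64.so.2
 fi
+
+# Copy sudo from the Nix store to a "normal" path in the container
+mkdir -p ./usr/bin
+cp ${sudo}/bin/sudo ./usr/bin/sudo
+
+# Ensure root owns it & set setuid bit
+chown 0:0 ./usr/bin/sudo
+chmod 4755 ./usr/bin/sudo
+
+chown root:root ./etc/pam.d/sudo
+chown root:root ./etc/sudoers
 '';
 
 # Run this image as the given uid/gid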
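Review bot: The PAM stack in `pamSudoFile` (`auth required pam_permit.so`) makes every sudo authentication succeed unconditionally, so the `root ALL=(ALL) ALL` entry in `sudoersFile` does not actually require a password, and any future rule written without `NOPASSWD` would silently be passwordless too. If unconditional passwordless root for the build user is the intended contract of this image, state it where the next maintainer will see it, e.g. a comment at the top of `sudoersFile`: `# /etc/pam.d/sudo is pam_permit-only, so no rule in this file can ever prompt for a password; the build user is deliberately granted full NOPASSWD root.`, and consider dropping the misleading root line. `${toString uname}` is interpolated into the sudoers grammar without any check; `uname` is defined outside this section, so it is presumably a plain login name, but a value containing whitespace or `#` would change the meaning of the rule rather than fail loudly. The two `chown root:root` lines at the end of the extraCommands hunk are what lets sudo accept `/etc/sudoers` (mode 0440) and `/etc/pam.d/sudo`, since the store copies cannot be chowned; a one-line comment there tying them to the `chmod 440` in `etcSudoers` would make that dependency explicit.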
