[CRITICAL] Passwordless sudo for wheel group on all hosts #11

Open
opened 2026-05-05 15:43:14 -05:00 by pjennings · 0 comments
Owner

Labels: area:security, priority:critical, type:bug

Description

In modules/profiles/standard.nix line 79:

security.sudo-rs.wheelNeedsPassword = lib.mkDefault false;

This allows ALL users in the wheel group to execute ANY command as root without password verification.

Impact

CRITICAL — Combined with SSH key-based authentication, compromising any SSH private key of a wheel group user grants immediate, unauthenticated root access. There is no second factor of defense.

Attack vectors:

  • SSH key theft from developer workstations
  • Compromised CI/CD pipelines that hold SSH keys
  • Social engineering to add attacker keys

Recommended Fix

security.sudo-rs.wheelNeedsPassword = lib.mkDefault true;

If passwordless operations are needed for automation (e.g., nixos-rebuild over SSH), use targeted NOPASSWD rules for specific commands rather than blanket passwordless sudo.
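
A sketch of the targeted-rule approach named above, as an added example that is not code from this repository. It assumes a hypothetical non-wheel automation account `deploy` and a placeholder unit `example.service`; replace the command list with the exact command lines the automation runs.

```nix
{ lib, ... }:
{
  # Wheel members must authenticate for sudo (the fix proposed in this issue).
  security.sudo-rs.wheelNeedsPassword = lib.mkDefault true;

  # Assumption: a dedicated automation account that is NOT in the wheel group.
  users.users.deploy = {
    isNormalUser = true;
    # openssh.authorizedKeys.keys = [ "<automation public key placeholder>" ];
  };

  # Passwordless sudo only for "deploy", and only for the listed command lines.
  security.sudo-rs.extraRules = [
    {
      users = [ "deploy" ];
      runAs = "root";
      commands = [
        {
          # Assumption: the single privileged action the automation needs.
          # Arguments are part of the match, so other systemctl calls still
          # require a password.
          command = "/run/current-system/sw/bin/systemctl restart example.service";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];
}
```

Any listed command that can itself run arbitrary code as root (a shell, an editor, a rebuild from a configuration the caller controls) makes the rule equivalent to blanket passwordless sudo, so keep the list to fixed command lines.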
