From 6fc5a2b1ea54207a13c292a52d664d6227dfe2fb Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Wed, 19 Jun 2024 19:39:00 +0100
Subject: [PATCH] Fix CVE-2021-3156
---
 common/sudo.nix | 5 +++++
 hive.nix | 1 +
 2 files changed, 6 insertions(+)
 create mode 100644 common/sudo.nix
diff --git a/common/sudo.nix b/common/sudo.nix
new file mode 100644
index 0000000..fe9b2fc
--- /dev/null
+++ b/common/sudo.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs,... }:
+
+{
+ security.sudo.execWheelOnly = true;
+}
diff --git a/hive.nix b/hive.nix
index c9e17de..e3ccd2b 100644
--- a/hive.nix
+++ b/hive.nix
@@ -23,6 +23,7 @@ in {
 (import "${sources.home-manager}/nixos")
 (import "${sources.agenix}/modules/age.nix")
 ./pinning.nix
+ ./common/sudo.nix
 ./common/utilities.nix
 ./users/qenya.nix
 ];
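Review bot: In common/sudo.nix, `security.sudo.execWheelOnly = true;` limits who can execute the sudo binary rather than fixing CVE-2021-3156, and the new file carries no comment saying so. Members of wheel can still run sudo, so the flaw itself is only closed if the pinned nixpkgs ships a patched sudo package, which this diff does not show. I would add a comment above the option, `# Hardening: only wheel may execute sudo, limiting exposure to sudo bugs such as CVE-2021-3156; the fix itself is a patched sudo package.` It is also worth confirming that no host in the hive depends on sudo rules for users outside wheel, since they would presumably lose access to the binary.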