Differences
This shows you the differences between two versions of the page.
en:philosophy:sudo_complexity [2022/03/26 20:19] i3_relativism |
en:philosophy:sudo_complexity [2022/11/03 14:08] (current) throgh [Solution with a strict and lightweight replacement] |
---|---|---|---|
Line 1: | Line 1: | ||
- | ===== | + | ====== The complexity of " |
- | I started working on doas quite some time ago after some personal issues | + | Starting |
- | The core of the problem | + | ===== Introduction and basic problem |
- | Writing a small simple replacement meant that we could ship something in base which was totally unsuitable | + | The program <color # |
- | The code was just sitting around in a spare source tree for a while because | + | Documented reports like [[https:// |
- | Talking with deraadt and millert, however, I wasn’t quite alone. | + | There are furthermore issues reported with the default <color # |
- | First, doas needed a new name because nobody ever likes the first name. A few suggestions were made. sux (already taken by su, now with more X. machtfrei (too many letters). powershell (if only). datass (submitted after contest end). | + | ===== Solution |
- | In to cvs it went as doas. Incidentally, | + | Using <color # |
- | + | ||
- | And then the real hacking and chopping could begin. I always thought the most important feature of sudo was that it insulted the user after entering a bad password. Apparently the world is filled with poor typists; the first diff to doas was to add a config option noinsults. Unfortunately, | + | |
- | + | ||
- | Deleting | + | |
- | + | ||
- | The config file syntax is crudely inspired by pf.conf. Instead of pass and block keywords, there are permit and deny keywords. There are some limitations. Trying to deny a single command can be tricky because “ksh” and “/bin/ksh” and “/// | + | |
- | + | ||
- | We’ve been contemplating a different config syntax which reverses the ordering | + | |
- | + | ||
- | Coming full circle, the majority of tweaking and polishing of doas now appears to have returned to refinement | + | |
- | + | ||
- | The doas code lives in cvs. | + | |
- | + | ||
- | doas was created to run on OpenBSD. I suppose you could port it, but I don’t plan to. Figuring out a replacement for auth_userokay is probably the hard part. | + | |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | The ''' | + | |
- | + | ||
- | == Installation == | + | |
- | + | ||
- | === USE flags === | + | |
- | + | ||
- | {{USEflag|package=app-admin/ | + | |
- | + | ||
- | === Emerge === | + | |
- | + | ||
- | {{Emerge|app-admin/ | + | |
- | + | ||
- | == Configuration == | + | |
- | + | ||
- | The {{c|doas}} tool is configured | + | |
- | + | ||
- | === Basic configuration === | + | |
- | + | ||
- | A simple skeleton configuration could be to specify a rule which allows all users in the {{c|wheel}} group to perform any action as root. | + | |
- | + | ||
- | {{FileBox|filename=/ | + | |
- | permit :wheel | + | |
- | }} | + | |
- | + | ||
- | It' | + | |
- | + | ||
- | {{FileBox|filename=/ | + | |
- | permit :wheel | + | |
- | deny larry cmd fdisk | + | |
- | }} | + | |
- | + | ||
- | The user {{c|larry}} is part of the {{c|wheel}} group and therefore may perform actions available to root, but the second rule denies this user access to the {{c|fdisk}} command. | + | |
- | + | ||
- | === Authentication === | + | |
- | + | ||
- | The {{c|nopass}} keyword provides the ability to perform actions without having to enter a password: | + | |
- | + | ||
- | {{FileBox|filename=/ | + | |
- | permit nopass :wheel | + | |
- | }} | + | |
- | + | ||
- | {{Note|Due to OpenBSD-specific kernel API required by {{c|doas}} to set and clear timeouts, the persist feature is disabled by default in the '' | + | |
- | + | ||
- | With the {{c|persist}} keyword {{c|doas}} can remember an authenticated user and will not require confirmation by password for five minutes: | + | |
- | + | ||
- | {{FileBox|filename=/ | + | |
- | permit persist :wheel | + | |
- | }} | + | |
- | + | ||
- | === Commands === | + | |
- | + | ||
- | The {{c|doas}} tool allows the creation of rules which only apply to certain commands. | + | |
- | + | ||
- | A rule can be specified to allow a certain user to use a command only available to root: | + | |
- | + | ||
- | {{FileBox|filename=/ | + | |
- | permit nopass larry cmd reboot | + | |
- | }} | + | |
- | + | ||
- | This allows the user {{c|larry}} to execute the {{c|reboot}} command without having to enter a password. This may allow users to use restricted commands without providing complete root access. | + | |
- | + | ||
- | === Testing === | + | |
- | + | ||
- | A configuration | + | |
- | + | ||
- | {{Cmd|doas -C / | + | |
- | + | ||
- | Specifying a command will show you whether you have permissions to perform this command: | + | |
- | + | ||
- | {{Cmd|doas -C / | + | |
- | + | ||
- | This test will output {{c|deny}} if you do not have the permissions to execute {{c|cat}}. | + | |
- | + | ||
- | You can also check permissions for a specified user: | + | |
- | + | ||
- | {{Cmd|doas -C / | + | |
- | + | ||
- | If the user {{c|larry}} has permissions to access {{c|cat}} it may output {{c|permit}}. | + | |
- | + | ||
- | === Targets === | + | |
- | + | ||
- | The {{c|doas}} can not only be used to perform actions with root privileges, it also allows to target certain users and groups. The syntax to distinguish between groups (like {{c|: | + | |
- | + | ||
- | {{FileBox|filename=/ | + | |
- | permit nopass larry as postgres | + | |
- | }} | + | |
- | + | ||
- | By adding this rule, the user {{c|larry}} is allowed to perform actions as the {{c|postgres}} user without having to enter a password. | + | |
- | + | ||
- | === Bash tab completion === | + | |
- | + | ||
- | By default {{c|bash}} will only tab complete files and directories within the current or referenced directory. To tell bash to complete arguments as if they were separate commands (also leveraging the tab completion settings of other commands) the following can be added to either the users {{Path|.bashrc}}, | + | |
- | + | ||
- | {{FileBox|filename=~/ | + | |
- | # Configure completion for doas | + | |
- | # -c : Complete arguments as if they were commands | + | |
- | # (eg: `doas emer< | + | |
- | # (eg: `doas dd status=p< | + | |
- | # -f : Complete arguments as if they were directory names (default behaviour) | + | |
- | # (eg: `doas / | + | |
- | complete -cf doas | + | |
- | }} | + | |
- | + | ||
- | == Usage == | + | |
- | + | ||
- | The {{c|doas}} command can be used like {{c|sudo}}: | + | |
- | + | ||
- | {{Cmd|doas emerge -uDN world}} | + | |
- | + | ||
- | See [https:// | + | |
- | + | ||
- | == See also == | + | |
- | + | ||
- | * {{See also|sudo}} | + | |
- | + | ||
- | == External resources == | + | |
- | + | ||
- | * [https:// | + | |
- | + | ||
- | [[Category: | + |
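Review bot: Replacing the whole old body is the right call, but the new "Solution" side should not lose the one piece of practical guidance the old text carried. The removed lines are first-person text from the doas author ("I started working on doas...", "Talking with deraadt and millert", "The doas code lives in cvs.") followed by a Gentoo-wiki article in MediaWiki markup ({{FileBox|...}}, {{Cmd|...}}, {{USEflag|...}}, {{Emerge|...}}, `== Installation ==`, `[[Category:`), none of which renders in DokuWiki and none of which is attributed to its source, so dropping it is correct. What was useful in it, however, is the worked doas.conf material: the `permit :wheel` / `deny larry cmd fdisk` rule pair showing that a later deny narrows an earlier group permit, the `nopass` and `persist` keywords with the note that `persist` is disabled by default outside OpenBSD because it relies on an OpenBSD-specific kernel API, the `cmd`/`as` restrictions for scoping a rule to one command or target user, and `doas -C /path/to/doas.conf [command]` for checking a configuration and seeing `permit`/`deny` before relying on it. Since the new side under "===== Solution" currently ends at "Using <color #", consider carrying a trimmed, properly attributed version of those examples into that section in DokuWiki syntax, and keep the pattern already started on the "+" side at Line 13 ("Documented reports like [[https://") of linking each claim about sudo's complexity to its report.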