Differences

This shows you the differences between two versions of the page.

en:system:userspace:open_doas [2023/02/20 22:35]
i3_relativism
en:system:userspace:open_doas [2023/02/22 20:29]
throgh [Bash tab completion]
Line 61: Line 61:
 The configuration file must end with a newline The configuration file must end with a newline
 </note> </note>
 +
 +For example, to allow members of the <color #620BB9/#EEDDFF>libre</color> group to run **smartctl** without password as **Root user**.
 +
 +Edit <color #620BB9/#EEDDFF>/etc/doas.conf</color>:
 +
 +<code bash>
 +permit nopass :libre as root cmd /usr/bin/smartctl
 +</code>
 ==== Basic setup ==== ==== Basic setup ====
  
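Review bot: the moved example now sits between the closing `</note>` and the "==== Basic setup ====" heading, so the rule `permit nopass :libre as root cmd /usr/bin/smartctl` appears before the reader has seen the rule syntax that "Basic setup" and "Rulesets" introduce; consider placing it at the end of "Basic setup" or at the start of "Rulesets" instead. The lead-in is also a sentence fragment ("For example, to allow members of the libre group to run **smartctl** without password as **Root user**."); suggest "For example, to allow members of the libre group to run **smartctl** as root without a password, add the following rule to /etc/doas.conf:" and drop the separate "Edit /etc/doas.conf:" line.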
Line 85: Line 93:
 It is imperative that <color #620BB9/#EEDDFF>/etc/doas.conf</color> is free of syntax errors! It is imperative that <color #620BB9/#EEDDFF>/etc/doas.conf</color> is free of syntax errors!
 </note> </note>
- 
-To allow members of the <color #620BB9/#EEDDFF>libre</color> group to run **smartctl** without password as **Root user**. 
- 
-Edit <color #620BB9/#EEDDFF>/etc/doas.conf</color>: 
- 
-<code bash> 
-permit nopass :libre as root cmd /usr/bin/smartctl 
-</code> 
- 
-WIP??!question 
-what is smartctl is this systemd related? 
-endWIP??! 
 ==== Rulesets ==== ==== Rulesets ====
  
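Review bot: the open question "what is smartctl is this systemd related?" is deleted here without being answered anywhere in the diff, while the smartctl example itself survives (moved up to Line 61). Consider answering it in one short clause where the example now lives, so the reader knows what smartctl is and why it is a sensible candidate for a nopass rule; otherwise the choice of command looks arbitrary.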
Line 300: Line 296:
  
 ==== Authentication ==== ==== Authentication ====
 +=== Nopass feature ===
  
 The **<color #816E00/#FAE65B>nopass</color>** keyword provides the ability to perform actions without having to enter a password. The **<color #816E00/#FAE65B>nopass</color>** keyword provides the ability to perform actions without having to enter a password.
Line 309: Line 306:
 </code> </code>
  
-<note warning> +=== Persist feature ===
-Due to OpenBSD-specific kernel API required by **doas** to set and clear timeouts, the **<color #816E00/#FAE65B>persist</color>** feature is disabled by default in the ''OpenDoas'' port. +
-</note>+
  
-With the **<color #816E00/#FAE65B>persist</color>** keyword **doas** can remember an authenticated user and will not require confirmation by password for **five minutes**.+**doas** provides the <color #620BB9/#EEDDFF>persist</color> feature: after the user successfully authenticates. There will be presistance and an authenticated user, will be remember, and not be prompted or a password will not require be required confirmation for **five minutes** . It is disabled by default, enable it with the **<color #816E00/#FAE65B>persist</color>** option.
  
 Edit  <color #620BB9/#EEDDFF>/etc/doas.conf</color>, to not require passwords for five minutes for all users in the //wheel//: Edit  <color #620BB9/#EEDDFF>/etc/doas.conf</color>, to not require passwords for five minutes for all users in the //wheel//:
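Review bot: the rewritten persist paragraph is garbled and should not be merged as is ("There will be presistance and an authenticated user, will be remember, and not be prompted or a password will not require be required confirmation for **five minutes** ."). The removed line already had a clean version; suggest: "**doas** provides the **persist** feature: after the user successfully authenticates, they will not be prompted for a password again for **five minutes**. It is disabled by default; enable it with the **persist** option." Also, the first `persist` on this line uses the path colour (`#620BB9/#EEDDFF`) while every other keyword on the page, including the second `persist` in the same sentence, uses the keyword colour (`#816E00/#FAE65B`); make them consistent.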
Line 321: Line 316:
 </code> </code>
  
 +<note warning>
 +Due to OpenBSD-specific kernel API required by **doas** to set and clear timeouts, the **<color #816E00/#FAE65B>persist</color>** feature is disabled by default in the ''OpenDoas'' port, and because it is new and potentially dangerous. In the original ''doas'', a kernel API is used to set and clear timeouts. This API is OpenBSD specific and no similar API is available on other operating systems. As a workaround, the **<color #816E00/#FAE65B>persist</color>** feature is implemented using timestamp files similar to ''sudo''.
 +</note>
 ==== Testing ==== ==== Testing ====
  
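Review bot: the new warning merges two earlier explanations and the join reads as a dangling clause: "is disabled by default in the ''OpenDoas'' port, and because it is new and potentially dangerous." It then restates the kernel-API reason a second time. Suggest one ordered explanation: "The **persist** feature is disabled by default in the ''OpenDoas'' port because it is new and potentially dangerous: the original ''doas'' uses an OpenBSD-specific kernel API to set and clear timeouts, no similar API exists on other operating systems, so OpenDoas implements **persist** with timestamp files similar to ''sudo''." The paragraph at Line 306 already says the feature is disabled by default; keeping that statement in one place avoids the repetition.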
Line 357: Line 355:
 By adding this rule, the user //larry// is allowed to perform actions as the //postgres// user without having to enter a password. By adding this rule, the user //larry// is allowed to perform actions as the //postgres// user without having to enter a password.
  
-==== Bash tab completion ====+===== Bash tab completion =====
  
-By default Bash will only tab complete files and directories within the current or referenced directory. To tell Bash to complete arguments as if they were separate commands (also leveraging the tab completion settings of other commands) the following can be added to either the users WIP.bashrc, or the global /etc/bash.bashrc:+By default Bash will only tab complete files and directories within the current or referenced directory. To tell Bash to complete arguments as if they were separate commands (also leveraging the tab completion settings of other commands) the following can be added to either the users .bashrc, or the global /etc/bash.bashrc:
  
 <code bash> <code bash>
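Review bot: the "WIP" fragment is correctly removed, but "the users .bashrc" still lacks the possessive apostrophe; since this line is being edited anyway, write "the user's .bashrc". The promotion of the heading to `=====` is consistent with "Tips and tricks" being removed later in this diff, so its former subsections become top-level sections.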
Line 365: Line 363:
 </code> </code>
  
-===== Tips and tricks ===== 
- 
-==== doas persist feature ==== 
- 
-''doas'' provides a "persist" feature: after the user successfully authenticates, they will not be prompted for a password again for some time. It is disabled by default, enable it with the **<color #816E00/#FAE65B>persist</color>** option in <color #620BB9/#EEDDFF>/etc/doas.conf</color>: 
- 
-<code bash> 
-permit persist :wheel 
-</code> 
- 
-<note> 
-The **<color #816E00/#FAE65B>persist</color>** feature is disabled by default and because it is new and potentially dangerous. In the original ''doas'', a kernel API is used to set and clear timeouts. This API is OpenBSD specific and no similar API is available on other operating systems. As a workaround, the **<color #816E00/#FAE65B>persist</color>** feature is implemented using timestamp files similar to ''sudo''. 
-</note> 
  
-==== Smooth transition sudo to doas ====+===== Smooth transition sudo to doas =====
  
 For a smooth transition from ''sudo'' to ''doas'' and to stay downward compatible, you could add to your environment: For a smooth transition from ''sudo'' to ''doas'' and to stay downward compatible, you could add to your environment:
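Review bot: "downward compatible" in the unchanged context line is not the usual term; since the heading directly above it is touched in this hunk, correct the sentence in the same edit to "to stay backward compatible". The removal of the "Tips and tricks" persist subsection is fine because both its `permit persist :wheel` example and its note now live under "Authentication", but it leaves two consecutive blank lines before the "Smooth transition sudo to doas" heading; drop one.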
Line 405: Line 390:
 </note> </note>
  
-==== See also ====+===== See also =====
  
   * See also [[en:philosophy:sudo_complexity|sudo]].   * See also [[en:philosophy:sudo_complexity|sudo]].
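Review bot: with the heading promoted to "===== See also =====", the list item "See also [[en:philosophy:sudo_complexity|sudo]]." repeats the heading text; suggest reducing the item to "[[en:philosophy:sudo_complexity|sudo]]" so the section reads as a plain link list.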