Differences

This shows you the differences between two versions of the page.

en:system:userspace:open_doas [2023/02/20 23:27]
i3_relativism [doas persist feature] reorganize unneeded section
en:system:userspace:open_doas [2023/02/22 20:29] (current)
throgh [External resources]
Line 61: Line 61:
 The configuration file must end with a newline The configuration file must end with a newline
 </note> </note>
 +
 +For example, to allow members of the <color #620BB9/#EEDDFF>libre</color> group to run **smartctl** without password as **Root user**.
 +
 +Edit <color #620BB9/#EEDDFF>/etc/doas.conf</color>:
 +
 +<code bash>
 +permit nopass :libre as root cmd /usr/bin/smartctl
 +</code>
 ==== Basic setup ==== ==== Basic setup ====
  
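Review bot: the added rule `permit nopass :libre as root cmd /usr/bin/smartctl` has no args clause, so every member of libre can run smartctl as root with any arguments and no password. If the example is meant to show a narrowly scoped nopass rule, pin the arguments as well, for instance `cmd /usr/bin/smartctl args -a /dev/sda` (device path chosen here for illustration), or add a sentence saying that leaving out args permits all arguments. The lead-in "For example, to allow members of ... as Root user." is a sentence fragment, and the rule is doas.conf syntax rather than bash, so the `<code bash>` tag mislabels it.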
Line 85: Line 93:
 It is imperative that <color #620BB9/#EEDDFF>/etc/doas.conf</color> is free of syntax errors! It is imperative that <color #620BB9/#EEDDFF>/etc/doas.conf</color> is free of syntax errors!
 </note> </note>
- 
-To allow members of the <color #620BB9/#EEDDFF>libre</color> group to run **smartctl** without password as **Root user**. 
- 
-Edit <color #620BB9/#EEDDFF>/etc/doas.conf</color>: 
- 
-<code bash> 
-permit nopass :libre as root cmd /usr/bin/smartctl 
-</code> 
- 
-WIP??!question 
-what is smartctl is this systemd related? 
-endWIP??! 
 ==== Rulesets ==== ==== Rulesets ====
  
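Review bot: the WIP block removed at the end of this hunk asked "what is smartctl is this systemd related?", and the relocated example still introduces smartctl without saying what it is. Answer the question in the text rather than only deleting it: smartctl is the command-line tool from smartmontools for reading a drive's S.M.A.R.T. data and is not related to systemd.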
Line 300: Line 296:
  
 ==== Authentication ==== ==== Authentication ====
 +=== Nopass feature ===
  
 The **<color #816E00/#FAE65B>nopass</color>** keyword provides the ability to perform actions without having to enter a password. The **<color #816E00/#FAE65B>nopass</color>** keyword provides the ability to perform actions without having to enter a password.
Line 309: Line 306:
 </code> </code>
  
-<note warning> +=== Persist feature ===
-Due to OpenBSD-specific kernel API required by **doas** to set and clear timeouts, the **<color #816E00/#FAE65B>persist</color>** feature is disabled by default in the ''OpenDoas'' port. +
-</note>+
  
-With the **<color #816E00/#FAE65B>persist</color>** keyword **doas** can remember an authenticated user and will not require confirmation by password for **five minutes**.+**doas** provides the <color #620BB9/#EEDDFF>persist</color> feature: after the user successfully authenticates. There will be presistance and an authenticated user, will be remember, and not be prompted or a password will not require be required confirmation for **five minutes** . It is disabled by default, enable it with the **<color #816E00/#FAE65B>persist</color>** option.
  
 Edit  <color #620BB9/#EEDDFF>/etc/doas.conf</color>, to not require passwords for five minutes for all users in the //wheel//: Edit  <color #620BB9/#EEDDFF>/etc/doas.conf</color>, to not require passwords for five minutes for all users in the //wheel//:
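Review bot: the replacement paragraph for the persist feature is not readable as written. "There will be presistance and an authenticated user, will be remember, and not be prompted or a password will not require be required confirmation" runs several drafts of the same sentence together and misspells "persistence". The removed sentence said the same thing clearly; keep it, or use something like "With the persist keyword, doas remembers a user who has authenticated and does not ask for the password again for five minutes." The first mention of persist is also coloured #620BB9, which the visible lines use for file and group names, while keywords such as nopass and the second mention of persist use #816E00.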
Line 321: Line 316:
 </code> </code>
  
 +<note warning>
 +Due to OpenBSD-specific kernel API required by **doas** to set and clear timeouts, the **<color #816E00/#FAE65B>persist</color>** feature is disabled by default in the ''OpenDoas'' port, and because it is new and potentially dangerous. In the original ''doas'', a kernel API is used to set and clear timeouts. This API is OpenBSD specific and no similar API is available on other operating systems. As a workaround, the **<color #816E00/#FAE65B>persist</color>** feature is implemented using timestamp files similar to ''sudo''.
 +</note>
 ==== Testing ==== ==== Testing ====
  
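Review bot: the expanded warning states its reason twice. The first sentence already gives the OpenBSD-specific kernel API as the cause, and the two sentences after it repeat that point; "and because it is new and potentially dangerous" is appended to the first sentence without saying what the danger is. Suggest stating the kernel API reason once, then the timestamp-file workaround, then what "potentially dangerous" refers to. The note also says the feature is disabled by default in the port, while the paragraph above says "enable it with the persist option"; say whether the reader needs a build-time switch, the config keyword, or both.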
Line 359: Line 357:
 ===== Bash tab completion ===== ===== Bash tab completion =====
  
-By default Bash will only tab complete files and directories within the current or referenced directory. To tell Bash to complete arguments as if they were separate commands (also leveraging the tab completion settings of other commands) the following can be added to either the users WIP.bashrc, or the global /etc/bash.bashrc:+By default Bash will only tab complete files and directories within the current or referenced directory. To tell Bash to complete arguments as if they were separate commands (also leveraging the tab completion settings of other commands) the following can be added to either the users .bashrc, or the global /etc/bash.bashrc:
  
 <code bash> <code bash>
 complete -cf doas complete -cf doas
 </code> </code>
- 
-===== Tips and tricks ===== 
- 
  
  
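Review bot: the corrected line still reads "the users .bashrc", which needs the possessive, and both file names are plain text while the page wraps paths such as /etc/doas.conf in the colour markup. Suggest "the user's ~/.bashrc or the global /etc/bash.bashrc" with the same markup as the other paths. Dropping the empty "Tips and tricks" heading is fine, but the blank lines it leaves behind at the end of this hunk can go too.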
Line 395: Line 390:
 </note> </note>
  
-==== See also ====+===== See also =====
  
   * See also [[en:philosophy:sudo_complexity|sudo]].   * See also [[en:philosophy:sudo_complexity|sudo]].
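Review bot: changing "See also" from four to five equals signs raises it one heading level in DokuWiki, while "External resources" directly below stays at four and so becomes a subsection of "See also". If both are meant to be peers, change them together; if the nesting is intended, this is fine as it stands. The list item "See also [[en:philosophy:sudo_complexity|sudo]]" repeats the heading and could be just the link.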
Line 403: Line 398:
 ==== External resources ==== ==== External resources ====
  
-WIP 
 "It would not have been possible to finish doas without the support of many other OpenBSD developers and users. In particular, Vadim Zhukov contributed immensely to the config parser and regress testsuite; Todd Miller, Damien Miller, and Martijn van Duren provided ideas and inspiration; Theo de Raadt provided backup to rejecting feature requests; Henning Brauer gave me the idea for tying authorization persistence to the terminal; and I owe Michael Lucas for stealing a catchy title." "It would not have been possible to finish doas without the support of many other OpenBSD developers and users. In particular, Vadim Zhukov contributed immensely to the config parser and regress testsuite; Todd Miller, Damien Miller, and Martijn van Duren provided ideas and inspiration; Theo de Raadt provided backup to rejecting feature requests; Henning Brauer gave me the idea for tying authorization persistence to the terminal; and I owe Michael Lucas for stealing a catchy title."