The new persist feature fills in the only thing (except for insults) I missed from sudo. For my uses, that’s 100% of the functionality for less than 9% of the code.
Anyone using doas in FreeBSD? I just tried it and got an interesting bug (I think).
permit :wheel
This lets me do doas pkg list and works fine
permit :wheel
permit nopass :wheel cmd pkg
I would expect this to let me run pkg commands without a password, which it does, but I get no output. doas pkg list takes a while since it is printing a lot of stuff out to the screen, but I never see it on the screen with the second rule.
Great, I added persist to /etc/doas.conf in 5.9 which apparently doesn’t support it. Now whenever I try to run doas it drops an error:
$ doas vi /etc/doas.conf
syntax error at line 1
I’m now locked out from the root account. Any easy solution to this, which doesn’t involve disassembling the machine and attaching the disk to another computer to edit doas.conf?
Instead of “doas mastery” I’ve performed “doas foolery”
You can copy the doas.conf file before editing and verify that it’s correct by running doas -C doas.conf cmd args..., it prints the matching rule, e.g. permits, permits nopass.
I see you already have some suggestions on how to recover. I can offer that a higher-level approach like Ansible or Puppet really has the potential to increase the reliability of your systems. Not only can you force an overall configuration check with Ansible before deploying, you can also use the -C feature to test that certain commands are allowed or not allowed.
Or an alias like:
f=`mktemp` && doas cp /etc/doas.conf $f && $EDITOR $f && doas -C $f && doas cp $f /etc/doas.conf
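An added example, not code from the thread: a function that does what the one-line alias above does, plus the extra check the Ansible comment suggests (a known-good probe command must still be permitted), so a bad edit never reaches the live file. It assumes doas(1) on the PATH, that doas -C file exits non-zero on a syntax error, and that doas -C file cmd prints permit, permit nopass or deny as documented in doas(1); DOAS and EDITOR are overridable so the function can be exercised with stubs.

```shell
# Added example (not from the thread): a safer version of the one-line alias.
# Assumes doas(1): `doas -C file` exits non-zero on a syntax error and
# `doas -C file cmd` prints "permit", "permit nopass" or "deny".
# DOAS and EDITOR can be overridden, e.g. with stubs when testing.
safe_edit_doas_conf() {
    conf=${1:-/etc/doas.conf}   # live config
    probe=${2:-pkg}             # a command the config is known to permit
    doas_bin=${DOAS:-doas}
    editor=${EDITOR:-vi}

    tmp=$(mktemp) || return 1

    # 1. Work on a copy; the live file is never opened by the editor.
    if ! "$doas_bin" cp "$conf" "$tmp"; then
        rm -f "$tmp"; return 1
    fi

    # 2. Edit the copy; an editor that fails aborts the whole operation.
    if ! "$editor" "$tmp"; then
        rm -f "$tmp"; return 1
    fi

    # 3. Syntax check. This is the step that would have caught the
    #    "persist" keyword on a release that does not know it.
    if ! "$doas_bin" -C "$tmp"; then
        echo "doas.conf: syntax error, live config left untouched" >&2
        rm -f "$tmp"; return 1
    fi

    # 4. Semantic check: the probe command must still be permitted,
    #    otherwise a valid but over-restrictive file would lock us out.
    #    doas exits non-zero on deny, so fall back to "deny" in that case.
    verdict=$("$doas_bin" -C "$tmp" "$probe") || verdict=deny
    case $verdict in
        permit*) ;;
        *) echo "doas.conf: '$probe' would be denied ($verdict), live config left untouched" >&2
           rm -f "$tmp"; return 1 ;;
    esac

    # 5. Only now replace the live file.
    "$doas_bin" cp "$tmp" "$conf" && rc=0 || rc=1
    rm -f "$tmp"
    return $rc
}
```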
Additionally, the authentication information includes the parent shell process ID. This means that executing doas again in a shell script will require authentication. Or, to repeat that another way, if you run a script or program of uncertain quality, it won’t be able to silently elevate privileges.
You know, I (and others, even) specifically considered that, but then I somehow convinced myself that the execed process would still have a different parent. :(
There’s a reason the official documentation doesn’t explain this point. That way it can’t be wrong. :)
The way the persist feature is implemented is very smart and it’s the first feature that is really not portable, though I fully understand the decision to avoid sudo-like timestamp/cookie/ticket files.
One thing I wonder is why it doesn’t have a login-backoff sleep as described in login.conf(5); is it considered useless?
Linux-PAM has a pam_timestamp module which could be used to provide this feature, but there is no way to use the PAM API to open a session as the target user while authenticating the requesting user without breaking the pam_timestamp module.
I wish doas would tell me about the usual lecture from the local system administrator. I wish it would report incidents to an unknown entity.
Other than that, it’s a much better alternative to sudo. I really like it so far.
They are logged to syslog, it’s your decision what you do with logs, there are ways to filter and forward them ;).
FWIW, and especially for those running the just-released 6.0, persist is only available in -current.
I really enjoyed the first time I used doas. The interface is very self explanatory.
Anyone else running FreeBSD and see this?
Looks like there was a bug that would close stdout if nopass was set.
Nice, thanks!
https://www.openbsd.org/faq/faq8.html
Thanks, I totally forgot about single user mode!
This is one strength to visudoers, it does a little syntax check before saving.
su?
I had a passwordless root account, but I managed to reset it by booting into single user mode
Unless it uses exec().