DaemonForums: OpenBSD Security

Restrict doas.conf to syspatch only

#1, 18th October 2018, bsd007:

I want to allow my regular account to run only syspatch.

I added this to doas.conf:

Code:
$ cat /etc/doas.conf
permit myusername /usr/sbin/syspatch

But I get this:

Code:
$ doas syspatch
doas: syntax error at line 1

#2, 18th October 2018, LeFrettchen:

I think you need to specify the command with cmd; it should be more like:

Code:
permit myusername as root cmd /usr/sbin/syspatch

#3, 18th October 2018, bsd007:

I tried with:

Code:
$ cat /etc/doas.conf
permit myusername as root cmd /usr/sbin/syspatch

Code:
$ doas syspatch
doas: Operation not permitted

It's not working.

#4, 18th October 2018, fvgit:

Try your config again using the full path:
Code:
doas /usr/sbin/syspatch

#5, 18th October 2018, fvgit:

No, I meant the last config you posted. Above my reply:
Code:
$ cat /etc/doas.conf
permit myusername as root cmd /usr/sbin/syspatch
Now do a:
Code:
doas /usr/sbin/syspatch
This works for my test user.

edit:
Did you just delete your message, mate?

Last edited by fvgit; 18th October 2018 at 10:31 PM. Reason: Presumably bsd007's previous message was deleted

#6, 18th October 2018, bsd007:

Code:
$ cat /etc/doas.conf
permit myusername as root cmd /usr/sbin/syspatch

Code:
$ doas /usr/sbin/syspatch
doas: Operation not permitted

#7, 18th October 2018, fvgit:

Quote:
Originally Posted by bsd007
Code:
$ cat /etc/doas.conf
permit myusername as root cmd /usr/sbin/syspatch

Code:
$ doas /usr/sbin/syspatch
doas: Operation not permitted

That's weird, for me this combination works. I just tested it.

#8, 18th October 2018, bsd007:

Quote:
edit:
Did you just delete your message, mate?
Yes, because I misunderstood. I have now edited my message; please have a look.

#9, 18th October 2018, bsd007:

Quote:
Originally Posted by fvgit
That's weird, for me this combination works. I just tested it.

I am using 6.4. Is that causing an issue?

18th October 2018, fvgit:

Quote:
Originally Posted by bsd007
Yes, because I misunderstood. I have now edited my message; please have a look.

Ah, I see. We need to slow down our conversation to avoid confusion.

Mind you that I'm still on 6.3. Haven't had time to upgrade, yet.

18th October 2018, bsd007:

Okay I will wait.

18th October 2018, fvgit:

Quote:
Originally Posted by bsd007
I am using 6.4. Is that causing an issue?

Perhaps, I don't know.

BTW, I think you should post sequentially instead of editing your previous messages. Otherwise we'll end up in a communicative mess.

18th October 2018, bsd007:

Quote:
Originally Posted by fvgit
Perhaps, I don't know.

BTW, I think you should post sequentially instead of editing your previous messages. Otherwise we'll end up in a communicative mess.
Okay.

19th October 2018, LeFrettchen:

Code:
$ doas /usr/sbin/syspatch
doas: Operation not permitted

It looks like a password error.

doas(1) asks for myusername's password, not root's password.

Edit: also, you can add nopass to the doas.conf file, but it will lack security.
Now I assume it'll be ok with syspatch...

Code:
permit nopass myusername as root cmd /usr/sbin/syspatch
Last edited by LeFrettchen; 19th October 2018 at 12:31 AM. Reason: nopass

19th October 2018, bsd007:

Quote:
Originally Posted by LeFrettchen
Code:
$ doas /usr/sbin/syspatch
doas: Operation not permitted

It looks like a password error.

doas(1) asks for myusername's password, not root's password.

Edit: also, you can add nopass to the doas.conf file, but it will lack security.
Now I assume it'll be ok with syspatch...

Code:
permit nopass myusername as root cmd /usr/sbin/syspatch

It doesn't even ask for a password. After typing doas /usr/sbin/syspatch it goes straight to:

doas: Operation not permitted.

Please don't misunderstand, but I don't want to take the "nopass" route as it compromises security.

19th October 2018, TronDD:

Are you guys removing your user's access and just adding the line for syspatch or are you just tacking on the syspatch line?

It "works" if I just tack on the syspatch line because my usual "allow everything" still matches.

If you restrict the user to only /usr/sbin/syspatch, the user needs to run exactly '/usr/sbin/syspatch'. Just 'syspatch' doesn't work. Use the full path.

EDIT: Sorry, I just re-read the thread. I guess that doesn't work for bsd007.
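To make the three points raised so far in this thread concrete (the "syntax error at line 1" from post #1, fvgit's and TronDD's point that the user has to type exactly the path given after cmd, and TronDD's observation that an existing catch-all rule keeps matching), here is an added toy model of doas.conf rule evaluation in Python. It is an illustration written for this page, not doas(1) or any OpenBSD code. It assumes the doas.conf(5) grammar permit|deny [options] identity [as target] [cmd command [args ...]], that doas compares the cmd string textually against argv[0] as the user typed it, and that when several rules match the last one wins; the user names, groups and rules it feeds itself are constructed sample data.

```python
"""Toy model of doas.conf rule matching (added illustration, not doas(1)).

Models the doas.conf(5) semantics this thread trips over: a rule is
    permit|deny [options] identity [as target] [cmd command [args ...]]
so a bare path after the identity is a syntax error; the command is compared
textually with what the user typed as argv[0], so `cmd /usr/sbin/syspatch`
matches `doas /usr/sbin/syspatch` but not `doas syspatch`; and when several
rules match, the last one wins.  `setenv {...}` is not modelled.
User names, groups and paths in the demo are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}


class ConfigSyntaxError(Exception):
    """Mirrors the 'doas: syntax error at line N' diagnostic."""


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    options: Set[str]
    identity: str                      # user name, or ":group"
    target: str = "root"               # `as` target; doas defaults to root
    cmd: Optional[str] = None          # None: any command
    args: Optional[List[str]] = None   # None: any args; []: no args allowed


def parse_rule(line: str, lineno: int) -> Optional[Rule]:
    words = line.split("#", 1)[0].split()      # strip comments and whitespace
    if not words:
        return None
    if words[0] not in ("permit", "deny"):
        raise ConfigSyntaxError(f"syntax error at line {lineno}")
    rest, options = words[1:], set()
    while rest and rest[0] in OPTIONS:         # options sit before the identity
        options.add(rest.pop(0))
    if not rest:
        raise ConfigSyntaxError(f"syntax error at line {lineno}")
    rule = Rule(words[0], options, rest.pop(0))
    if len(rest) >= 2 and rest[0] == "as":
        rule.target, rest = rest[1], rest[2:]
    if len(rest) >= 2 and rest[0] == "cmd":
        rule.cmd, rest = rest[1], rest[2:]
        if rest and rest[0] == "args":         # `args` alone means "no arguments"
            rule.args, rest = rest[1:], []
    if rest:   # leftover token, e.g. a path given without the `cmd` keyword
        raise ConfigSyntaxError(f"syntax error at line {lineno}")
    return rule


def parse_config(conf: str) -> List[Rule]:
    rules = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        rule = parse_rule(line, lineno)
        if rule is not None:
            rules.append(rule)
    return rules


def config_error(conf: str) -> Optional[str]:
    """Return the syntax error for conf, or None when it parses cleanly."""
    try:
        parse_config(conf)
    except ConfigSyntaxError as exc:
        return str(exc)
    return None


def matches(rule: Rule, user: str, groups: Set[str], target: str,
            argv: List[str]) -> bool:
    if rule.identity.startswith(":"):
        if rule.identity[1:] not in groups:
            return False
    elif rule.identity != user:
        return False
    if rule.target != target:
        return False
    if rule.cmd is not None:
        if rule.cmd != argv[0]:                # exact string compare, no PATH lookup
            return False
        if rule.args is not None and rule.args != argv[1:]:
            return False
    return True


def check(conf: str, user: str, groups: Set[str], argv: List[str],
          target: str = "root") -> str:
    """Like `doas -C conf cmd ...`: return 'permit', 'permit nopass' or 'deny'."""
    last = None
    for rule in parse_config(conf):
        if matches(rule, user, groups, target, argv):
            last = rule                        # keep going: the last match decides
    if last is None or last.action == "deny":
        return "deny"
    return "permit nopass" if "nopass" in last.options else "permit"


if __name__ == "__main__":
    u, g = "myusername", {"wheel"}
    strict = "permit myusername as root cmd /usr/sbin/syspatch\n"
    print(config_error("permit myusername /usr/sbin/syspatch"))      # post #1's error
    print(check(strict, u, g, ["syspatch"]))                         # deny: bare name
    print(check(strict, u, g, ["/usr/sbin/syspatch"]))               # permit
    print(check("permit myusername\n" + strict, u, g, ["/bin/sh"]))  # permit: catch-all wins
    print(check(strict.replace("syspatch\n", "syspatch args\n"), u, g,
                ["/usr/sbin/syspatch", "-c"]))                       # deny: no args allowed
```

Run it directly to see the five cases printed. On an actual OpenBSD box the same question is answered by doas -C /etc/doas.conf /usr/sbin/syspatch, which parses the file and prints permit, permit nopass or deny without running anything; it also catches a misspelled user name in the rule, which shows up as deny for every command.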

19th October 2018, LeFrettchen:

Quote:
Originally Posted by bsd007
It doesn't even ask for a password

This is not the normal behavior; it should ask for a password.

Or maybe a username mismatch?

19th October 2018, LeFrettchen:

OK, after trying, nope it's not a password issue.
A password issue gives a doas: Authorization failed message.

Be sure your user is the right one.
Last edited by LeFrettchen; 18th February 2020 at 11:10 PM. Reason: Deleting useless stuff...

19th October 2018, bsd007:

Quote:
Originally Posted by LeFrettchen
This is not the normal behavior; it should ask for a password.

Or maybe a username mismatch?

You are right. It was a mistake I made while editing doas.conf.

Now it's working.

Thanks a lot.

19th October 2018, LeFrettchen:

You're welcome.