DaemonForums, OpenBSD Security forum

Help with doas.conf OpenBSD 6.5

Post #1, 15th May 2019, by hitest (George Nielsen):

Greetings!

When I run doas <anycommand> I get errors. For example:

Code:
beowulf$ doas syspatch
doas: syntax error at line 1
My /etc/doas.conf is:

Code:
permit hitest
This doas.conf file worked with OpenBSD 6.4. I have done some reading on man doas. Google results are a bit vague on this issue.
I would like user hitest to be able to execute any command like syspatch, pkg_add, etc. At the moment I'm using sudo. I would like to be able to run doas.
Do you have suggestions for a working /etc/doas.conf?
Thank you for any and all replies.

Post #2, 15th May 2019, by jggimi:

You'll find permit keepenv :wheel in /etc/examples/doas.conf. It appears to me that you've got such a simple configuration that it confuses the parser. Try adding an option, such as keepenv, and see if it suddenly works. If it does, you've discovered a bug.

(Last edited by jggimi; 15th May 2019 at 04:40 PM. Reason: typo)

Post #3, 15th May 2019, by hitest:

Many thanks for the reply, jggimi!
I've modified /etc/doas.conf:

Code:
cat /etc/doas.conf
permit keepenv :wheel
When I run doas syspatch this is the error I receive:

Code:
 doas syspatch
doas: syntax error at line 1
The only change I've made between OpenBSD 6.4 and 6.5 is that now my user is in the operator group. Very odd.

Post #4, 15th May 2019, by jggimi:

Does this file have a correct null termination on its one and only line? Is the file owned by root:wheel? Is it a symbolic link? Is it unreadable to your hitest user?

Post #5, 15th May 2019, by shep (Scott):

Code:
$ ls -al /usr/sbin/syspatch
-r-xr-xr-x  1 root  bin  9070 Apr 13 13:35 /usr/sbin/syspatch
Unless it has changed, you can utilize as many doas.conf lines as you want.

Code:
permit nopass :operator as root cmd /usr/sbin/syspatch
permit nopass :operator as root cmd /usr/local/libexec/openup

Post #6, 15th May 2019, by jggimi:

I'm sorry. I was asking about hitest's /etc/doas.conf file.


The doas(1) man pages list 4 reasons for non-zero return codes.

Post #7, 16th May 2019, by blackhole:

There needs to be a new line / carriage return at the end of the file (the one and only line) as jggimi suggests.

Just tested here and it works.
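The trailing-newline requirement this post describes, turned into a check you can run before editing /etc/doas.conf by hand again. This is an added example, not code from the thread or from the doas project; it assumes a POSIX sh with tail, od and mktemp, and it works on two constructed sample files in a temporary directory rather than on the real config. After fixing the real file, doas -C /etc/doas.conf parses it and reports errors without executing anything.

```shell
#!/bin/sh
# Added example (not from the thread): detect a doas.conf whose last line is
# not newline-terminated, which the OpenBSD 6.5 parser rejects with
# "doas: syntax error at line 1", and append the missing newline.

# Returns 0 if the final byte of $1 is a newline, 1 otherwise.
# An empty file is treated as unterminated.
ends_with_newline() {
    f=$1
    [ -s "$f" ] || return 1
    # Command substitution strips trailing newlines, so the captured last
    # byte is empty exactly when the file ends with '\n'.
    [ -z "$(tail -c 1 "$f")" ]
}

# Appends a newline to $1 only when it is missing; reports what it did.
fix_trailing_newline() {
    f=$1
    if ends_with_newline "$f"; then
        echo "$f: already newline-terminated"
    else
        printf '\n' >> "$f"
        echo "$f: appended missing newline"
    fi
}

# Demonstration on constructed files (the real target would be /etc/doas.conf).
demo() {
    d=$(mktemp -d)
    # nano-style result: the only line has no terminating newline
    printf 'permit keepenv :wheel' > "$d/bad.conf"
    # vi-style result: the line is properly terminated
    printf 'permit keepenv :wheel\n' > "$d/good.conf"
    for f in "$d/bad.conf" "$d/good.conf"; do
        printf '%s last byte: ' "$f"
        tail -c 1 "$f" | od -An -c   # shows "\n" only for the good file
        fix_trailing_newline "$f"
    done
    rm -rf "$d"
}

demo
```

The od output makes the defect visible: the bad file's last byte prints as the letter `l` from "wheel", the good file's as `\n`. Keep `doas -C` as the final step on the real file, since a missing newline is only one of the ways the parser can be made to reject a rule.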

Post #8, 16th May 2019, by hitest:

Quote:
Originally Posted by cynwulf View Post
There needs to be a new line / carriage return at the end of the file (the one and only line) as jggimi suggests.

Just tested here and it works.
Thank you, cynwulf! That works. Many thanks for the doas example, jggimi. This issue is solved.
There are many days when OpenBSD makes me feel stupid. Yesterday was one of those days. Very grateful to be a member of this forum.

Post #9, 16th May 2019, by jggimi:

Don't blame OpenBSD. Blame your text editor, as it gave you an invalid text file.

Post, 16th May 2019, by hitest:

Quote:
Originally Posted by jggimi View Post
Don't blame OpenBSD. Blame your text editor, as it gave you an invalid text file.
Haha. True enough, my friend!

Post, 16th May 2019, by IdOp:

It is funny, I remember once wanting to make a one-line "text" file without the newline at the end, and emacs kept putting one in automatically because it thought it was supposed to be there. Very frustrating, especially before I realized what was happening, but got around it some other way. I blame, of course, emacs.

Post, 17th May 2019, by blackhole:

Quote:
Originally Posted by hitest View Post
Thank you, cynwulf! That works. Many thanks for the doas example, jggimi. This issue is solved.
There are many days when OpenBSD makes me feel stupid. Yesterday was one of those days. Very grateful to be a member of this forum.
I suspect you're using the nano text editor or similar rather than vi(1)? Either that or some GUI based text editor perhaps?

I say this because I can reproduce your problem easily with nano (haven't tested with any other text editor) but not with vi(1), where I don't even need a new line as it terminates the file correctly.

(Perhaps it's tedu's way of ensuring that everyone uses a proper text editor... )

Post, 17th May 2019, by hitest:

Quote:
Originally Posted by cynwulf View Post
I suspect you're using the nano text editor or similar rather than vi(1)? Either that or some GUI based text editor perhaps?
Guilty as charged! Haha. Adding the extra carriage return solved the problem. Thanks again, cynwulf!

Post, 17th May 2019, by ibara:

FWIW, mg(1) will prompt you to add a newline if there isn't one when you go to save a file.

Post, 17th May 2019, by hitest:

Quote:
Originally Posted by ibara View Post
FWIW, mg(1) will prompt you to add a newline if there isn't one when you go to save a file.
Thanks for the tip, ibara!

Post, 17th May 2019, by blackhole:

Quote:
Originally Posted by hitest View Post
Guilty as charged! Haha. Adding the extra carriage return solved the problem. Thanks again, cynwulf!
I've used nano historically, but these days I stick to vi(1), even though I only know the basics. It's valuable because if you have to set up a system which is offline and has nothing installed from ports, it's all you have to rely on. Fortunately I learned the vi(1) basics many years ago (as I wasn't aware of the alternatives anyway).

As I recall I had some problems with nano saving out wrapping / truncated lines into the file as actual line breaks, when run from certain terminal emulators (can't remember which).

Post, 17th May 2019, by hitest:

Quote:
Originally Posted by cynwulf View Post
I've used nano historically, but these days I stick to vi(1), even though I only know the basics. It's valuable because if you have to set up a system which is offline and has nothing installed from ports, it's all you have to rely on.
Yes. I have used vi briefly and know only the most simple commands. I think this will be a good, new mini project to focus on. There's lots of vi support materials on the Internet. Thanks for the motivation, cynwulf.

Post, 18th May 2019, by frcc:

I think most BSD & Linux distros come with "ed" installed, so in some difficult situations you do have a minimal "line editor".

Post, 18th May 2019, by jggimi:

And there's a fun book to go with it. Ed Mastery, by Michael W. Lucas.

Post, 18th May 2019, by TheTKS:

Quote:
Originally Posted by cynwulf View Post
I suspect you're using the nano text editor or similar rather than vi(1)? Either that or some GUI based text editor perhaps?
I think this completely explains the trouble I was having in the thread in OpenBSD General, "Shutdown issue in 6.5". I was using nano.

I saved copies of some of the rc.conf.local files I made before and after putting my user into the operator group.

In one rc.conf.local, "pkg_scripts=messagebus" was the last line with no newline at the end. That explains the time I was not able to shutdown from Xfce after adding my user to the operator group.

In another rc.conf.local, "xenodm_flags=" was the last line with no newline at the end. That explains the time the xenodm login window was no longer launching.

I actually conscientiously (ha!) removed the newline in some of the rc.conf.local files that I made.

hitest, jggimi, cynwulf - your discussion here helped me learn something useful. Thanks. And like hitest, it may be time for me to use vi enough to actually learn it, even if I now better know how to use nano.

TKS