DaemonForums  

sudo(8) moving from base to ports

Post #1 by ocicat, 18th June 2015

Posted today on the ports@ mailing list:

http://marc.info/?t=143466002900006&r=1&w=2

Last edited by ocicat; 18th June 2015 at 10:25 PM. Reason: updated link now that responses have been made to thread...

Post #2 by Oko, 19th June 2015

Quote:
Originally Posted by ocicat
Posted today on the ports@ mailing list:

http://marc.info/?t=143466002900006&r=1&w=2

A little unexpected to be honest, as IIRC Todd Miller is one of the maintainers of sudo, so for practical purposes sudo is an OpenBSD-affiliated project. I guess all those cool features described in Sudo Mastery by Michael Lucas had as a side effect increased complexity of the code, which made it difficult to maintain in the base. Maybe Ibara can shed some light on the internal discussions among developers which led to this decision.

Post #3 by bsd-keith, 19th June 2015

Being a recent OBSD user, I was quite surprised it was in the default installation.
(I personally won't miss it, as I am happy to su when necessary.)
__________________
Linux since 1999, & also a BSD user.

Post #4 by jggimi, 19th June 2015

Quote:
Originally Posted by Oko
...Todd Miller is one of the maintainers of sudo, so for practical purposes sudo is an OpenBSD-affiliated project.

He has been maintaining it since 1993, and there is a web page full of contributors. While he is an OpenBSD developer also, that began some three years later, and this is an unaffiliated project.

The version in base is 1.7.2p8, which is five years old this month. Todd described it as "ancient" in his post. Looking at the port published yesterday, it appears to me that the technical reason we are on the old version in base is newer versions have a dependency on devel/gettext. The port has an LDAP flavor, which will likely be popular.

Last edited by jggimi; 19th June 2015 at 11:38 AM. Reason: clarity. tarball -> port

Post #5 by blackhole, 19th June 2015

Quote:
Originally Posted by bsd-keith
Being a recent OBSD user, I was quite surprised it was in the default installation.
(I personally won't miss it, as I am happy to su when necessary.)

Well, it's good software which many admins find useful and OpenBSD docs mention it a lot when referring to building from source and managing ports. e.g.

http://www.openbsd.org/faq/ports/ports.html#PortsConfig

The ISC licence is also compatible.

Post #6 by ocicat, 19th June 2015

su(1) implements an either-or scheme -- either one has the administrative password, or one does not, and if one has knowledge of the password, one has access to everything.

Keeping the password secret also becomes harder as more administrators are needed. Plus, this creates more instances where the password can be compromised.

sudo(8) implements a scheme where knowledge of the administrative password is not required, and administrative work can be divided between many, & each has access to only what they need -- not everything.

While this sounds bureaucratic in how to manage a staff, sudo(8) simplifies administrative tasks of single-user systems too.

The real value of sudo(8) is how an administrative policy can be flexibly constructed for large and small systems alike.

Readers are encouraged to read Michael Lucas' book on this very topic:

https://www.michaelwlucas.com/nonfiction/sudo-mastery

Highly recommended.
Reply With Quote
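
The contrast drawn in the post above between su(1) and sudo(8), written out as a sudoers fragment. This is an added example, not part of the original post; the user names and command lists are hypothetical.

```sudoers
# Constructed example: user names and command lists are hypothetical.

# su(1)-like grant: every member of wheel may run anything as anyone.
# This is the "access to everything" model, shown commented out.
# %wheel     ALL = (ALL) ALL

# Divided administration: each group of users gets only its own commands.
User_Alias  WEBADMINS = alice, bob
User_Alias  PKGADMINS = carol

# Commands are listed with full paths and exact arguments, so only these
# command lines match.
Cmnd_Alias  WEB_CMDS = /usr/sbin/rcctl restart httpd, \
                       /usr/sbin/rcctl reload httpd
Cmnd_Alias  PKG_CMDS = /usr/sbin/pkg_add -u

# Each user authenticates with their own password; nobody in these
# groups needs to know root's.
WEBADMINS   ALL = (root) WEB_CMDS
PKGADMINS   ALL = (root) PKG_CMDS
```

With this policy alice can restart httpd but a request such as `sudo rcctl restart sshd` is refused, and the refusal is logged under her own name. Edit the file with visudo(8) so that a syntax error is caught before the policy is installed.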

Post #7 by Peter_APIIT, 23rd June 2015

Helpful explanation.

Post #8 by ocicat, 3rd July 2015

It's official now:

Curious readers may enjoy perusing the sudo project's website:

http://www.sudo.ws/

...along with a blog entry from tedu@ mentioned on http://undeadly.org:

http://www.tedunangst.com/flak/post/...-with-the-less

Long live sudo!

Post #9 by ocicat, 4th July 2015

A new entry in Following -current has been added describing the removal of the old version of sudo(8). This will be of particular interest to those upgrading from older versions of -current.

Post by ocicat, 17th July 2015

sudo has received another revision prior to tagging OpenBSD 5.8-release:

http://marc.info/?l=openbsd-ports-cv...4838426007&w=2

Not that I intend to post notices of all revisions, but the point is that sudo development is not static.

FYI.

Post by jggimi, 17th July 2015

And a replacement service called doas(8) has just been added to -current. It's undergoing lots of additional development -- -current users and other interested parties can track the various development threads via a tech@ mailing list archive or by subscribing to the list.

Post by betweendayandnight, 18th July 2015

Quote:
Originally Posted by ocicat
It's official now:
  • sudo(8) has been removed from base:

Based on your statement above, sudo is included in the base install of OpenBSD --release which is 5.7?

Post by betweendayandnight, 18th July 2015

Quote:
Originally Posted by jggimi
And a replacement service called doas(8) has just been added to -current.

Could you be a bit more specific please such as the date of the snapshot ISO which has doas(8)?

Is there a brief write-up on how to invoke doas(8) and use it?

Am I right to guess that doas(8) will be the default in OpenBSD 5.8 release version which, based on past trends, is due for release to the public sometime in November?

Post by sacerdos_daemonis, 18th July 2015

Quote:
Is there a brief write-up on how to invoke doas(8) and use it?

The man page.
Code:
NAME
doas — execute commands as another user
SYNOPSIS
doas     [-u user] command [args]
DESCRIPTION
The doas utility executes the given command as another user.
The options are as follows:

-u user
    Execute the command as user. The default is root.

EXIT STATUS
The doas utility exits 0 on success, and >0 if an error occurs. It may fail because of one of the following reasons:

    The config file could not be parsed.
    The user attempted an command which is not permitted.
    Entered passphrase is incorrect.

Post by ibara, 18th July 2015

Quote:
Originally Posted by betweendayandnight
Could you be a bit more specific please such as the date of the snapshot ISO which has doas(8)?

That's not how this works. The answer is "some snapshot after the time of that commit."
Fast archs (amd64, i386) already have doas in their snaps. Slower arches will take more time.

Quote:
Originally Posted by betweendayandnight
Am I right to guess that doas(8) will be the default in OpenBSD 5.8 release version which, based on past trends, is due for release to the public sometime in November?

Yes. November 1, 2015.

And to pre-empt the question, since someone is bound to think it:
If doas does not do something that sudo does, and you need that sudo feature, the correct way to deal with it is to
Code:
# pkg_add sudo
(In other words: doas is not designed to do everything sudo does intentionally.)

Post by ocicat, 18th July 2015

Quote:
Originally Posted by betweendayandnight
Based on your statement above, sudo is included in the base install of OpenBSD --release which is 5.7?

OpenBSD 5.7-release, given that it was officially released in May 2015, is now a static entity -- it will not be changed. sudo(8) was included in the 5.7-release base installation.

Post by betweendayandnight, 18th July 2015

Quote:
Originally Posted by ibara
Yes. November 1, 2015.

I like how OpenBSD updates its OS with new tricks (a.k.a. features) about once every six months. There's a novelty in using it.

Coming up second would be FreeBSD. And third place goes to Ubuntu.

Quote:
Originally Posted by ibara
If doas does not do something that sudo does, and you need that sudo feature, the correct way to deal with it is to. (In other words: doas is not designed to do everything sudo does intentionally.)

Oh..I see...I thought doas(8) was meant to be a total replacement for sudo(8).

If that's the case, why replace sudo(8) with doas(8) in the base system? Is it because of possible security vulnerabilities in sudo(8), correctness of software code, much like in the case of OpenSSL versus LibreSSL in which the latter is the de facto standard?

Post by ocicat, 18th July 2015

Quote:
Originally Posted by betweendayandnight
If that's the case, why replace sudo(8) with doas(8) in the base system?

Read tedu@'s article already mentioned in the following:

http://daemonforums.org/showpost.php...89&postcount=8

Post by ibara, 18th July 2015

The sudo in base was old. Having it in ports allows it to be updated basically in real-time (seeing as the person who maintains sudo is also an OpenBSD developer). It also allows for ldap and gettext flavors, for those who need it.