DaemonForums  

#1
9th April 2016
jjstorm
Package Pilot
Join Date: Nov 2014
Location: Buenos Aires, AR
Posts: 144
DOAS(1) rules

Here are the privileges that I have set so far.

Code:
permit nopass user as root cmd sh
permit nopass user as root cmd mount

How are you using DOAS(1)?
#2
9th April 2016
hanzer
Real Name: Adam Jensen
just passing through
Join Date: Oct 2013
Location: EST USA
Posts: 314

OpenBSD 5.8-stable (GENERIC)

I followed the FAQ and that produces decent results.

$ cat /etc/doas.conf
Code:
permit nopass keepenv { \
    FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \
    DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \
    MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \
    PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \
    SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
$ userinfo hanzer
Code:
login   hanzer
passwd  *
uid     1000
groups  hanzer wheel wsrc
change  NEVER
class   staff
gecos   Adam Jensen
dir     /home/hanzer
shell   /bin/ksh
expire  NEVER
#3
9th April 2016
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,301

Quote:
Originally Posted by jjstorm
How are you using DOAS(1)?
Simply specifying doas.conf(5) as the following:
Code:
permit nopass account-name as root
#4
10th April 2016
TronDD
Package Pilot
Join Date: Sep 2014
Posts: 186

Someone correct me, but if you allow a user to run a shell as root, aren't you effectively allowing them to run anything as root?

Tim.
#5
10th April 2016
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,570

That's correct.

I still use sudo, because occasionally I need to use its -i feature, which gives me a login shell. But often, when I need to do a lot of work, I just use sudo -s, which is the same as doas -s.

I also use sudoedit, which I liked very much; but I could live without it and am considering dropping sudo. I will need to add an alias in my shells, because decades of muscle memory will make the transition to doas difficult without it.
#6
10th April 2016
TronDD
Package Pilot
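The point TronDD raises and jggimi confirms (a rule whose cmd is a shell, or a rule with no cmd at all, is unrestricted root, and nopass removes the password check on top of that) can be checked mechanically. The following audit script is an added example written for this thread; it is not code from the thread, from OpenBSD or from doas. It parses the subset of doas.conf(5) syntax that appears in the posts above (permit/deny, nopass, keepenv/setenv with a braced list, an identity or :group, "as" target, "cmd", "args", and backslash line continuations), relies on the documented default that "as" is root when omitted, and runs over a constructed config that combines the rules posted here with a few made-up accounts (alice, bob, carol):

```python
"""Audit a doas.conf for rules that amount to unrestricted root.

Added example for this thread, not part of doas or OpenBSD. Handles the
doas.conf(5) subset used in the posts above; anything else raises ValueError.
"""
import os
import shlex

# Shells that a "cmd" restriction does not really restrict: a user who may
# run one of these as root can run any command as root.
SHELLS = {"sh", "ksh", "csh", "bash", "zsh"}

OPTIONS = ("nopass", "nolog", "persist", "keepenv", "setenv")

# Constructed sample: the rules posted in the thread plus a few extra lines
# (alice, bob, carol are made up) so the audit has both hits and non-hits.
SAMPLE_CONF = """\
permit nopass user as root cmd sh
permit nopass user as root cmd mount
permit nopass keepenv { \\
    ENV PS1 SSH_AUTH_SOCK } :wheel
permit alice as root cmd pkg_add   # password still required
permit bob as _postgres cmd psql
deny carol
"""


def _logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_doas_conf(text):
    """Parse the doas.conf(5) subset used here into a list of rule dicts."""
    rules = []
    for line in _logical_lines(text):
        toks = shlex.split(line)
        if toks[0] not in ("permit", "deny"):
            raise ValueError("rule must start with permit or deny: " + line)
        rule = {"action": toks[0], "options": set(), "keepenv": [], "setenv": [],
                "identity": None, "target": None, "cmd": None, "args": None}
        i = 1
        while i < len(toks) and toks[i] in OPTIONS:
            opt = toks[i]
            i += 1
            if opt in ("keepenv", "setenv") and i < len(toks) and toks[i] == "{":
                close = toks.index("}", i)      # braced variable list
                rule[opt] = toks[i + 1:close]
                i = close + 1
            else:
                rule["options"].add(opt)
        if i >= len(toks):
            raise ValueError("rule has no identity: " + line)
        rule["identity"] = toks[i]              # a user name or :group
        i += 1
        while i < len(toks):
            if toks[i] == "as":
                rule["target"] = toks[i + 1]
                i += 2
            elif toks[i] == "cmd":
                rule["cmd"] = toks[i + 1]
                i += 2
            elif toks[i] == "args":
                rule["args"] = toks[i + 1:]     # everything after "args"
                i = len(toks)
            else:
                raise ValueError("unexpected token %r in: %s" % (toks[i], line))
        rules.append(rule)
    return rules


def audit(rules):
    """Return (identity, reason) for each permit rule that is effectively
    'anything as root'; nopass is noted because it removes the last check."""
    findings = []
    for r in rules:
        # doas.conf(5): the "as" target defaults to root when omitted.
        if r["action"] != "permit" or (r["target"] or "root") != "root":
            continue
        cmd = r["cmd"]
        if cmd is None:
            reason = "no cmd restriction, so any command runs as root"
        elif os.path.basename(cmd) in SHELLS:
            reason = "cmd %r is a shell, equivalent to any command as root" % cmd
        else:
            continue
        if "nopass" in r["options"]:
            reason += " (nopass: no password is asked either)"
        findings.append((r["identity"], reason))
    return findings


if __name__ == "__main__":
    for who, why in audit(parse_doas_conf(SAMPLE_CONF)):
        print("%-8s %s" % (who, why))
```

Run as a script it reports the "cmd sh" rule and the :wheel rule (which has no cmd at all) and stays quiet about mount, pkg_add and the non-root target. To check a live system, replace SAMPLE_CONF with the contents of /etc/doas.conf; rules using syntax outside the subset above are reported as ValueError rather than silently skipped, so the audit never passes a file it did not fully understand.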
Join Date: Sep 2014
Posts: 186

I took the plunge and don't really miss sudo. I even still have to use sudo on many Linux systems and flip between the two all day without getting confused. The one thing I don't like, however, is since you don't get a login shell, you can't preserve nor load shell aliases. I am too used to my favorite ls flags and typing vi to get vim.

I had a modified doas that ran the shell as a login shell, but didn't need it enough to maintain it. You can also just run 'doas ksh -l' to get the login shell. Usually I don't think ahead to do that and just source my profile after the fact the rare times I really need it.

Tim.
#7
10th April 2016
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,570

OK, I'll start to use it.

But because it doesn't have the password timeout feature of sudo, nopass is a very attractive option.
#8
11th April 2016
jjstorm
Package Pilot
Join Date: Nov 2014
Location: Buenos Aires, AR
Posts: 144

Quote:
Originally Posted by jggimi
OK, I'll start to use it.

But because it doesn't have the password timeout feature of sudo, nopass is a very attractive option.
It's nice to be able to extend select commands to non root accounts without having to enter a password.
#9
11th April 2016
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,570

The nopass option assumes the user has physical control of her connection at all times.

One can use doas(1) with non-password authentication schema, via -a <style>, so I suppose it is possible to use mechanisms like a mounted usb key the user can take with her if she leaves her workstation unattended but logged in.