DaemonForums > OpenBSD > OpenBSD Security

Restrict doas.conf to syspatch only

bsd007 (3 Weeks Ago):

I want to allow my regular account to run only syspatch.

I added this to doas.conf.

Code:
$ cat /etc/doas.conf
permit myusername /usr/sbin/syspatch
But I get this

Code:
$ doas syspatch
doas: syntax error at line 1
__________________
OpenBSD 6.4
Intel(R) Core(TM) i3-6100 CPU
Ram 4GB
Intel HD Graphics

LeFrettchen (3 Weeks Ago):

I think you need to specify the command with cmd; it should be more like:

Code:
permit myusername as root cmd /usr/sbin/syspatch
__________________
The secret of wisdom is not wisdom itself, it's the road that leads us there.

bsd007 (3 Weeks Ago):

I tried with

Code:
$ cat /etc/doas.conf
permit myusername as root cmd /usr/sbin/syspatch
Code:
$ doas syspatch
doas: Operation not permitted
It's not working.

fvgit (3 Weeks Ago):

Try your config again using the full path:
Code:
doas /usr/sbin/syspatch

fvgit (3 Weeks Ago):

No, I meant the last config you posted. Above my reply:
Code:
$ cat /etc/doas.conf
permit myusername as root cmd /usr/sbin/syspatch
Now do a
Code:
doas /usr/sbin/syspatch
This works for my test user.

edit:
Did you just delete your message, mate?


bsd007 (3 Weeks Ago):

Code:
$ cat /etc/doas.conf
permit myusername as root cmd /usr/sbin/syspatch

Code:
$ doas /usr/sbin/syspatch
doas: Operation not permitted

fvgit (3 Weeks Ago):

Quote (bsd007):
Code:
$ cat /etc/doas.conf
permit myusername as root cmd /usr/sbin/syspatch

Code:
$ doas /usr/sbin/syspatch
doas: Operation not permitted

That's weird, for me this combination works. I just tested it.

bsd007 (3 Weeks Ago):

Quote (fvgit):
edit:
Did you just delete your message, mate?

Yes, because I misunderstood. I have now edited my message; please have a look.

bsd007 (3 Weeks Ago):

Quote (fvgit):
That's weird, for me this combination works. I just tested it.

I am using 6.4. Is that causing an issue?

fvgit (3 Weeks Ago):

Quote (bsd007):
Yes, because I misunderstood. I have now edited my message; please have a look.

Ah, I see. We need to slow down our conversation to avoid confusion.

Mind you that I'm still on 6.3. Haven't had time to upgrade, yet.

bsd007 (3 Weeks Ago):

Okay I will wait.

fvgit (3 Weeks Ago):

Quote (bsd007):
I am using 6.4. Is that causing an issue?

Perhaps, I don't know.

BTW, I think you should post sequentially instead of editing your previous messages. Otherwise we'll end up in a communicative mess.

bsd007 (3 Weeks Ago):

Quote (fvgit):
Perhaps, I don't know.

BTW, I think you should post sequentially instead of editing your previous messages. Otherwise we'll end up in a communicative mess.

Okay.

LeFrettchen (3 Weeks Ago):

Code:
$ doas /usr/sbin/syspatch
doas: Operation not permitted
It looks like a password error.

doas(1) asks for myusername's password, not root's password.

Edit: also, you can add nopass to the doas.conf file, but it will lack security.
Now I assume it'll be OK with syspatch...

Code:
permit nopass myusername as root cmd /usr/sbin/syspatch

bsd007 (3 Weeks Ago):

Quote (LeFrettchen):
Code:
$ doas /usr/sbin/syspatch
doas: Operation not permitted
It looks like a password error.

doas(1) asks for myusername's password, not root's password.

Edit: also, you can add nopass to the doas.conf file, but it will lack security.
Now I assume it'll be OK with syspatch...

Code:
permit nopass myusername as root cmd /usr/sbin/syspatch

It doesn't even ask for a password. After typing doas /usr/sbin/syspatch it goes straight to

doas: Operation not permitted.

Please don't misunderstand, but I don't want to take the "nopass" route as it compromises security.

TronDD (3 Weeks Ago):

Are you guys removing your user's access and just adding the line for syspatch or are you just tacking on the syspatch line?

It "works" if I just tack on the syspatch line because my usual "allow everything" still matches.

If you restrict the user to only /usr/sbin/syspatch, the user needs to run exactly '/usr/sbin/syspatch'. Just 'syspatch' doesn't work. Use the full path.

EDIT: Sorry, I just re-read the thread. I guess that doesn't work for bsd007.

LeFrettchen (3 Weeks Ago):

Quote (bsd007):
It doesn't even ask for a password

This is not the normal behavior, it should ask for a password.

Or maybe a username mismatch?

LeFrettchen (3 Weeks Ago):

OK, after trying, nope it's not a password issue.
A password issue gives a doas: Authorization failed message.

Be sure your user is the good one.

Could you please display the results of

Code:
cat /etc/doas.conf
and

Code:
users

bsd007 (3 Weeks Ago):

Quote (LeFrettchen):
This is not the normal behavior, it should ask for a password.

Or maybe a username mismatch?

You are right. It was a mistake I made while editing doas.conf.

Now it's working.

Thanks a lot.

LeFrettchen (3 Weeks Ago):

You're welcome.
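To make the rule-matching behaviour discussed in this thread concrete (TronDD's point that a rule with `cmd /usr/sbin/syspatch` matches only that exact string, not a bare `syspatch`; LeFrettchen's observation that a denial arrives before any password prompt, which is why an identity mismatch looks like "Operation not permitted" rather than "Authorization failed"; and the `nopass` option), here is a small Python model of how doas evaluates doas.conf. It is an added example written for this page, not code from the thread or from OpenBSD's doas(1). It assumes a subset of the doas.conf(5) grammar (`permit`/`deny`, the `nopass`/`persist`/`keepenv` options, a user or `:group` identity, `as`, and `cmd`; `args` and `setenv` are not modelled) and the documented rule that the last matching rule decides. The user names `alice`/`bob` and the configuration strings are constructed for the example.

```python
"""Simplified model of doas.conf rule evaluation (added example, not OpenBSD's doas)."""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Subset of the doas.conf(5) grammar handled here (an assumption of this example):
#   permit|deny [nopass|persist|keepenv ...] identity [as target] [cmd command]
# 'args' and 'setenv' are not modelled.
OPTIONS = ("nopass", "persist", "keepenv")


@dataclass
class Rule:
    action: str              # "permit" or "deny"
    options: frozenset       # e.g. frozenset({"nopass"})
    identity: str            # user name, or ":group"
    target: Optional[str]    # "as root"; None matches any target user
    cmd: Optional[str]       # "cmd /usr/sbin/syspatch"; None matches any command


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one doas.conf line: None for blank/comment, ValueError for bad syntax."""
    toks = shlex.split(line, comments=True)
    if not toks:
        return None
    if toks[0] not in ("permit", "deny"):
        raise ValueError("syntax error")
    i, options = 1, set()
    while i < len(toks) and toks[i] in OPTIONS:   # options precede the identity
        options.add(toks[i])
        i += 1
    if i >= len(toks):
        raise ValueError("syntax error")          # the identity is mandatory
    identity, i = toks[i], i + 1
    target = cmd = None
    while i < len(toks):
        if toks[i] == "as" and i + 1 < len(toks):
            target, i = toks[i + 1], i + 2
        elif toks[i] == "cmd" and i + 1 < len(toks):
            cmd, i = toks[i + 1], i + 2
        else:
            # A bare path after the identity, as in the first post's
            # 'permit myusername /usr/sbin/syspatch', ends up here.
            raise ValueError("syntax error")
    return Rule(toks[0], frozenset(options), identity, target, cmd)


def load_config(text: str) -> List[Rule]:
    """Parse a whole doas.conf, reporting the first bad line the way doas does."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
        except ValueError:
            raise ValueError(f"doas: syntax error at line {lineno}") from None
        if rule is not None:
            rules.append(rule)
    return rules


def syntax_error_line(text: str) -> Optional[int]:
    """Line number of the first syntax error, or None if the file parses."""
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parse_rule(line)
        except ValueError:
            return lineno
    return None


def decide(rules: Sequence[Rule], user: str, groups: Sequence[str],
           target: str, cmd: str) -> Optional[Rule]:
    """Return the last matching rule (doas.conf(5): the last match decides), or None."""
    winner = None
    for r in rules:
        if r.identity.startswith(":"):
            if r.identity[1:] not in groups:
                continue
        elif r.identity != user:
            continue
        if r.target is not None and r.target != target:
            continue
        # doas compares the cmd string byte-for-byte with the command as typed,
        # so 'syspatch' does not match 'cmd /usr/sbin/syspatch'.
        if r.cmd is not None and r.cmd != cmd:
            continue
        winner = r
    return winner


def outcome(conf: str, user: str, cmd: str, groups: Sequence[str] = (),
            target: str = "root") -> str:
    """What the user sees: a denial, a password prompt, or password-free success."""
    rule = decide(load_config(conf), user, groups, target, cmd)
    if rule is None or rule.action == "deny":
        return "doas: Operation not permitted"   # denied before any password prompt
    if "nopass" in rule.options:
        return "permitted without password"
    return "permitted after password prompt"


if __name__ == "__main__":
    # Constructed config; 'alice' is a made-up user name.
    restricted = "permit alice as root cmd /usr/sbin/syspatch\n"
    print(outcome(restricted, "alice", "/usr/sbin/syspatch"))   # password prompt
    print(outcome(restricted, "alice", "syspatch"))             # not permitted
    print(outcome(restricted, "bob", "/usr/sbin/syspatch"))     # not permitted: identity mismatch
    print(syntax_error_line("permit alice /usr/sbin/syspatch\n"))   # 1
```

Running the block reproduces the three situations from the thread: the first post's line without `cmd` is a syntax error at line 1, the restricted rule permits only the full path and only for the named identity, and a rule that matches nothing yields "Operation not permitted" with no password prompt at all. Adding `nopass` changes only the last step, which is why it is no help when the rule itself does not match.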