DOAS(1) rules

[jjstorm]

Here are the privileges that I have set so far.

Code:

permit nopass user as root cmd sh
permit nopass user as root cmd mount

How are you using DOAS(1)?

[hanzer]

OpenBSD 5.8-stable (GENERIC)

I followed the FAQ and that produces decent results.

$ cat /etc/doas.conf

Code:

permit nopass keepenv { \
    FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \
    DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \
    MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \
    PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \
    SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel

$ userinfo hanzer

Code:

                                                                                       
login   hanzer
passwd  *
uid     1000
groups  hanzer wheel wsrc
change  NEVER
class   staff
gecos   Adam Jensen
dir     /home/hanzer
shell   /bin/ksh
expire  NEVER

[ocicat]

Quote:

Originally Posted by jjstorm

How are you using DOAS(1)?

Simply specifying doas.conf(5) as the following:

Code:

permit nopass account-name as root

[TronDD]

Someone correct me, but if you allow a user to run a shell as root, aren't you effectively allowing them to run anything as root?

Tim.

[jggimi]

That's correct.

I still use sudo, because occasionally I need to use its -i feature, which gives me a login shell. But often, when I need to do a lot of work, I just use sudo -s, which is the same as doas -s.

I also use sudoedit, which I liked very much; but I could live without it and am considering dropping sudo. I will need to add an alias in my shells, because decades of muscle memory will make the transition to doas difficult without it.

[TronDD]

I took the plunge and don't really miss sudo. I even still have to use sudo on many linux systems and flip between the two all day without getting confused. The one thing I don't like, however, is since you don't get a login shell, you can't preserve nor load shell aliases. I am too used to my favorite ls flags and typing vi to get vim.

I had a modified doas that ran the shell as a login shell, but didn't need it enough to maintain it. You can also just run 'doas ksh -l' to get the login shell. Usually I don't think ahead to do that and just source my profile after the fact the rare times I really need it.

Tim.

[jggimi]

Ok, i'll start to use it.

But because it doesn't have the password timeout feature of sudo, nopass is a very attractive option.

[jjstorm]

Quote:

Originally Posted by jggimi

Ok, i'll start to use it.

But because it doesn't have the password timeout feature of sudo, nopass is a very attractive option.

It's nice to be able to extend select commands to non root accounts without having to enter a password.

[jggimi]

The nopass option assumes the user has physical control of her connection at all times.

One can use doas() with non-password authentication schema, via -a <style>, so I suppose it is possible to use mechanisms like a mounted usb key the user can take with her if she leaves her workstation unattended but logged in.