DOAS(1) rules
Here are the privileges that I have set so far.
Code:
permit nopass user as root cmd sh
permit nopass user as root cmd mount

How are you using DOAS(1)?

Someone correct me, but if you allow a user to run a shell as root, aren't you effectively allowing them to run anything as root?
Tim.

That's correct.
I still use sudo, because occasionally I need to use its -i feature, which gives me a login shell. But often, when I need to do a lot of work, I just use sudo -s, which is the same as doas -s. I also use sudoedit, which I liked very much; but I could live without it and am considering dropping sudo. I will need to add an alias in my shells, because decades of muscle memory will make the transition to doas difficult without it.

I took the plunge and don't really miss sudo. I even still have to use sudo on many Linux systems and flip between the two all day without getting confused. The one thing I don't like, however, is since you don't get a login shell, you can't preserve nor load shell aliases. I am too used to my favorite ls flags and typing vi to get vim.
I had a modified doas that ran the shell as a login shell, but didn't need it enough to maintain it. You can also just run 'doas ksh -l' to get the login shell. Usually I don't think ahead to do that and just source my profile after the fact the rare times I really need it.
Tim.

It's nice to be able to extend select commands to non root accounts without having to enter a password.

The nopass option assumes the user has physical control of her connection at all times.
One can use doas() with non-password authentication schema, via -a <style>, so I suppose it is possible to use mechanisms like a mounted usb key the user can take with her if she leaves her workstation unattended but logged in.
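
The two points raised in this thread, that a rule permitting a shell as root is effectively unrestricted root and that nopass removes the password check, can be audited mechanically. The script below is an added example, not code from any poster: it reads doas.conf rules and reports permit rules targeting root that name a shell or no cmd at all. The function names, the list of shell names, and every sample rule after the first two are assumptions constructed for illustration.

```sh
# Added example, not from the thread. Rule grammar per doas.conf(5);
# backslash line continuations are not handled (assumption).
audit_doas_rules() {    # doas.conf text on stdin, one finding per line on stdout
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                       # drop comments
        set -f; set -- $line; set +f           # split into words, no globbing
        [ "${1:-}" = permit ] || continue      # skip blank lines and deny rules
        shift
        nopass=no who= target= cmd= pinned=no
        while [ $# -gt 0 ]; do
            case $1 in
                nopass) nopass=yes ;;
                nolog|persist|keepenv) ;;
                setenv) while [ $# -gt 1 ]; do  # skip the { ... } block
                            case $1 in *"}") break ;; esac; shift
                        done ;;
                as)  [ $# -ge 2 ] && { target=$2; shift; } ;;
                cmd) cmd=${2:-}
                     [ "${3:-}" = args ] && pinned=yes  # exact argv is required
                     break ;;
                *)   [ -n "$who" ] || who=$1 ;;  # first plain word is the identity
            esac
            shift
        done
        case ${target:-root} in root) ;; *) continue ;; esac  # no "as" = any user
        [ "$pinned" = no ] || continue         # shell pinned to fixed args: skip
        case ${cmd##*/} in
            "") why="no cmd given so any command is allowed" ;;
            sh|ksh|csh|bash|zsh) why="cmd $cmd is a shell" ;;  # assumed shell list
            *)  continue ;;
        esac
        echo "line $lineno: $who has unrestricted root ($why, nopass=$nopass)"
    done
}

sample_conf() {    # first two rules are the ones posted above; the rest constructed
    cat <<'EOF'
permit nopass user as root cmd sh
permit nopass user as root cmd mount
permit persist :wheel   # constructed
permit nopass user as root cmd sh args /etc/backup.sh
deny user as root cmd ksh
permit user as www cmd ksh
EOF
}

sample_conf | audit_doas_rules
```

On a live system the same function can be fed the real file with `audit_doas_rules < /etc/doas.conf`.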