DaemonForums  

Go Back   DaemonForums > DaemonForums.org > News

News News regarding BSD and related.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 2nd May 2023
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default Two core Unix-like utilities, sudo and su, are getting rewrites in Rust

From https://arstechnica.com/information-...rites-in-rust/:
Quote:
Two of the most fundamental tools of the modern Unix-like command line, sudo and su, are being rewritten in the modern language Rust as part of a wider effort to get critical but aging infrastructure pieces replaced by memory-safe counterparts.
As detailed at Prossimo, a joint team from Ferrous Systems and Tweede Golf, with support from Amazon Web Services, is reimplementing sudo and su. These utilities allow a user to perform actions with the privileges of another user (typically a higher-level superuser) without having to learn and enter that other user's password. Given their age and wide usage, the Prossimo team believes it's time for a rework.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #2   (View Single Post)  
Old 2nd May 2023
bsd-keith bsd-keith is offline
Real Name: Keith
Open Source Software user
 
Join Date: Jun 2014
Location: Surrey/Hants Border, England
Posts: 344
Default

Interesting, but wasn't that the reason behind the creating of doas.
__________________
Linux since 1999, & also a BSD user.
Reply With Quote
  #3   (View Single Post)  
Old 2nd May 2023
Onauk's Avatar
Onauk Onauk is offline
Real Name: Thomas
Fdisk Soldier
 
Join Date: Jan 2023
Location: France
Posts: 60
Default

This rewrite seems to be a drop-in replacement of sudo and su which is not the case for doas.
Reply With Quote
  #4   (View Single Post)  
Old 2nd May 2023
blackhole's Avatar
blackhole blackhole is offline
Spam Deminer
 
Join Date: Mar 2014
Posts: 316
Default

Quote:
Originally Posted by bsd-keith View Post
Interesting, but wasn't that the reason behind the creating of doas.
I seem to recall that one of the reasons doas came about was because sudo gained a dependency on a certain lib with a GPL licence, meaning sudo in OpenBSD base was well behind.
Reply With Quote
  #5   (View Single Post)  
Old 2nd May 2023
Head_on_a_Stick's Avatar
Head_on_a_Stick Head_on_a_Stick is offline
Real Name: Matthew
Bitchy Nerd Elitist
 
Join Date: Dec 2015
Location: London
Posts: 461
Default

The creator of doas said that the complexities of sudo's configuration file caused them to make an alternative:
Quote:
Originally Posted by Ted Unangst
The core of the problem was really that some people like to use sudo to build elaborate sysadmin infrastructures with highly refined sets of permissions and checks and balances. Some people (me) like to use sudo to get a root shell without remembering two passwords. And so there was considerable tension trying to ship a default config that would mostly work with the second group, but not be too permissive for the first group.

Writing a small simple replacement meant that we could ship something in base which was totally unsuitable for the power sysadmin group. It could only work for me, and I would be happy. Meanwhile, those who truly needed all the flexibility of sudo would install it from ports, and they would be happy.
https://flak.tedunangst.com/post/doas

So doas is (potentially) more secure because of it's simplicity. I prefer this approach to the "rewrite it in Rust" mentality that has become prevalent.
Reply With Quote
  #6   (View Single Post)  
Old 3rd May 2023
Onauk's Avatar
Onauk Onauk is offline
Real Name: Thomas
Fdisk Soldier
 
Join Date: Jan 2023
Location: France
Posts: 60
Default

Quote:
Originally Posted by Head_on_a_Stick View Post
So doas is (potentially) more secure because of it's simplicity. I prefer this approach to the "rewrite it in Rust" mentality that has become prevalent.
I also prefer doas for my own use, however for AWS it makes sense to use sudo since the may need configurations which are impossible to do with doas.
Reply With Quote
  #7   (View Single Post)  
Old 10th May 2023
hitest's Avatar
hitest hitest is offline
Real Name: George Nielsen
VPN Cryptographer
 
Join Date: Sep 2008
Location: B.C., Canada
Posts: 373
Default

I like and use sudo, but, prefer doas on OpenBSD. It's very slick.
__________________
hitest
Reply With Quote
  #8   (View Single Post)  
Old 28th May 2023
thirdm thirdm is offline
Spam Deminer
 
Join Date: May 2009
Posts: 248
Default

Also prefer, for simplicity reasons, doas on systems where it's available and works. However, on my debian partition it didn't seem to work despite being offered. I didn't look into it further.

Rust in Linux notwithstanding, I'm not putting a lot of significance to this story, particularly for BSD. It's an old idea in two respects: 1. if you only re-wrote your code in Ada, modula II, Lisp, C++, Rust, Haskell, etc. is a very old mailing list troll subject. 2. it's common for language enthusiasts to re-implement smallish unix utilities in their favourite languages.

For #2 I'd give the Perl example of File::Which. If you read its docs on metacpan you can see that there's proposed the justification that Windows lacks this utility lest someone think it just a lark, but I suppose most of the motivation was a (justifiable!) love of the Perl programming language and some free time.

The difference here is that the language memory safety issue might be given out as a more broad or serious justification and one seeming to have some cachet this year (particularly among Rust enthusiasts?). So they have a little money and foundation backing them. There will probably be some linux distro that takes this, but I'm guessing not mainstream ones or at least not Debian and Slackware (Slackware is still mainstream in these parts, no?).

It's interesting Ted Unangst's point on tension between sysadmin with complex requirements and more casual use. That tension runs deep through a lot of hobbiest use of BSD and Linux seems to me. As I get closer to retirement and don't aspire so much to have corporate exploitable skills, more and more I feel a draw to systems without so much pull from the work a day world. E.g. just downloaded Dragoro to play with -- not sure how far that will go, but it looks suitably uninfluenced by today's technical professional enthusiasms. And someday plan9, Minix or even Oberon, there's always someday.
Reply With Quote
  #9   (View Single Post)  
Old 31st May 2023
Onauk's Avatar
Onauk Onauk is offline
Real Name: Thomas
Fdisk Soldier
 
Join Date: Jan 2023
Location: France
Posts: 60
Default

Quote:
Originally Posted by thirdm View Post
Also prefer, for simplicity reasons, doas on systems where it's available and works. However, on my debian partition it didn't seem to work despite being offered. I didn't look into it further.
For what it's worth, I use doas with debian on a home server and it worked perfectly so far. sudo is not installed on this server.
Reply With Quote
Old 5th June 2023
thirdm thirdm is offline
Spam Deminer
 
Join Date: May 2009
Posts: 248
Default

Quote:
Originally Posted by Onauk View Post
For what it's worth, I use doas with debian on a home server and it worked perfectly so far. sudo is not installed on this server.
Taking the binary debian package, doas version 6.8.1, I can't get the permit persist feature to work. README.md from the debian source explains...

Quote:
Originally Posted by README
The persist feature is disabled by default and can be enabled with the configure
flag `--with-timestamp`.

This feature is new and potentially dangerous, in the original doas, a kernel API
is used to set and clear timeouts. This API is openbsd specific and no similar A[PI
is available on other operating systems.

As a workaround, the persist feature is implemented using timestamp files
similar to sudo.

See the comment block in `timestamp.c` for an in-depth description on how
timestamps are created and checked to be as safe as possible.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Upgrading VPS from single core to multi-core isn't automatically recognized openletter OpenBSD Installation and Upgrading 8 23rd December 2021 05:32 PM
Rust getting into mainline Linux kernel and AOSP e1-531g News 4 30th April 2021 10:14 AM
hide ip/mac from arp scanning utilities on openbsd sunfish117 OpenBSD Security 3 1st March 2021 12:59 PM
Rust programming language 1.0 released e1-531g News 1 19th May 2015 06:50 PM
HighPoint Rocket Raid Utilities paul-lkw FreeBSD Ports and Packages 0 3rd March 2009 05:41 AM


All times are GMT. The time now is 05:12 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick