Good Morning Guys,
For this post I have used DeepL to bring the following to you as well as possible, because English is unfortunately not my native language and my writing is not very good. So please excuse me.
I decided to try doas today and strictly followed the corresponding Archwiki article (https://wiki.archlinux.org/title/Doas).
After I had worked through this, doas also worked so far, except for the fact that the mentioned "doas persist feature" and "permit setenv { XAUTHORITY LANG LC_ALL } :wheel" did not work properly.
For example, the password was requested every time, and the locale was also not taken into account (pacman questions had to be answered with (Y/n) instead of (J/n) (German)).
After extensive internet research I found no solution and went to the official Arch Linux IRC. There I got a lot of help, for which I thank you very much (especially tirnanog).
There it was explained to me that doas.conf must be configured a little differently from what the wiki describes in order to use the two given functions, or that the wiki is a little misleading there.
My doas.conf looked like this after I followed the article:
permit :wheel
permit persist :wheel
permit setenv { XAUTHORITY LANG LC_ALL } :wheel
permit nopass :wheel as root cmd reboot
permit nopass :wheel as root cmd poweroff
This worked so far, but as mentioned the persist and locale function did not.
Unfortunately the article does not describe that the doas.conf is parsed the other way around.
So if you want the persist and locale function, it should look like this:
permit persist setenv { XAUTHORITY LANG LC_ALL } :wheel
permit nopass :wheel as root cmd reboot
permit nopass :wheel as root cmd poweroff
This works exactly as it should.
Likewise, the "suggestion" to "protect" doas.conf with the following is questionable:
chown -c root:root /etc/doas.conf
chmod -c 0400 /etc/doas.conf
Wouldn't 0600 be the better choice? 0400 can make editing awkward because some editors (such as vim) raise warnings in case they do not have the write bit in effect, even though this does not suppress root from being able to write to the file (< thanks to tirnanog again for this sentence, because I didn't know how to explain it better).
Since the file has root:root as owner and group, it is questionable anyway what 0400 is supposed to achieve. If it is meant to protect against changes (be it by foreign influence, virus, trojan, whatever), it achieves nothing anyway, because the respective person/application already has root rights and can simply bypass this.
I am curious about your suggestions.
Edit:
It might also be a nice idea to implement a package like visudo for opendoas. There exists a project for that: https://git.sr.ht/~insidepie/vidoas/tre … tem/vidoas @ https://git.sr.ht/~insidepie/vidoas
It does the same as visudo, including syntax checking. Maybe worth thinking about.
Edit2:
Created AUR packages for vidoas and a package like opendoas-sudo as a drop-in for visudo.
https://aur.archlinux.org/packages/vidoas
https://aur.archlinux.org/packages/vidoas-visudo
Last edited by tomekk228 (2022-08-18 10:51:10)
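The rule-ordering point behind the two doas.conf variants in the post, as an added example that is not part of the original post and not doas's own code: a small Python evaluator that applies doas's last-matching-rule semantics to both configs; the user `alice`, her group `wheel` and the commands looked up are assumptions.

```python
# Added example, not from the original post: a toy evaluator of doas.conf rule
# ordering. doas applies the LAST matching rule, so "persist" only takes effect
# on the rule that finally matches. Only the syntax subset the post uses is
# modelled (permit, persist/nopass/setenv options, ":group", "as", "cmd").
OPTION_WORDS = {"persist", "nopass", "nolog", "keepenv"}
WIKI_STYLE_CONF = """
permit :wheel
permit persist :wheel
permit setenv { XAUTHORITY LANG LC_ALL } :wheel
permit nopass :wheel as root cmd reboot
permit nopass :wheel as root cmd poweroff
"""
FIXED_CONF = """
permit persist setenv { XAUTHORITY LANG LC_ALL } :wheel
permit nopass :wheel as root cmd reboot
permit nopass :wheel as root cmd poweroff
"""

def parse_rule(line):
    """Split one rule into action, options, identity, target user and cmd."""
    toks = line.split()
    action, i, opts = toks[0], 1, {"setenv": []}
    while i < len(toks) and (toks[i] in OPTION_WORDS or toks[i] == "setenv"):
        if toks[i] == "setenv":            # setenv { NAME ... }
            close = toks.index("}", i)
            opts["setenv"], i = toks[i + 2:close], close + 1
        else:
            opts[toks[i]], i = True, i + 1
    identity, i, target, cmd = toks[i], i + 1, None, None
    while i + 1 < len(toks):               # optional "as user" / "cmd name"
        key, val, i = toks[i], toks[i + 1], i + 2
        if key == "as":
            target = val
        elif key == "cmd":
            cmd = val
    return dict(action=action, opts=opts, identity=identity, target=target, cmd=cmd)

def matching_rule(conf, user, groups, cmd, target="root"):
    """Return the last matching rule, as doas does, or None if none matches."""
    chosen = None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        rule = parse_rule(line)
        ident = rule["identity"]
        ident_ok = ident == user or (ident.startswith(":") and ident[1:] in groups)
        if ident_ok and rule["target"] in (None, target) and rule["cmd"] in (None, cmd):
            chosen = rule                  # later matches override earlier ones
    return chosen
```

For `alice` running `pacman`, the wiki-style config resolves to the bare `setenv` rule (no `persist`), while the fixed config resolves to the combined rule; `reboot` still hits the `nopass` rule in both.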