OpenBSD Journal

Ted Unangst on "doas mastery"

Contributed by nayden on from the not MWL dept.

Ted Unangst (tedu@) has written an item regarding doas:

It's been a year since the introduction of doas, so it's clearly time to write a book. Or maybe a pamphlet.

See his flak entry for the full story (and bear in mind he's referring to -current at the time of writing).



Comments
  1. By Anonymous Coward (82.68.199.130) on

    Regarding "persist", there is a restriction beyond what sudo does, "Additionally, the authentication information includes the parent shell process ID".

    Has anyone figured out a way to use this with the ports infrastructure without having doas ask for a password for every operation requiring privs?

    Comments
    1. By journeysquid (Tor) on http://www.openbsd.org/donations.html

      > Regarding "persist", there is a restriction beyond what sudo does, "Additionally, the authentication information includes the parent shell process ID".
      >
      > Has anyone figured out a way to use this with the ports infrastructure without having doas ask for a password for every operation requiring privs?

      Reading the docs is a good start.

      https://www.openbsd.org/faq/faq15.html#PortsConfig

      Comments
      1. By sthen (2a02:8011:7003:3:4f5:595e:6541:42bf) on

        > > Regarding "persist", there is a restriction beyond what sudo does, "Additionally, the authentication information includes the parent shell process ID".
        > >
        > > Has anyone figured out a way to use this with the ports infrastructure without having doas ask for a password for every operation requiring privs?
        >
        > Reading the docs is a good start.
        >
        > https://www.openbsd.org/faq/faq15.html#PortsConfig

        If you're not going to read the question asked, what's the point in making a useless RTFM post?

        > Re: Ted Unangst on (mod -7/65)

        That's just nuts.

    2. By Anonymous Coward (24.34.223.45) on

      > Regarding "persist", there is a restriction beyond what sudo does, "Additionally, the authentication information includes the parent shell process ID".
      >
      > Has anyone figured out a way to use this with the ports infrastructure without having doas ask for a password for every operation requiring privs?

      Also regarding "persist", is it possible to specify the amount of time that can pass before the password is required again? The man page for current says "After the user successfully authenticates, do not ask for a password again for some time." but does not note that time to be 5 minutes as the Tedu blog notes.

      Comments
      1. By rjc (rjc) on

        > Also regarding "persist", is it possible to specify the amount of time that can pass before the password is required again? The man page for current says "After the user successfully authenticates, do not ask for a password again for some time." but does not note that time to be 5 minutes as the Tedu blog notes.

        https://marc.info/?m=147314077009745

  2. By Anonymous Coward (119.247.89.48) on

    I want to change the gid (setgid) to run some program; can I use doas to do that?

    Thanks.

    Comments
    1. By Anonymous Coward (2a02:8109:43f:9e14:b227:c3ff:fe7d:9e20) on

      > I want to change the gid (setgid) to run some program; can I use doas to do that?

      No.

  3. By Anonymous Coward (2601:186:4400:2045:f927:6177:6b29:b9b8) on

    I recently moved a firewall to OpenBSD; in the process of doing so, I decided to change some scripts from using sudo to using doas, instead of installing sudo from ports.

    Kudos to Mr Unangst. Learning doas was a cakewalk, the doas.conf syntax was intuitive and the man page was excellent.

    It was so good to see sudo in the rear-view mirror that I downloaded the doas pkg on my FreeBSD servers and I'm converting them as well.

    Thanks!

  4. By Anonymous Coward (217.170.201.106) on

    Where can I download the portable version for Linux?

    Comments
    1. By Anonymous Coward (87.15.118.219) on

      > Where can I download the portable version for Linux?

      If you use voidlinux (and possibly other distros), it's called "opendoas", but
      WARNING WARNING WARNING: the portable version for Linux DOES NOT EXIST (yet?); that's an unofficial port.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]