Duncaen / OpenDoas

A portable fork of the OpenBSD `doas` command

how can i do "SUDO_ASKPASS" in doas? #34

Closed kevariable closed 3 years ago

hisacro commented 3 years ago

No, you cannot do that in doas; someone already raised a similar issue.

z0noxz commented 3 years ago

@kevariable I used ASKPASS with 'sudo', but after moving to 'doas' I found another solution using 'expect' as a wrapper. I do not know if this is of any help and I cannot guarantee the safety of it. So if you want to use it, it has to be at your own risk. I guess the risk depends on the use case. If you want to use it with something other than dmenu, then use the environment variable DOAS_ASKPASS or change the script. Maybe this could be of help...

https://noxz.tech/articles/askpass_implementation_for_doas/

```
#!/usr/bin/expect --

# askpass implementation for doas
# example usage: DOAS_ASKPASS="dmenu -P -p password:" doas_askpass echo working

# don't mind the man behind the curtain
log_user 0

# no command, then nothing to do
if { $argc == 0 } { exit 0 }

# treat all arguments as command input
set cmd [lrange $argv 0 end];

# read askpass from env or fall back to dmenu_pass
if {[info exists ::env(DOAS_ASKPASS)]} {
    set askpass "$::env(DOAS_ASKPASS)"
} else {
    set askpass "dmenu_pass password:"
}

# read password from user
set pwd [exec {*}$askpass]

# spawn doas operation
spawn doas {*}$cmd

# send password and execute command
expect "doas*password:" {
    send -- "$pwd\r"
    expect \r
    log_user 1
    expect eof
}
```

DomBito commented 2 years ago

How do I use this? When using SUDO_ASKPASS, I use the -A flag (sudo -A command). By the given example, I assume there's a custom "doas_askpass" command, but I can't find this command anywhere else in the webpage you linked.

z0noxz commented 2 years ago

doas_askpass is the expect script I've written above. Use it like the example usage in the comment says:

```
DOAS_ASKPASS="dmenu -P -p password:" doas_askpass echo working
```

edit: Copy the script and save it as doas_askpass in any of your $PATHs and make it executable.

DomBito commented 2 years ago

Cool, thanks! It doesn't handle errors properly, though. For example, if I do either

```
sudo ech "This is an echo command" 2>/dev/null || echo "It's a typo"
sudo -A ech "This is an echo command" 2>/dev/null || echo "It's a typo"
```

or

```
doas ech "This is an echo command" 2>/dev/null || echo "It's a typo"
```

It will correctly display "It's a typo". But this won't work when I do

```
doas_askpass ech "This is an echo command" 2>/dev/null || echo "It's a typo"
```

This will output `doas: ech: command not found`. Another weird thing is that for doas_askpass I need to do `1>/dev/null` to not get the regular doas error, when it's `2>/dev/null` when doing the actual doas command.

z0noxz commented 2 years ago

That's an effect of how Expect works. Expect's model of interaction does not include a separation of stdout and stderr streams. Without doing something to label the difference, Expect cannot distinguish them. The purpose of the script is not to handle errors in the way you describe, but rather to enable alternative input methods for password interaction.
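
Added example, not part of the thread or of OpenDoas: a variant of the `doas_askpass` wrapper above that exits with the status of the spawned `doas`, so that `||` and `&&` behave as they do with plain `doas`. It assumes the same `DOAS_ASKPASS` variable and prompt pattern as the script above, and that `doas` either prompts or exits within Expect's default 10-second timeout; the `failed` flag and the error message text are this example's own.

```tcl
#!/usr/bin/expect --
# Added example: doas_askpass variant that propagates the exit status of doas.

# hide the doas prompt exchange, as in the original script
log_user 0
if { $argc == 0 } { exit 0 }

# same convention as the original: helper command from DOAS_ASKPASS
if {[info exists ::env(DOAS_ASKPASS)]} {
    set askpass $::env(DOAS_ASKPASS)
} else {
    set askpass "dmenu_pass password:"
}

spawn doas {*}$argv
set failed 0

expect {
    "doas*password:" {
        # run the helper only once doas has actually prompted; a cancelled
        # or failing helper makes exec raise an error, so nothing is sent
        if {[catch {exec {*}$askpass} pw]} {
            set failed 1
            close
        } else {
            send -- "$pw\r"
            expect "\n"
            log_user 1
            set timeout -1   ;# let long-running commands finish
            expect eof
        }
    }
    eof {
        # doas exited without prompting (for example a denied request):
        # show what it printed while logging was off
        if {[info exists expect_out(buffer)]} {
            puts -nonewline $expect_out(buffer)
        }
    }
    timeout {
        puts stderr "doas_askpass: no password prompt seen"
        set failed 1
        close
    }
}

# wait returns: pid, spawn id, -1 on OS error (else 0), child exit status
lassign [wait] pid sid oserr status
if { $failed || $oserr != 0 } { exit 1 }
exit $status
```

Output from the command still arrives on the wrapper's stdout only, because the pseudo-terminal that Expect spawns the command on carries both streams together.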