Closed kevariable closed 3 years ago
@kevariable I used ASKPASS with 'sudo', but after moving to 'doas' I found another solution using 'expect' as a wrapper. I do not know if this is of any help and I cannot guarantee the safety of it. So if you want to use it, it has to be at your own risk. I guess the risk depends on the use case. If you want to use it with something other than dmenu, then use the environment variable DOAS_ASKPASS or change the script. Maybe this could be of help...
https://noxz.tech/articles/askpass_implementation_for_doas/
#!/usr/bin/expect --
# askpass implementation for doas
# example usage: DOAS_ASKPASS="dmenu -P -p password:" doas_askpass echo working

# don't mind the man behind the curtain
log_user 0

# no command, then nothing to do
if { $argc == 0 } { exit 0 }

# treat all arguments as command input
set cmd [lrange $argv 0 end];

# read askpass from env or fallback to dmenu_pass ()
if {[info exists ::env(DOAS_ASKPASS)]} {
    set askpass "$::env(DOAS_ASKPASS)"
} else {
    set askpass "dmenu_pass password:"
}

# read password from user
set pwd [exec {*}$askpass]

# spawn doas operation
spawn doas {*}$cmd

# send password and execute command
expect "doas*password:" {
    send -- "$pwd\r"
    expect \r
    log_user 1
    expect eof
}
How do I use this? When using SUDO_ASKPASS, I use the -A flag (sudo -A command). By the given example, I assume there's a custom "doas_askpass" command, but I can't find this command anywhere else in the webpage you linked.
doas_askpass is the expect script I've written above. Use it like the example usage in the comment says:
DOAS_ASKPASS="dmenu -P -p password:" doas_askpass echo working
edit:
Copy the script and save it as doas_askpass in any of your $PATHs and make it executable
Cool, thanks! It doesn't handle errors properly, though. For example, if I do either
sudo ech "This is an echo command" 2>/dev/null || echo "It's a typo"
sudo -A ech "This is an echo command" 2>/dev/null || echo "It's a typo"
or
doas ech "This is an echo command" 2>/dev/null || echo "It's a typo"
It will correctly display "It's a typo". But this won't work when I do
doas_askpass ech "This is an echo command" 2>/dev/null || echo "It's a typo"
This will output doas: ech: command not found. Another weird thing is that for doas_askpass I need to do 1>/dev/null to not get the regular doas error, when it's 2>/dev/null when doing the actual doas command.
That's an effect of how Expect works. Expect's model of interaction does not include a separation of stdout and stderr streams. Without doing something to label the difference, Expect cannot distinguish them. The purpose of the script is not to handle errors in the way you describe, but rather to enable alternative input methods for password interaction.
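Added example, not part of the thread and not the script author's code: a variant of the doas_askpass wrapper that hands the exit status of the doas child back to the calling shell, so that `doas_askpass ech ... || echo "It's a typo"` takes the `||` branch when doas exits non-zero. It assumes doas always prompts for a password (no nopass or persist rule), as the original script does. The child still runs on a single pseudo-terminal, so its error text continues to arrive on the wrapper's stdout.

```tcl
#!/usr/bin/expect --
# Added example: doas_askpass variant that returns the exit status of doas.
# Assumption: doas always asks for a password (no nopass/persist rule).
log_user 0

# no command, then nothing to do
if { $argc == 0 } { exit 0 }

# askpass helper from the environment, same fallback as the script above
if {[info exists ::env(DOAS_ASKPASS)]} {
    set askpass $::env(DOAS_ASKPASS)
} else {
    set askpass "dmenu_pass password:"
}

# a cancelled or failing askpass helper must not start doas at all
if {[catch {exec {*}$askpass} pw]} { exit 1 }

spawn doas {*}$argv
expect {
    "doas*password:" {
        send -- "$pw\r"
        expect \r
        log_user 1
        expect eof
    }
    eof {}
}
# drop the password from the interpreter as soon as it has been sent
unset pw

# wait returns {pid spawn_id os_error value}: value is the child's exit
# status when os_error is 0, otherwise an errno reported by the OS
lassign [wait] pid sid os_error status
if { $os_error != 0 } { exit 1 }
exit $status
```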
No, you cannot do that in doas; someone already raised a similar issue