not working for users with password set to "!" (exclamation mark)

[magiruuvelvet]

I'm trying to port a rule from sudo to doas for an application. In sudo you can run commands as other user even when the user is disabled (has its password set to an exclamation mark). doas just freezes on such users on the nopass option. Is this intentional design of doas or a bug? Any workaround other than setting a password for the user?

[Duncaen]

This should work with nopass set, I'm unable to reproduce the issue, maybe share the used configuration line. And are you using pam or shadow authentication?

[magiruuvelvet]

permit nopass http cmd pihole
permit nopass http cmd /usr/bin/pihole

I use PAM for authentication. I tried to set a password for the user, but it still freezes and I can't figure out where exactly it hangs. Could this be PAM related?

EDIT: sudo also used PAM on my system. I removed sudo by now. Distro is Gentoo Linux

[magiruuvelvet]

I figured out the problem. For testing purposes I was running doas command from within a su - user session to see if the rules are working. This makes PAM unhappy for some reason. su is using PAM too on my system.

Testing some privileged features from the pihole web interface are working and I can see the doas process for a second in my process monitor.

I guess this is a PAM security feature to deny nested authentications or something.

[Duncaen]

Weird, nested pam sessions should generally work as login or your desktop manager also open a session in which you are running sudo or doas. Are you sure its hanging in doas and not in su or the executed program?

I'm not really sure how to debug this properly other than a bunch of printf's in doas, attaching gdb or maybe somehow getting coredumps to work with the setuid binary and sending SIGABRT/SIGSEGV to see where it hangs if it is in doas and/or pam.