Timestamp are created with mode 000

[bricewge]

I was giving a try to doas on Linux (Guix), all went well until I used persist. The first call is fine, but the timestamp is created with mode 000 and subsequent call to doas return: doas: timestamp uid, gid or mode wrong.

Here is the state of /run/doas, after a first call using a rule with persist:

# ls -la /run/doas/
total 0
drwx------ 1 root root  62 29 janv. 09:03 .
drwxr-xr-x 1 root root 234 29 janv. 09:03 ..
---------- 1 root root   0 29 janv.  2021 11635-11635-34832-60385884-1000

[Duncaen]

The mode 000 is intended.

I think you installed the binary with u+s and g+s, while the default is to only used u+s.

With setgid the effective group ID is 0 and then the file is created as root:root, without setgid the file is created as root:user, which is checked for when trying to use the file as authentication source.

This is not really intended behavior and you shouldn't set the setgid bit, therefore I don't think I really want to add extra checks to also allow this setup too.

[Duncaen]

I reported this to the security team of GUIX because the default was concerning me and I found some examples where this is problematic, this is now changed in GUIX, which should resolve this.

https://issues.guix.gnu.org/46395

[bricewge]

@Duncaen Thank you for the answer and reporting the issue. I thought it was my customization on top of Guix which triggered the issue, or I would have submitted a hotfix.

I'm currently working on a patch set to integrate opendoas more tightly in Guix and being able to replace sudo with it.