Closed bricewge closed 3 years ago
The mode 000 is intended.
I think you installed the binary with u+s and g+s, while the default is to only use u+s.
With setgid the effective group ID is 0 and then the file is created as root:root; without setgid the file is created as root:user, which is checked for when trying to use the file as an authentication source.
This is not really intended behavior and you shouldn't set the setgid bit, therefore I don't think I really want to add extra checks to also allow this setup.
I reported this to the security team of GUIX because the default was concerning me and I found some examples where this is problematic; this is now changed in GUIX, which should resolve this.
@Duncaen Thank you for the answer and reporting the issue. I thought it was my customization on top of Guix which triggered the issue, or I would have submitted a hotfix.
I'm currently working on a patch set to integrate opendoas more tightly in Guix and to be able to replace sudo with it.
I was giving a try to doas on Linux (Guix), all went well until I used `persist`. The first call is fine, but the timestamp is created with mode 000 and subsequent calls to `doas` return: `doas: timestamp uid, gid or mode wrong`. Here is the state of `/run/doas`, after a first call using a rule with `persist`: