Duncaen / OpenDoas

A portable fork of the OpenBSD `doas` command

permit extended command #58

Closed dkwo closed 3 years ago

dkwo commented 3 years ago

What is the correct syntax to permit a command like

/usr/bin/xi -Su

in doas.conf? If I try with single quotation marks ' it gives an error.

stat -c %a /etc/doas.conf
440
cat /etc/doas.conf
permit :wheel
permit nopass dkwo cmd /usr/bin/brightness
permit nopass dkwo cmd /usr/bin/reboot
permit nopass dkwo cmd /usr/bin/poweroff

Thanks.

Duncaen commented 3 years ago

permit nopass dkwo cmd /usr/bin/xi args -Su

dkwo commented 3 years ago

Thank you.

dkwo commented 3 years ago

If I remove sudo, then something weird happens:

[nicolo@mabragor ~]$ groups nicolo
nicolo : nicolo wheel
[nicolo@mabragor ~]$ cat /etc/doas.conf
permit :wheel
permit nopass :wheel cmd /usr/bin/reboot
permit nopass :wheel cmd /usr/bin/xi args -Su
[nicolo@mabragor ~]$ xi -Su
doas (nicolo@mabragor) password:

Do you know why it is asking for password?

Duncaen commented 3 years ago

You are executing xi without doas, xi itself executes doas xbps-install for which you are asked to authenticate yourself.

Either use doas xi -Su or allow permit nopass :wheel cmd /usr/bin/xbps-install args -Su.

dkwo commented 3 years ago

edit: Sorry, I was dumb.

Thanks, but still

[nicolo@mabragor ~]$ doas reboot
doas (nicolo@mabragor) password:

[nicolo@mabragor ~]$ doas xi -Su
doas (nicolo@mabragor) password:

Duncaen commented 3 years ago

probably because PATH prefers /bin over /usr/bin, so don't specify the full path in doas.conf, i.e.:

permit nopass :wheel cmd xi args -Su

dkwo commented 3 years ago

Still something I do not understand:

[nicolo@mabragor ~]$ cat /etc/doas.conf
permit :wheel
permit nopass :wheel cmd /usr/bin/reboot
permit nopass :wheel cmd xi args -Su
[nicolo@mabragor ~]$ doas xi -Su
doas: Operation not permitted
[nicolo@mabragor ~]$ xi -Su
doas (nicolo@mabragor) password:

Duncaen commented 3 years ago

Test with doas -C /etc/doas.conf xi -Su. Also, is xi installed in /usr/bin or in your own path, or is it an alias or something like that?

dkwo commented 3 years ago

Now I get

[nicolo@mabragor ~]$ doas -C /etc/doas.conf xi -Su
permit
[nicolo@mabragor ~]$ doas xi -Su
doas (nicolo@mabragor) password:

xi is installed by the regular xtools package.

dkwo commented 3 years ago

What should be the correct line in /etc/doas.conf that allows a user in wheel to just use xi -Su?

Duncaen commented 3 years ago

permit :wheel as root cmd xi args -Su

Duncaen commented 3 years ago

The last rule that matches applies, so the order is important.

dkwo commented 3 years ago

With that, it still asks me for password:

[nicolo@mabragor ~]$ cat /etc/doas.conf
permit :wheel
permit nopass :wheel cmd /usr/bin/reboot
permit :wheel as root cmd xi args -Su
[nicolo@mabragor ~]$ xi -Su
doas (nicolo@mabragor) password:

dkwo commented 3 years ago

is it working differently for you?

dkwo commented 3 years ago

(What I meant is: being able to use xi -Su without being asked for password.)

Duncaen commented 3 years ago

You asked for "allows a user to use"; that will ask for the password. Add nopass if you don't want to be asked.

permit nopass :wheel as root cmd xi args -Su

dkwo commented 3 years ago

Still, I get asked for it

[nicolo@mabragor ~]$ cat /etc/doas.conf
permit :wheel
permit nopass :wheel cmd /usr/bin/reboot
permit nopass :wheel as root cmd xi args -Su
[nicolo@mabragor ~]$ xi -Su
doas (nicolo@mabragor) password:

Duncaen commented 3 years ago

This allows you to execute doas xi -Su.

To allow just xi -Su you would have to whitelist all arguments the xi script adds in the rule, which includes relative directories as repositories so it won't be safe.

dkwo commented 3 years ago

I see, but not even that works:

[nicolo@mabragor ~]$ doas xi -Su
doas: Operation not permitted

dkwo commented 3 years ago

is it enough to just edit the file, or am I supposed to restart something for the change to take effect?

Duncaen commented 3 years ago

cat /etc/doas.conf
doas -C /etc/doas.conf xi -Su
type xi
which xi
echo $PATH

dkwo commented 3 years ago

[nicolo@mabragor ~]$ cat /etc/doas.conf
permit :wheel
permit nopass :wheel cmd /usr/bin/reboot
permit nopass :wheel as root cmd xi args -Su
[nicolo@mabragor ~]$ doas -C /etc/doas.conf xi -Su
permit nopass
[nicolo@mabragor ~]$ type xi
xi is /usr/bin/xi
[nicolo@mabragor ~]$ which xi
/usr/bin/xi
[nicolo@mabragor ~]$ echo $PATH
/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin:/usr/local/bin
[nicolo@mabragor ~]$ doas xi -Su
doas: Operation not permitted

Duncaen commented 3 years ago

It's xi executing doas again as root. https://github.com/leahneukirchen/xtools/pull/208

Duncaen commented 3 years ago

You could work around this by allowing root to execute it as root until there is a release of xtools.

permit nopass root as root

or

permit nopass root as root cmd xbps-install

You could also apply the patch to /usr/bin/xi.

dkwo commented 3 years ago

I see, many thanks for helping with this!
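The two points that drove this thread are how doas picks a rule ("the last rule that matches applies") and why the `:wheel` rules never apply to the second doas invocation that xi makes as root. The following toy evaluator is an added example written for this page; it is not OpenDoas code. It models the subset of doas.conf used above (permit/deny, nopass, user and `:group` identities, `as target`, `cmd`, `args`), compares `cmd` literally against the command as typed and checks `args` for an exact argument list, and reports what `doas -C` prints. The config text, the group memberships and the `root` rule are constructed sample data, not read from any system.

```python
"""Toy doas.conf rule evaluator (added example, not OpenDoas code).

Models: permit/deny, nopass|persist|keepenv options, identity as a user name or
:group, optional `as <target>`, optional `cmd <command>`, optional `args ...`.
Every rule is checked in order and the LAST matching rule decides, which is why
rule order matters.  Group membership is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    ident: str                               # "user" or ":group"
    options: set = field(default_factory=set)  # e.g. {"nopass"}
    target: Optional[str] = None             # `as <user>`; None means any target
    cmd: Optional[str] = None                # None means any command
    args: Optional[list] = None              # None: any args; []: exactly no args


OPTIONS = {"nopass", "persist", "keepenv"}   # setenv { ... } is not modelled


def parse_conf(text):
    """Parse doas.conf lines into Rule objects (comments and blank lines skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        action = words.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in rule: {raw!r}")
        options = set()
        while words and words[0] in OPTIONS:
            options.add(words.pop(0))
        ident = words.pop(0)
        target = cmd = args = None
        while words:
            kw = words.pop(0)
            if kw == "as":
                target = words.pop(0)
            elif kw == "cmd":
                cmd = words.pop(0)
            elif kw == "args":
                args, words = words[:], []   # `args` alone means "no arguments"
            else:
                raise ValueError(f"unexpected token {kw!r} in rule: {raw!r}")
        rules.append(Rule(action, ident, options, target, cmd, args))
    return rules


def matches(rule, user, groups, target, cmd, cmdargs):
    """True if one rule applies to this user running `cmd cmdargs` as `target`."""
    if rule.ident.startswith(":"):
        if rule.ident[1:] not in groups:
            return False
    elif rule.ident != user:
        return False
    if rule.target is not None and rule.target != target:
        return False
    if rule.cmd is not None:
        if rule.cmd != cmd:                  # compared literally to argv[0] as typed
            return False
        if rule.args is not None and list(rule.args) != list(cmdargs):
            return False                     # `args` demands an exact argument list
    return True


def check(rules, user, groups, cmd, cmdargs=(), target="root"):
    """Return what `doas -C` would print: 'permit', 'permit nopass' or 'deny'."""
    last = None
    for rule in rules:
        if matches(rule, user, groups, target, cmd, cmdargs):
            last = rule                      # keep scanning: the last match wins
    if last is None or last.action != "permit":
        return "deny"
    return "permit nopass" if "nopass" in last.options else "permit"


# Constructed sample data: the thread's final config and the suggested workaround.
THREAD_CONF = """\
permit :wheel
permit nopass :wheel cmd /usr/bin/reboot
permit nopass :wheel as root cmd xi args -Su
"""
REORDERED_CONF = "permit nopass :wheel as root cmd xi args -Su\npermit :wheel\n"
WORKAROUND_CONF = THREAD_CONF + "permit nopass root as root cmd xbps-install\n"
GROUPS = {"nicolo": {"nicolo", "wheel"}, "root": {"root"}}


def demo():
    """Evaluate the situations from the thread and return the verdicts."""
    rules = parse_conf(THREAD_CONF)
    nicolo = GROUPS["nicolo"]
    return {
        "nicolo: doas xi -Su": check(rules, "nicolo", nicolo, "xi", ["-Su"]),
        "nicolo: doas /usr/bin/xi -Su": check(rules, "nicolo", nicolo, "/usr/bin/xi", ["-Su"]),
        "nicolo: doas xi -Su -v": check(rules, "nicolo", nicolo, "xi", ["-Su", "-v"]),
        "nicolo: reordered conf": check(parse_conf(REORDERED_CONF), "nicolo", nicolo, "xi", ["-Su"]),
        # xi re-runs doas as root; root is not in wheel, so no :wheel rule applies
        "root: doas xbps-install -Su": check(rules, "root", GROUPS["root"], "xbps-install", ["-Su"]),
        "root: with workaround": check(parse_conf(WORKAROUND_CONF), "root", GROUPS["root"], "xbps-install", ["-Su"]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32} -> {verdict}")
```

Running the script shows the thread's outcomes side by side: the typed `doas xi -Su` gets `permit nopass` from the third rule, a different command string or an extra argument falls back to the bare `permit :wheel` rule (password prompt), the reordered config asks for a password because `permit :wheel` is now the last match, and root's nested `doas xbps-install` is denied until the `root as root` rule is added.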