Closed dkwo closed 3 years ago
permit nopass dkwo cmd /usr/bin/xi args -Su
Thank you.
If I remove sudo, then something weird happens:
[nicolo@mabragor ~]$ groups nicolo
nicolo : nicolo wheel
[nicolo@mabragor ~]$ cat /etc/doas.conf
permit :wheel
permit nopass :wheel cmd /usr/bin/reboot
permit nopass :wheel cmd /usr/bin/xi args -Su
[nicolo@mabragor ~]$ xi -Su
doas (nicolo@mabragor) password:
Do you know why it is asking for password?
You are executing xi without doas, xi itself executes doas xbps-install for which you are asked to authenticate yourself.
Either use doas xi -Su or allow permit nopass :wheel cmd /usr/bin/xbps-install args -Su.
edit: Sorry, I was dumb.
Thanks, but still
[nicolo@mabragor ~]$ doas reboot
doas (nicolo@mabragor) password:
[nicolo@mabragor ~]$ doas xi -Su
doas (nicolo@mabragor) password:
probably because PATH prefers /bin over /usr/bin, so don't specify the full path in doas.conf, i.e.:
permit nopass :wheel cmd xi args -Su
Still something I do not understand:
[nicolo@mabragor ~]$ cat /etc/doas.conf
permit :wheel
permit nopass :wheel cmd /usr/bin/reboot
permit nopass :wheel cmd xi args -Su
[nicolo@mabragor ~]$ doas xi -Su
doas: Operation not permitted
[nicolo@mabragor ~]$ xi -Su
doas (nicolo@mabragor) password:
Test with doas -C /etc/doas.conf xi -Su, also is xi installed in /usr/bin or in your own path, or is it an alias or something like that?
Now I get
[nicolo@mabragor ~]$ doas -C /etc/doas.conf xi -Su
permit
[nicolo@mabragor ~]$ doas xi -Su
doas (nicolo@mabragor) password:
xi is installed by xtools regular package
What should be the correct line in /etc/doas.conf that allows a user in wheel to just use xi -Su?
permit :wheel as root cmd xi args -Su
The last rule that matches applies, so the order is important.
With that, it still asks me for password:
[nicolo@mabragor ~]$ cat /etc/doas.conf
permit :wheel
permit nopass :wheel cmd /usr/bin/reboot
permit :wheel as root cmd xi args -Su
[nicolo@mabragor ~]$ xi -Su
doas (nicolo@mabragor) password:
is it working differently for you?
(What I meant is: being able to use xi -Su without being asked for password.)
You asked for allows a user to use, it will ask for the password, add nopass if you don't want to be asked.
permit nopass :wheel as root cmd xi args -Su
Still, I get asked for it
[nicolo@mabragor ~]$ cat /etc/doas.conf
permit :wheel
permit nopass :wheel cmd /usr/bin/reboot
permit nopass :wheel as root cmd xi args -Su
[nicolo@mabragor ~]$ xi -Su
doas (nicolo@mabragor) password:
This allows you to execute doas xi -Su.
To allow just xi -Su you would have to whitelist all arguments the xi script adds in the rule, which includes relative directories as repositories so it won't be safe.
I see, but not even that works:
[nicolo@mabragor ~]$ doas xi -Su
doas: Operation not permitted
is it enough to just edit the file, or am I supposed to restart something for the change to take effect?
cat /etc/doas.conf
doas -C /etc/doas.conf xi -Su
type xi
which xi
echo $PATH
[nicolo@mabragor ~]$ cat /etc/doas.conf
permit :wheel
permit nopass :wheel cmd /usr/bin/reboot
permit nopass :wheel as root cmd xi args -Su
[nicolo@mabragor ~]$ doas -C /etc/doas.conf xi -Su
permit nopass
[nicolo@mabragor ~]$ type xi
xi is /usr/bin/xi
[nicolo@mabragor ~]$ which xi
/usr/bin/xi
[nicolo@mabragor ~]$ echo $PATH
/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin:/usr/local/bin
[nicolo@mabragor ~]$ doas xi -Su
doas: Operation not permitted
It's xi executing doas again as root. https://github.com/leahneukirchen/xtools/pull/208
You could work around this by allowing root to execute it as root until there is a release of xtools.
permit nopass root as root
or
permit nopass root as root cmd xbps-install
You could also apply the patch to /usr/bin/xi.
I see, many thanks for helping with this!
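The behaviour diagnosed in this thread, as an added example that is not part of the original discussion or of doas itself: a simplified Python model of doas rule evaluation, run against the final configuration posted above. It assumes the rule's cmd is compared as a literal string with the command as typed, that root is not a member of wheel, and it uses a constructed stand-in (NESTED) for the doas call that xi makes once it already runs as root.

```python
def parse(conf):
    """Parse the subset of doas.conf syntax used in the thread."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if not tok:
            continue
        rule = {"permit": tok.pop(0) == "permit", "nopass": tok[0] == "nopass",
                "target": None, "cmd": None, "args": None}
        if rule["nopass"]:
            tok.pop(0)
        rule["ident"] = tok.pop(0)           # "user" or ":group"
        if tok[:1] == ["as"]:
            rule["target"], tok = tok[1], tok[2:]
        if tok[:1] == ["cmd"]:
            rule["cmd"] = tok[1]
            if tok[2:3] == ["args"]:
                rule["args"] = tok[3:]       # left as None: any arguments match
        rules.append(rule)
    return rules

def matches(r, user, groups, argv, target):
    who = r["ident"][1:] in groups if r["ident"].startswith(":") else r["ident"] == user
    if not who or r["target"] not in (None, target):
        return False
    if r["cmd"] is None:
        return True
    # Assumption: cmd is compared literally with what was typed; args must match exactly.
    return r["cmd"] == argv[0] and r["args"] in (None, argv[1:])

def decide(rules, user, groups, argv, target="root"):
    """Verdict of the LAST matching rule; no match at all is a refusal."""
    last = None
    for r in rules:
        if matches(r, user, groups, argv, target):
            last = r
    if last is None or not last["permit"]:
        return "Operation not permitted"
    return "permit nopass" if last["nopass"] else "permit"

# Final configuration posted in the thread.
CONF = """permit :wheel
permit nopass :wheel cmd /usr/bin/reboot
permit nopass :wheel as root cmd xi args -Su
"""
NESTED = ["xbps-install", "-Su"]             # constructed stand-in, not xi's real argv

if __name__ == "__main__":
    rules = parse(CONF)
    print(decide(rules, "nicolo", {"nicolo", "wheel"}, ["xi", "-Su"]))
    print(decide(rules, "root", {"root"}, NESTED))
```

In this model the outer call by nicolo is allowed without a password, while the nested call made as root matches no rule at all; appending the suggested `permit nopass root as root cmd xbps-install` line gives that second call a matching rule.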
What is the correct syntax to permit a command like
in doas.conf? If I try with single quotation marks ' it gives an error.
Thanks.