Duncaen / OpenDoas

A portable fork of the OpenBSD `doas` command

always full path on command line required ? #75

Closed Tunoac closed 2 years ago

Tunoac commented 2 years ago

Coming from sudo, a config like `%plugdev ALL=(ALL:ALL) NOPASSWD: /usr/bin/smartctl` allows a user to execute `sudo smartctl` without password.

The same in doas, a config like `permit nopass :plugdev as root cmd /usr/bin/smartctl` requires `doas /usr/bin/smartctl` with full path on the command line, without full path it does not work.

Is this behaviour a bug, configurable or by design?

Duncaen commented 2 years ago

Use the path search, don't specify the absolute path; this way it will allow you to execute the program from the "safe" path or the path you define with setenv.

See man doas.conf:

     cmd command  The command the user is allowed or denied to run.  The
                  default is all commands.  Be advised that it is best to
                  specify absolute paths.  If a relative path is specified,
                  only a restricted PATH will be searched.

shahab-vahedi commented 2 years ago

@Duncaen Could you elaborate how this restricted/safe PATH is derived? I've looked into the man pages, but found nothing in that regard.

EDIT: I see in the code that the safe (restricted) path is set to the following hardcoded paths:

/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
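
The matching behaviour discussed in this thread, as an added C sketch that is not OpenDoas source code: it assumes the rule's `cmd` is compared to the typed command as a literal string (consistent with what the thread reports) and that a bare name is then searched only in the six directories listed above. The function names `rule_cmd_matches` and `resolve_safe` are hypothetical.

```c
/* Added illustration: a simplified model, not OpenDoas source code. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directories listed in the thread as the hardcoded restricted path. */
static const char *SAFE_DIRS[] = {
    "/bin", "/sbin", "/usr/bin", "/usr/sbin",
    "/usr/local/bin", "/usr/local/sbin", NULL
};

/* Assumption: the rule's cmd is compared to the typed command as a literal
 * string. A rule without cmd (NULL) covers all commands, per doas.conf(5). */
int rule_cmd_matches(const char *rule_cmd, const char *typed)
{
    return rule_cmd == NULL || strcmp(rule_cmd, typed) == 0;
}

/* Resolve the typed command the way a PATH search over SAFE_DIRS would.
 * Names containing '/' are not searched. Returns 0 and fills out, or -1. */
int resolve_safe(const char *typed, char *out, size_t outlen)
{
    struct stat st;

    if (strchr(typed, '/') != NULL) {
        int n = snprintf(out, outlen, "%s", typed);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    for (size_t i = 0; SAFE_DIRS[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", SAFE_DIRS[i], typed);
        if (n < 0 || (size_t)n >= outlen)
            continue;
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && access(out, X_OK) == 0)
            return 0;
    }
    return -1;
}

int main(void)
{
    const char *rules[] = { "/usr/bin/smartctl", "smartctl" };
    const char *typed[] = { "smartctl", "/usr/bin/smartctl" };
    for (int r = 0; r < 2; r++)
        for (int t = 0; t < 2; t++)
            printf("cmd %-18s | doas %-18s -> %s\n", rules[r], typed[t],
                   rule_cmd_matches(rules[r], typed[t]) ? "rule applies" : "no match");
    return 0;
}
```

Because the search covers only the fixed directories, a same-named binary placed earlier in the invoking user's own `PATH` is never considered when a bare-name rule matches.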