Closed Tunoac closed 2 years ago
Use the path search, don't specify the absolute path, this way it will allow to execte the program from the "safe" path or the path you define with setenv
.
See man doas.conf
:
cmd command The command the user is allowed or denied to run. The
default is all commands. Be advised that it is best to
specify absolute paths. If a relative path is specified,
only a restricted PATH will be searched.
@Duncaen Could you elaborate how this restricted/safe PATH is derived? I've looked into the man pages, but found nothing in that regard.
EDIT I see in the code that the safe (restricted) path is set to the following hardcoded paths:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
Coming from sudo, a config like
%plugdev ALL=(ALL:ALL) NOPASSWD: /usr/bin/smartctl
allows a user to executesudo smartctl
without password.The same in doas, a config like
permit nopass :plugdev as root cmd /usr/bin/smartctl
requiresdoas /usr/bin/smartctl
with full path on the command line, without full path it does not work.Is this behaviour a bug, configurable or by design ?