Duncaen / OpenDoas

A portable fork of the OpenBSD `doas` command

Is it possible to emulate this sudo command with doas #83

Closed NapoleonWils0n closed 2 years ago

NapoleonWils0n commented 2 years ago

Hi Mate

More of a question than an issue.

I have a script that runs sudo with the ip command and netns to run an application in another network namespace.

So I can run `namespace firefox` (namespace is the name of the script) and it then runs that application in the vpn network namespace.

The ip command is run with sudo, then I run sudo with the `-u "$whoami"` option to run the rest of the command as my user so that firefox runs as my user and not as root.

This is the namespace script I use:

```sh
#!/bin/sh
# run "$@" inside the vpn network namespace, then drop back to the invoking user
sudo ip netns exec vpn sudo -u "$(whoami)" -- "$@"
```

And in my sudoers file I have this line:

```
djwilcox ALL=(ALL:ALL) NOPASSWD: /usr/bin/ip netns exec vpn sudo -u djwilcox -- *
```

I've been trying variations on this command without any luck:

```sh
doas ip netns exec vpn doas -u "$(whoami)" -- "$@"
```

The issue is running doas as root and executing a command, and then running doas again as my user and executing another command, if that makes sense.

Thought I'd check if it's possible rather than banging my head against the wall.

I'm running Ubuntu 20.04 and manually built and installed doas, because it's not in the repo, but I see that doas is in the 21.10 repo (congrats on that).

I was going to make a YouTube video about OpenDoas and how to manually build it or install it from your repo if it's in, and some of the useful options like running apt update and upgrade without a password.

my doas.conf

And have as happy a Christmas as possible.

Quick tip:

I use emacs with tramp and doas and my shell is zsh. I found that the doas prompt in emacs would time out with my shell set to zsh.

So setting my shell to /usr/bin/sh in my emacs config fixed the issue with the doas prompt not working:

```elisp
(eval-after-load 'tramp '(setenv "SHELL" "/usr/bin/sh"))
```

Duncaen commented 2 years ago

Not really possible because doas does not support pattern matching on arguments. If that is not what you are trying to "emulate", then you are probably missing a rule to allow root to switch to the specific user.

NapoleonWils0n commented 2 years ago

Cheers for clearing that up. The issue is running a command as root and then running another command as a regular user.

Not to worry, I can keep sudo around for that one script and use doas for everything else.

I find doas particularly useful to run apt update and upgrade, mount and unmount drives and use with the zfs and zpool commands.

Duncaen commented 2 years ago

> the issue is running a command as root and then running another command as a regular user

This works if you add a rule that allows the user to run something as root and then another one that allows root to execute something as user. The only thing that does not work is pattern matching the arguments.

NapoleonWils0n commented 2 years ago

If I create a simple script like this with whoami and run it with doas:

```
doas thescript
```

```sh
#!/bin/sh
whoami && doas -u djwilcox whoami
```

I get this output:

```
root
doas: Operation not permitted
```

So obviously the script is run as root as shown by the first whoami, but I can't then run doas as another user and execute whoami as that user.

Is that because of the pattern matching in the arguments?

Duncaen commented 2 years ago

No that's because you have no rule that allows root to switch to any or the specific user.

NapoleonWils0n commented 2 years ago

So I need a rule in my doas.conf that allows root to switch to my user.

I tried this but no joy:

```
permit root cmd doas args -u djwilcox
```

I have been through lots of permutations, I just haven't found the right one yet.

Duncaen commented 2 years ago

One of the following:

```
permit root
permit root as djwilcox
```

NapoleonWils0n commented 2 years ago

Eureka, got it working :)

Added the following to my doas.conf:

```
permit nopass root as djwilcox
```

Otherwise I'd have to type my root password.

And added the following to my namespace script:

```sh
#!/bin/sh
# run as root (via doas); root is permitted to switch back to djwilcox
ip netns exec vpn doas -u djwilcox -- "$@"
```

So now I can run: `doas namespace firefox`

And it runs firefox in a separate vpn network namespace, or any other command I specify. I use the command in a .desktop file to launch firefox in a vpn network namespace.

I have the following in my doas.conf so I can run the namespace command without a password:

```
permit nopass djwilcox cmd namespace
```

One thing I did notice is that if I change the script to

```sh
#!/bin/sh
doas ip netns exec vpn doas -u djwilcox -- "$@"
```

and then run: `namespace firefox`

it prompts me for my password. I guess you can't have doas in the script and have to prefix the command with doas for the nopass option to work.

I'm just lazy and it's easier to type `namespace firefox` than `doas namespace firefox`.

Many thanks for your help mate, I can completely switch to doas now.

I'm going to make a video about OpenDoas and how to build and install it and the advantages over sudo.

DistroTube on YouTube covered doas but it was the slicer69 port, which isn't going to be in the Ubuntu repos and has a different syntax than OpenDoas.

I was going to cover how to allow users and groups and the different syntax (groups are prefixed with : and users aren't), and how to allow a single command or a command with arguments.

doas doesn't have a visudo mode like sudo to check the syntax in case you make an error, so if you make a typo and save the doas.conf file it's easy to lock yourself out.

My solution is to have 2 terminals open (or use tmux) and make changes in the doas.conf file and save but don't exit the editor, and then in another terminal check the doas config by running

```
doas -C /etc/doas.conf
```

and if you get an error you still have the doas.conf file open in the editor and can fix the issue and then save and close the file. Or is there a better way?

Am I right in thinking if you use args you have to specify the exact argument and can't use wildcards?

I have a script which I have got working with doas with the following rule:

```
permit nopass djwilcox cmd vpn-netns
```

The actual command I run in the terminal would be:

```
doas vpn-netns -a auth.txt -c us_west.ovpn
```

If I specify the name of the ovpn file in my doas.conf it works:

```
permit nopass djwilcox cmd vpn-netns args -a auth.txt -c us_west.ovpn
```

What I was wondering is if you can use a wildcard as an option:

```
permit nopass djwilcox cmd vpn-netns args -a auth.txt -c *.ovpn
```

It's not really an issue as I can just run the command without specifying the args, but I was just curious if it's possible.

Again many thanks for your help and have a happy Christmas.

Is there anything you'd like me to mention about OpenDoas in the video?
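The three behaviours discussed in this thread (the `permit root cmd doas args -u djwilcox` rule giving "Operation not permitted", the password prompt when doas is called from inside the script, and `args` not accepting wildcards) all follow from how doas matches rules. The toy model below is an added illustration written for this thread, not OpenDoas code: it only models permit/deny, nopass, `as`, `cmd` and literal `args`, matches user names only (no `:group` identities), and the config strings are constructed to mirror the thread (`djwilcox` is the user from the thread).

```python
# Toy model of OpenDoas rule matching, added for this thread (not the project's
# code): permit/deny, nopass, 'as target', 'cmd', exact 'args', last match wins.
import shlex

def parse_rule(line):
    """Turn one doas.conf line into a dict; groups (':name') are not modelled."""
    tok = shlex.split(line)
    rule = {"permit": tok.pop(0) == "permit", "nopass": False,
            "target": None, "cmd": None, "args": None}
    while tok[0] in ("nopass", "persist", "keepenv"):
        rule[tok.pop(0)] = True            # only nopass matters in this model
    rule["identity"] = tok.pop(0)
    if tok[:1] == ["as"]:
        rule["target"] = tok[1]; tok = tok[2:]
    if tok[:1] == ["cmd"]:
        rule["cmd"] = tok[1]; tok = tok[2:]
        if tok[:1] == ["args"]:
            rule["args"] = tok[1:]         # [] means: no arguments allowed
    return rule

def matches(rule, user, target, argv):
    """Does the rule apply to `user` running `argv` as `target`?"""
    if rule["identity"] != user:
        return False
    if rule["target"] is not None and rule["target"] != target:
        return False
    if rule["cmd"] is not None:
        if rule["cmd"] != argv[0]:         # the command doas would exec, as typed
            return False
        if rule["args"] is not None and rule["args"] != argv[1:]:
            return False                   # args are literal: no wildcards
    return True

def decide(conf, user, target, argv):
    """Return 'permit', 'permit nopass' or 'deny', like `doas -C conf cmd`."""
    last = None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and matches(rule := parse_rule(line), user, target, argv):
            last = rule                    # last matching rule wins
    if last is None or not last["permit"]:
        return "deny"
    return "permit nopass" if last["nopass"] else "permit"

# Constructed configs mirroring the thread (djwilcox is the thread's user).
CONF_FIRST_TRY = "permit root cmd doas args -u djwilcox\n"
CONF_WORKING = ("permit djwilcox\n"
                "permit nopass root as djwilcox\n"
                "permit nopass djwilcox cmd namespace\n")
CONF_ARGS = "permit nopass djwilcox cmd vpn-netns args -a auth.txt -c *.ovpn\n"
```

The inner doas evaluates the command it is about to run (`whoami`, not `doas`), so a `cmd doas` rule never matches; and when the script itself calls `doas ip ...`, the command being matched is `ip`, which no nopass rule covers.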