Duncaen / OpenDoas

A portable fork of the OpenBSD `doas` command

ordering of rules affects operation #99

Closed nekopsykose closed 2 years ago

nekopsykose commented 2 years ago

example:

sakura [~]# cat /etc/doas.conf
# This file is actually located at /etc/doas.d/doas.conf, and reflects
# the system doas configuration.  It may have been migrated from its
# previous location, /etc/doas.conf, automatically.
# see doas.conf(5) for configuration details
#

permit nopass root
permit persist :wheel

permit nopass acme cmd service args nginx reload
sakura [~]# doas -u acme /usr/local/bin/acme-update-certs 
doas (root@sakura.ayaya.dev) password: 

sakura [~]# vim /etc/doas.conf
sakura [~]# cat /etc/doas.conf
# This file is actually located at /etc/doas.d/doas.conf, and reflects
# the system doas configuration.  It may have been migrated from its
# previous location, /etc/doas.conf, automatically.
# see doas.conf(5) for configuration details
#

permit persist :wheel
permit nopass root

permit nopass acme cmd service args nginx reload
sakura [~]# doas -u acme /usr/local/bin/acme-update-certs 
info: starting cert renewal at: Mon Apr 18 16:50:37 UTC 2022
info: getting cert for img.ayaya.dev
uacme: version 1.7.1 starting on Mon, 18 Apr 2022 16:50:37 +0000
uacme: loading key from /etc/ssl/uacme/private/key.pem

(placing the nopass root before the persist :wheel makes it not apply anymore, and root still needs a password to doas as others)

i noticed this a while ago, but i didn't realise it might be a bug until another user reported something similar on the alpine mailing list: https://lists.alpinelinux.org/~alpine/users/%3CYlzPobImpOvbm01m%40ws%3E

(version 6.8.2, from alpine edge, in my case. it does contain our doas.d patch, so maybe that breaks it, i did not check vanilla doas yet)

nekopsykose commented 2 years ago

update: reproduced on latest master, without the alpine patch, built with:

./configure \
  --prefix=/usr \
  --without-pam \
  --with-timestamp
make
make install

nekopsykose commented 2 years ago

ah, reading the manpage again:

The last matching rule determines the action taken. If no rule matches, the action is denied.

i guess it's not actually an error then, and this behaviour is intended. oh well..
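To make the "last matching rule wins" semantics from doas.conf(5) concrete, here is an added Python model of rule evaluation (not OpenDoas' own code, which is C) that replays the two rule orders from this issue; the GROUPS table is a constructed stand-in for the system group database and assumes root is a member of wheel.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
# Constructed group table standing in for getgrnam(): root is in wheel here,
# which is what makes the ":wheel" rule match root in the issue above.
GROUPS = {"wheel": {"root"}}
OPTIONS = {"nopass", "persist", "keepenv"}  # subset of the doas.conf(5) options

@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    identity: str                     # user name or ":group"
    options: Set[str] = field(default_factory=set)
    cmd: Optional[str] = None         # "cmd <command>" clause
    args: Optional[List[str]] = None  # "args ..." clause (exact match on argv[1:])
    def matches(self, user: str, argv: List[str]) -> bool:
        ident = self.identity
        ok = user in GROUPS.get(ident[1:], set()) if ident.startswith(":") else ident == user
        ok = ok and (self.cmd is None or (len(argv) > 0 and self.cmd == argv[0]))
        return ok and (self.args is None or self.args == argv[1:])

def parse_config(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not tok: continue
        i, opts = 1, set()
        while tok[i] in OPTIONS:            # options sit between action and identity
            opts.add(tok[i]); i += 1
        rule = Rule(tok[0], tok[i], opts); i += 1
        while i < len(tok):                 # optional "cmd" and "args" clauses
            if tok[i] == "cmd": rule.cmd = tok[i + 1]; i += 2
            elif tok[i] == "args": rule.args = tok[i + 1:]; i = len(tok)
            else: raise ValueError(f"unexpected token {tok[i]!r} in {raw!r}")
        rules.append(rule)
    return rules

def evaluate(rules: List[Rule], user: str, argv: List[str]) -> Tuple[str, Set[str]]:
    decision = ("deny", set())              # no matching rule at all -> denied
    for r in rules:
        if r.matches(user, argv):
            decision = (r.action, r.options)  # a later match overrides an earlier one
    return decision

def needs_password(config: str, user: str, argv: List[str]) -> bool:
    action, opts = evaluate(parse_config(config), user, argv)
    return action == "permit" and "nopass" not in opts  # persist caching not modelled

# The two rule orders from the issue above, without the header comments.
CONFIG_FIRST = "permit nopass root\npermit persist :wheel\npermit nopass acme cmd service args nginx reload\n"
CONFIG_SECOND = "permit persist :wheel\npermit nopass root\npermit nopass acme cmd service args nginx reload\n"
```

With CONFIG_FIRST the `persist :wheel` line is the last match for root, so a password is required; swapping the two lines makes `nopass root` the last match, which is exactly the behaviour seen in the two terminal sessions.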