ghostbsd / networkmgr

NetworkMgr is a Python GTK3 network manager for FreeBSD, GhostBSD, TrueOS and DragonFlyBSD
BSD 3-Clause "New" or "Revised" License

doas.conf without full path #9

Closed mirehi closed 6 years ago

rakor commented 6 years ago

Having no full paths for the cmd set in doas.conf means that every user permitted to run the command can run any script with root privileges. So in your example every user being in :wheel can run anything with root privileges without being prompted for a password. All she has to do is change her own $PATH to show up the prepared script first. Try the following:

```sh
echo -e "#!/bin/sh\necho Who am I?\nid" > /tmp/netcardmgr
chmod 777 /tmp/netcardmgr
PATH=/tmp:$PATH doas netcardmgr
```
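
A check for the misconfiguration described in the comment above, as an added example that is not part of the original thread, NetworkMgr or doas: it scans doas.conf text for `permit` rules whose `cmd` is not an absolute path. The sample configuration is constructed, and tokenizing with Python's `shlex` only approximates the doas.conf grammar.

```python
import shlex

# Constructed sample doas.conf for illustration (not taken from the project).
SAMPLE_CONF = """\
# network manager helper
permit nopass keepenv :wheel cmd netcardmgr
permit nopass :wheel cmd /usr/local/bin/netcardmgr
permit persist :wheel
permit nopass setenv { PATH=/usr/bin:/bin } :operator as root cmd ifconfig args wlan0 up
"""


def rule_tokens(line):
    """Tokenize one line, dropping comments and the contents of setenv { ... }."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quote: not a rule this sketch can judge
        return []
    out, depth = [], 0
    for tok in tokens:
        if tok.startswith("{"):
            depth += 1
        if depth == 0:
            out.append(tok)
        if tok.endswith("}"):
            depth = max(depth - 1, 0)
    return out


def audit_doas_conf(text):
    """Return (line_no, command, nopass) for permit rules with a non-absolute cmd."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        tokens = rule_tokens(line)
        if not tokens or tokens[0] != "permit" or "cmd" not in tokens:
            continue
        idx = tokens.index("cmd")
        if idx + 1 >= len(tokens):  # "cmd" with nothing after it
            continue
        command = tokens[idx + 1]
        if not command.startswith("/"):
            # Options such as nopass precede the identity, hence precede "cmd".
            findings.append((line_no, command, "nopass" in tokens[:idx]))
    return findings


if __name__ == "__main__":
    for line_no, command, nopass in audit_doas_conf(SAMPLE_CONF):
        note = " (nopass)" if nopass else ""
        print(f"line {line_no}: cmd '{command}' is not an absolute path{note}")
```
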

rakor commented 6 years ago

The problem should be gone (haven't tested yet). https://github.com/slicer69/doas/pull/13