dos-sudo-shim : sudo is by default insecure.. use doas

[mckaygerhard]

Is your feature request related to a problem? Please describe.

sudo is insecure by default.. distros like alpine very famous by security focused uses doas now

Describe the solution you'd like

change sudo invokation, dont use sudo

Describe alternatives you've considered

change any su** by doas https://packages.debian.org/search?searchon=names&keywords=doas invocation, OMV now does not allows GUI installed so we can use it without problems

Additional context

There is also doas-sudo-shim that emulates almost 99% of su** at https://github.com/jirutka/doas-sudo-shim

[votdev]

Actually a good idea, but the OMV project has no control over whether Debian derivatives like Raspberry Pi OS, Armbian or Debian itself install the package in their distributions. Therefore it makes little sense for OMV to support another tool. OMV can also not simply uninstall the sudo package as this will cause scripts of ARM distributions to stop working.

Other packages that are installed via dependencies or by the user can have sudo package dependencies themselves. This is beyond the control of OMV. If OMV now uses doas, sudo is still installed, which increases the attack surface. Also, the doas package in Debian is probably not yet a drop-in replacement for sudo.

Note that OMV is not a distribution but is installed on top of other distributions. Because of that i think it makes no sense to use doas in OMV when the distros on which OMV is installed are still based and require sudo.

[mckaygerhard]

It's a matter of time men°! It's a matter of time! so be prepared!

sudo has a bunch of security problems across time, doas due much simpler is by default full secure

you cited packages that installed sudo.. that is not true, only GUI packages forces sudo.. and none of package need per se sudo, this is easy to see

[mckaygerhard]

i change it by doas-sudo-shim and seems works perfectly.. i tested only oficial plugins. seems command is uses only in few cases so i dont know about OMV-extras plugins

seems the change is just in the depdnency of packjage, so to do the trick i pinned a new package made by me names "doas-sudo-shim" over the one, this package provides the one and then ctdb and openmediavault just install without problems and any other package also installs perfectly

[ryecoaaron]

This is not a ticking timebomb. I work in the enterprise and we have done MANY security audits. sudo is not a problem. Sure it can be configured to be bad. In its default install on Debian, no one has sudo privileges. If an OMV user just adds a user to the sudo group, this is quite safe if they have a secure password.

[votdev]

I think I have explained in detail why I decided against the proposal. Since sudo is the de facto standard in the Linux world, more eyes will be on the tool. In case of a security problem, this will certainly be fixed faster than anywhere else.

Another point i don't like is that the Debian package is a fork of a fork and then not even from the original OpenBSD author. I have more confidence in the sudo package.

As Aaron has already described, the problem usually lies in front of the screen. Even doas can be configured by a user in such a way that it is wrong.

This concludes the discussion on my part.

[mckaygerhard]

ok no problem but clarification: sudo is not the de facto standard in the Linux world, only promoted by Canonical and Redhat/Suse.. and due most developer of Canonical are also in debian it was adopted since Debian sarge due the massive migration of etch release package mantainers..

[ryecoaaron]

Debian, Ubuntu, Suse, Redhat are the the four largest Linux distros along with their many derivatives. After 26+ years of using Linux, I don't know how a de facto standard is set in the Linux world but if the four largest distros are using it, that tells me something.