openzfs / openzfs-docs

OpenZFS Documentation
https://openzfs.github.io/openzfs-docs/

NixOS: use sudo as the default over doas #416

Closed mariaa144 closed 1 year ago

mariaa144 commented 1 year ago

I think more people are going to be familiar with sudo and might be confused if doas is installed instead of sudo. I would go with sudo as the default.

ghost commented 1 year ago

sudo has had multiple security breaches in the past. https://lwn.net/Articles/844257/

Many have recommended the much simpler and better audited doas as a replacement. Also, we should not judge the choice solely on whether it would cause confusion or not, such as "zfs is confusing to use, let's just use ext4 instead".

I suggest that an alias from sudo to doas should be added. What do you think?


mariaa144 commented 1 year ago

I think an alias would be more confusing. I would keep it as is, if you want to stick with doas as the default. I just like sudo better and I figure a lot of people will as well. It's just my opinion.

When I use doas it doesn't cache my password temporarily. Is that by design? That's why I switched right away. I also couldn't find a way to do sudo -i to go into the root user with doas. I wanted to just use doas to get an interactive prompt as the root user but I couldn't figure out how.

ghost commented 1 year ago

> When I use doas it doesn't cache my password temporarily. Is that by design?

I think that's by design. However I do not have sources to back up my claim.

> That's why I switched right away. I also couldn't find a way to do sudo -i to go into the root user with doas.

That would be 'doas -s'.

ghost commented 1 year ago

> When I use doas it doesn't cache my password temporarily. Is that by design?

I just found some information on this. Quote from Arch Linux wiki:

> Tips and tricks, doas persist feature.
>
> doas provides a persist feature: after the user successfully authenticates, they will not be prompted for a password again for some time. It is disabled by default; enable it with the persist option:
>
> /etc/doas.conf
>
> permit persist :wheel
>
> Note: The persist feature is disabled by default because it is new and potentially dangerous. In the original doas, a kernel API is used to set and clear timeouts. This API is OpenBSD specific and no similar API is available on other operating systems. As a workaround, the persist feature is implemented using timestamp files similar to sudo.
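
An added example, not part of the original thread and not code from the OpenZFS or doas projects: a small Python checker that parses doas.conf rules and reports permit rules that use persist or nopass, so the effect of enabling the option quoted above can be reviewed. The sample configuration, the user names and the helper names parse_rule and audit are constructed for illustration; the rule grammar follows doas.conf(5).

```python
import shlex

OPTIONS = {"nopass", "nolog", "persist", "keepenv", "setenv"}  # per doas.conf(5)
RISKY = {"persist", "nopass"}  # options that relax password prompting

def parse_rule(line):
    """Parse one doas.conf line into a dict; None for blank or comment lines."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    options = []
    while rest and rest[0] in OPTIONS:
        options.append(rest.pop(0))
        if options[-1] == "setenv":
            # Skip the "{ VAR=value ... }" block that follows setenv.
            while rest and not rest.pop(0).endswith("}"):
                pass
    if not rest:
        raise ValueError("rule has no identity")
    rule = {"action": action, "options": options, "identity": rest.pop(0),
            "target": None, "cmd": None}
    if rest[:1] == ["as"] and len(rest) >= 2:
        rule["target"], rest = rest[1], rest[2:]
    if rest[:1] == ["cmd"] and len(rest) >= 2:
        rule["cmd"] = rest[1]  # None means the rule covers every command
    return rule

def audit(conf_text):
    """Return (line, option, identity, cmd) for each risky option on a permit rule."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule and rule["action"] == "permit":
            findings += [(lineno, opt, rule["identity"], rule["cmd"])
                         for opt in rule["options"] if opt in RISKY]
    return findings

# Constructed sample; only the first rule appears in the thread.
SAMPLE = """\
permit persist :wheel
permit nopass keepenv alice as root cmd /usr/bin/zpool args status
permit setenv { PATH=/usr/bin } bob
deny :guests
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A finding whose last field is None applies to every command the identity may run, which is the case for the `permit persist :wheel` rule quoted above.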

SuperSandro2000 commented 1 year ago

I think it is completely out of scope of the zfs docs to suggest a program to manage sudo permissions, this should be part of some guide or the nixos wiki.

ghost commented 1 year ago

Please move this issue and all issues related to the template configuration to my repo. The OpenZFS-docs repo is exclusively used to track disk partitioning and ZFS dataset layout issues.

ghost commented 1 year ago

> I think it is completely out of scope of the zfs docs to suggest a program to manage sudo permissions, this should be part of some guide or the nixos wiki.

I should mention that, in the guide, by default, a non-root user is not even added. The point is moot.