yellowman / nsh

OpenBSD networking configuration shell
http://www.nmedia.net/nsh/

make the 'enable' command switch to the root user #136

Closed stspdotname closed 1 year ago

stspdotname commented 1 year ago

Make nsh re-exec itself as root when the 'enable' command is used by a non-root user. Rely on doas(1) or su(1) for authentication to root, once the enable secret, if present, has been entered correctly. A new nsh child process runs as root and starts out in privileged mode while the parent process waits for the child to exit.

A behaviour change is that the 'enable' command will fail if root access cannot be obtained. Either knowledge of the root password or lines in /etc/doas.conf such as the following are needed to enter privileged mode.

    permit keepenv user as root cmd /usr/local/bin/nsh args -e
    permit keepenv :group as root cmd /usr/local/bin/nsh args -e

Of course the above lines essentially allow arbitrary command execution as root because the nsh ! command could be used in privileged mode. We could try to restrict this, but I am not sure if trying to restrict nsh users makes a lot of sense in the current single-process design of nsh.

An absolute path to the installed nsh binary must be known at compile-time because finding the path to the executable which started a program is not possible on OpenBSD (and won't work 100% reliably on other systems either). The default rexec-path is /usr/local/bin/nsh. This default can be changed at compile-time by setting the NSH_REXEC_PATH macro in CFLAGS during the build.

No documentation updates yet as there is already extensive documentation for other approaches to running nsh as root, all of which needs to be re-considered and perhaps deprecated or removed.

The idea to have nsh re-exec itself as root during 'enable' came from claudio@
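The re-exec flow described in this pull request, sketched as an added example that is not code from the PR or from nsh: the parent runs doas(1) on the compile-time nsh path with `-e` and waits for the child. The names `run_and_wait`, `enable_as_root` and `DOAS_PATH` are hypothetical, the doas location is an assumption, and the su(1) path is left out.

```c
#include <errno.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef NSH_REXEC_PATH			/* macro and default named in the PR text */
#define NSH_REXEC_PATH "/usr/local/bin/nsh"
#endif
#define DOAS_PATH "/usr/bin/doas"	/* assumption: doas(1) location on OpenBSD */

/*
 * Hypothetical helper: exec argv[0] in a child and wait for it.
 * Returns the child's exit status, 128+signal if it was killed,
 * 127 if the exec itself failed, -1 if fork or waitpid failed.
 */
int
run_and_wait(char *const argv[])
{
	pid_t pid;
	int status;

	if ((pid = fork()) == -1)
		return -1;
	if (pid == 0) {
		execv(argv[0], argv);	/* absolute path, no PATH search */
		_exit(127);
	}
	while (waitpid(pid, &status, 0) == -1)
		if (errno != EINTR)
			return -1;
	if (WIFEXITED(status))
		return WEXITSTATUS(status);
	return WIFSIGNALED(status) ? 128 + WTERMSIG(status) : -1;
}

/* Hypothetical 'enable' path for a non-root user. */
int
enable_as_root(void)
{
	/* Must be exactly "<path> -e" to match "cmd <path> args -e" in doas.conf. */
	char *const argv[] = { DOAS_PATH, NSH_REXEC_PATH, "-e", NULL };

	return geteuid() == 0 ? 0 : run_and_wait(argv);
}

int
main(void)
{
	return enable_as_root();
}
```

Because doas.conf matches both `cmd` and `args`, a binary installed somewhere other than `NSH_REXEC_PATH`, or any extra argument, makes the rule not apply and the elevation fail.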