duncaen / opendoas Goto Github PK

View Code? Open in Web Editor NEW

This project forked from nholstein/opendoas

593.0 15.0 34.0 245 KB

A portable fork of the OpenBSD `doas` command

License: Other

Makefile 0.84% C 86.03% Yacc 6.35% Roff 6.78%

doas

opendoas's Introduction

OpenDoas: a portable version of OpenBSD's `doas` command

doas is a minimal replacement for the venerable sudo. It was initially written by Ted Unangst of the OpenBSD project to provide 95% of the features of sudo with a fraction of the codebase.

Building and Installation Warnings

There are a few steps you have to carefully consider before building and installing OpenDoas:

There are fewer eyes on random doas ports, just because sudo had a vulnerability does not mean random doas ports are more secure if they are not reviewed or PAM is configured incorrectly.
- If you want to use PAM; You have to configure PAM and failing to do so correctly might leave a big open door.
Use the configure script.
Use the default make target.
If you really want to install a setuid binary that depends on PAM being correctly configured, use the make install target to install the software.

About the OpenDoas Port

This is not an official port/project from OpenBSD!

As much as possible I've attempted to stick to doas as tedu desired it. As things stand it's essentially just code lifted from OpenBSD with PAM or shadow based authentication glommed on to it.

Compatibility functions in libopenbsd come from OpenBSD directly (strtonum.c, reallocarray.c, strlcpy.c, strlcat.c), from openssh (readpassphrase.c) or from sudo (closefrom.c).

The PAM and shadow authentication code does not come from the OpenBSD project.

PAM Configuration

I will not ship PAM configuration files, they are distribution specific and its simply not safe or productive to ship and install those files.

If you want to use OpenDoas on your system and there is no package that ships with a working PAM configuration file, then you have to write and test it yourself.

A good starting point is probably the distribution maintained /etc/pam.d/sudo file.

Persist/Timestamp/Timeout

The persist feature is disabled by default and can be enabled with the --with-timestamp configure flag.

This feature is new and potentially dangerous, in the original doas, a kernel API is used to set and clear timeouts. This API is OpenBSD specific and no similar API is available on other operating systems.

As a workaround, the persist feature is implemented using timestamp files similar to sudo.

See the comment block in timestamp.c for an in-depth description on how timestamps are created and checked to be as safe as possible.

opendoas's People

Contributors

Stargazers

Watchers

opendoas's Issues

Support for bash-completion

Can you please add support for bash-completion to OpenDoas. Would anyone be interested in setting this up? That would really help in making doas a good drop-in alternative for sudo. I have already opened a bug report in Debian and an issue in bash-completion.

permit extended command

What is the correct syntax to permit a command like

/usr/bin/xi -Su

in doas.conf?
If I try with single quotation marks ' it gives an error.

stat -c %a /etc/doas.conf
440

cat /etc/doas.conf
permit :wheel
permit nopass dkwo cmd /usr/bin/brightness
permit nopass dkwo cmd /usr/bin/reboot
permit nopass dkwo cmd /usr/bin/poweroff

Thanks.

please support systemd-homed

sudo already does that

Build failure due to warning

When bsd_auth is not available, build fails due to login_style being an unused variable.

getpwuid_r failed: no such file or directory

Hi, I am trying to use opendoas with /etc/shadow, but I am getting the error: doas: getpwuid_r failed: No such file or directory.
I can reproduce the error with the example program from the getpwuid_r documentation. However, while trying to build that, I noticed the following linker warning:

warning: Using 'getpwnam_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

I am not very familiar with this, is there a way I can statically compile opendoas and not need to include shared libraries on the target machine?

Publish release signatures

Can you publish release signatures please?

/etc/doas.conf syntax error if not ends with new line

Better be fixed or if it's intended behavior then mention it in man page

Researching how to configure PAM.d for Manjaro Linux to be used with Opendoas

I've been reading through the arch wiki trying to determine the approach to configure pam.d to work with Opendoas. So far I have seen comments to use the /etc/pam.d/sudo (e.g. cp /etc/pam.d/sudo /etc/pam.d/doas).

/etc/pam.d/sudo Contents fro Manjaro Gnome:

#%PAM-1.0

auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
auth		include		system-auth
account		include		system-auth
session		include		system-auth

/etc/doas.conf

permit testuser as root

Question:

(1) How do I determine what configuration lines should be kept in this file?

(2) I am aware as I go down the road of testing I will be trying to:
(a) Sign in as a non Root user.
(b) Sign in as Root.
(c) Sign in with the finger print reader.
(d) Install applications with doas.
(e) Run System Update (doas -- pacman -Syyu).
(f) Repeat all tests (A to E) with sudo uninstalled.

Are there other tests I should run?

Source:
https://likegeeks.com/linux-pam-easy-guide/
https://wiki.archlinux.org/index.php/List_of_applications/Security

OpenDoas keepenv on macOS

Hi
doas.conf contains the line -' permit keepenv grylem as root'
But vim does not recognize .vimrc etc in grylem $HOME if run 'doas vim file'
Regards.

What is the difference between opendoas and the doas in AUR?

Are they different?

New release

Excellent work on OpenDoas!

Are there any plans for a new release in the near future, and/or are there any outstanding issues blocking a release?

persist option does not work

I am using this config:

permit persist keepenv arctic as root

Though when I try to use doas multiple times in a row I have to enter my password every time still.
I am using version 6.6.1 installed from Gentoo repos.

pipeline sensitive data to doas, like sudo

Hi,

How can I convert this 'echo ', Password, ' | sudo -S sh -c "command"' line, to work with doas?

Regards

OpenDoas keeps current PATH variable

OpenDoas version: 6.8
System: Gentoo, Debian 10
/etc/doas.conf content: permit :wheel

man doas says that variable PATH is set to value appropriate for the target user, but current value preserves:

user@gentoo /etc
> $ env | grep ^PATH
PATH=/home/user/.local/bin:/home/user/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/lib/llvm/10/bin

user@gentoo /etc
> $ doas env | grep ^PATH
doas (user@gentoo) password:
PATH=/home/user/.local/bin:/home/user/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/lib/llvm/10/bin

expected value:

user@gentoo /etc
> $ su -l
Password:
gentoo ~ # env | grep ^PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/lib/llvm/10/bin

A few werror issues

gcc 6.1.1
glibc 2.24

Normally I'd just turn off -Werror but felt you should probably know about these issues since you're including it by default.

Environments:

CPPFLAGS="-D_FORTIFY_SOURCE=2"
CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto"
LDFLAGS="-flto -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"

Building with ./configure --prefix=/usr and running make.

Checking for explicit_bzero ...     no.
Checking for strlcat ...        no.
Checking for strlcpy ...        no.
Checking for errc ...           no.
Checking for verrc ...          no.
Checking for setprogname ...        no.
Checking for readpassphrase ...     no.
Checking for strtonum ...       no.
Checking for reallocarray ...       no.
Checking for bsd_auth_h ...     no.
Checking for pam_appl_h ...     no.
Checking for shadow_h ...       no.
Checking for execvpe ...        no.
Checking for setresuid ...      no.
Checking for pledge ...         no.
Checking for __attribute__ ...      no.
yacc  parse.y 
cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto -g -fvar-tracking-assignments -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -std=c11 -MD -MP -Wno-unused-result -DVERSION="\"0.3.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -DNO_ATTRIBUTE_ON_RETURN_TYPE=1 -D_FORTIFY_SOURCE=2  -c -o doas.o doas.c
cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto -g -fvar-tracking-assignments -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -std=c11 -MD -MP -Wno-unused-result -DVERSION="\"0.3.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -DNO_ATTRIBUTE_ON_RETURN_TYPE=1 -D_FORTIFY_SOURCE=2  -c -o env.o env.c
cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto -g -fvar-tracking-assignments -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -std=c11 -MD -MP -Wno-unused-result -DVERSION="\"0.3.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -DNO_ATTRIBUTE_ON_RETURN_TYPE=1 -D_FORTIFY_SOURCE=2  -c -o libopenbsd/explicit_bzero.o libopenbsd/explicit_bzero.c
mv -f y.tab.c parse.c
cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto -g -fvar-tracking-assignments -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -std=c11 -MD -MP -Wno-unused-result -DVERSION="\"0.3.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -DNO_ATTRIBUTE_ON_RETURN_TYPE=1 -D_FORTIFY_SOURCE=2  -c -o libopenbsd/strlcat.o libopenbsd/strlcat.c
cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto -g -fvar-tracking-assignments -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -std=c11 -MD -MP -Wno-unused-result -DVERSION="\"0.3.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -DNO_ATTRIBUTE_ON_RETURN_TYPE=1 -D_FORTIFY_SOURCE=2  -c -o libopenbsd/strlcpy.o libopenbsd/strlcpy.c
cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto -g -fvar-tracking-assignments -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -std=c11 -MD -MP -Wno-unused-result -DVERSION="\"0.3.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -DNO_ATTRIBUTE_ON_RETURN_TYPE=1 -D_FORTIFY_SOURCE=2  -c -o libopenbsd/errc.o libopenbsd/errc.c
cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto -g -fvar-tracking-assignments -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -std=c11 -MD -MP -Wno-unused-result -DVERSION="\"0.3.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -DNO_ATTRIBUTE_ON_RETURN_TYPE=1 -D_FORTIFY_SOURCE=2  -c -o libopenbsd/verrc.o libopenbsd/verrc.c
cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto -g -fvar-tracking-assignments -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -std=c11 -MD -MP -Wno-unused-result -DVERSION="\"0.3.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -DNO_ATTRIBUTE_ON_RETURN_TYPE=1 -D_FORTIFY_SOURCE=2  -c -o libopenbsd/progname.o libopenbsd/progname.c
cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto -g -fvar-tracking-assignments -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -std=c11 -MD -MP -Wno-unused-result -DVERSION="\"0.3.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -DNO_ATTRIBUTE_ON_RETURN_TYPE=1 -D_FORTIFY_SOURCE=2  -c -o libopenbsd/readpassphrase.o libopenbsd/readpassphrase.c
cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto -g -fvar-tracking-assignments -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -std=c11 -MD -MP -Wno-unused-result -DVERSION="\"0.3.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -DNO_ATTRIBUTE_ON_RETURN_TYPE=1 -D_FORTIFY_SOURCE=2  -c -o libopenbsd/strtonum.o libopenbsd/strtonum.c
cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto -g -fvar-tracking-assignments -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -std=c11 -MD -MP -Wno-unused-result -DVERSION="\"0.3.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -DNO_ATTRIBUTE_ON_RETURN_TYPE=1 -D_FORTIFY_SOURCE=2  -c -o libopenbsd/reallocarray.o libopenbsd/reallocarray.c
cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -flto -g -fvar-tracking-assignments -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -std=c11 -MD -MP -Wno-unused-result -DVERSION="\"0.3.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -DNO_ATTRIBUTE_ON_RETURN_TYPE=1 -D_FORTIFY_SOURCE=2  -c -o libopenbsd/execvpe.o libopenbsd/execvpe.c
In file included from env.c:19:0:
env.c:47:20: error: ‘envtree_RB_PREV’ defined but not used [-Werror=unused-function]
 RB_GENERATE_STATIC(envtree, envnode, node, envcmp)
                    ^
./libopenbsd/sys-tree.h:687:1: note: in definition of macro ‘RB_GENERATE_INTERNAL’
 name##_RB_PREV(struct type *elm)     \
 ^~~~
env.c:47:1: note: in expansion of macro ‘RB_GENERATE_STATIC’
 RB_GENERATE_STATIC(envtree, envnode, node, envcmp)
 ^~~~~~~~~~~~~~~~~~
env.c:47:20: error: ‘envtree_RB_NFIND’ defined but not used [-Werror=unused-function]
 RB_GENERATE_STATIC(envtree, envnode, node, envcmp)
                    ^
./libopenbsd/sys-tree.h:644:1: note: in definition of macro ‘RB_GENERATE_INTERNAL’
 name##_RB_NFIND(struct name *head, struct type *elm)   \
 ^~~~
env.c:47:1: note: in expansion of macro ‘RB_GENERATE_STATIC’
 RB_GENERATE_STATIC(envtree, envnode, node, envcmp)
 ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make: *** [<builtin>: env.o] Error 1
make: *** Waiting for unfinished jobs....
doas.c: In function ‘main’:
doas.c:238:6: error: variable ‘nflag’ set but not used [-Werror=unused-but-set-variable]
  int nflag = 0;
      ^~~~~
cc1: all warnings being treated as errors
make: *** [<builtin>: doas.o] Error 1
libopenbsd/execvpe.c: In function ‘execvpe’:
libopenbsd/execvpe.c:58:5: error: nonnull argument ‘name’ compared to NULL [-Werror=nonnull-compare]
  if (name == NULL || *name == '\0') {
     ^
cc1: all warnings being treated as errors
make: *** [<builtin>: libopenbsd/execvpe.o] Error 1
rm parse.c

I'd claim a lot of these warnings are a bit too pendantic, such as non-null comparisons, but such is gcc these days.

How to add time-stamp in config file?

Do I just add --time-stamp in it?
Should I add s or m behind the number? Such as 10 seconds and 2 minutes.

REQ: sssd integration

My use case: currently I have sudo configured to retrieve its rules from FreeIPA via sssd/nss. I'd like to replace sudo. As I had to recompile sudo with "--with-sssd", I assume there is something that needs to happen in doas to achieve this.

I haven't looked at the sudo source yet. I also assume support would be needed from the sssd and FreeIPA projects --- perhaps I have this backwards, but I thought OpenDoas would be the place to start.

Thanks for reading.

Consider preserving LANG and LC_ environments

As far as I understand it, these environments are perhaps not as necessary under OpenBSD due to their UTF-8 only approach. But I find it necessary to often preserve them as there isn't a C.UTF-8 available yet from either glibc or musl.

Would it make sense for OpenDoas to preserve these environments?

Build failure in Fedora (crypt())

On at least Fedora 28, crypt() is not defined in unistd.h (see https://sourceware.org/ml/libc-alpha/2017-08/msg01257.html and here.

Build log (after make):

CC=gcc
CFLAGS="-Wall -Werror -Wextra -pedantic -Werror -fno-builtin"

cc -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -MD -MP -Wno-unused-result -DVERSION="\"6.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -O0 -g -DHAVE_EXPLICIT_BZERO -DHAVE_REALLOCARRAY -DHAVE_EXECVPE -DHAVE_SETRESUID -DHAVE_SYSCONF -DHAVE_PROC_PID -DHAVE_DIRFD -DHAVE_FCNTL_H -DHAVE_DIRENT_H -DHAVE_SYS_DIR_H -DHAVE___ATTRIBUTE__ -DHAVE_SHADOW_H   -c -o parse.o parse.c
cc -I. -I./libopenbsd -Wall -Wextra -Werror -pedantic -MD -MP -Wno-unused-result -DVERSION="\"6.2\"" -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -DUID_MAX=60000 -DGID_MAX=60000 -O0 -g -DHAVE_EXPLICIT_BZERO -DHAVE_REALLOCARRAY -DHAVE_EXECVPE -DHAVE_SETRESUID -DHAVE_SYSCONF -DHAVE_PROC_PID -DHAVE_DIRFD -DHAVE_FCNTL_H -DHAVE_DIRENT_H -DHAVE_SYS_DIR_H -DHAVE___ATTRIBUTE__ -DHAVE_SHADOW_H   -c -o doas.o doas.c
doas.c: In function ‘authuser’:
doas.c:302:20: error: implicit declaration of function ‘crypt’; did you mean ‘chroot’? [-Werror=implicit-function-declaration]
  if (!(encrypted = crypt(response, hash)))
                    ^~~~~
                    chroot
doas.c:302:18: error: assignment to ‘char *’ from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  if (!(encrypted = crypt(response, hash)))
                  ^
cc1: all warnings being treated as errors
make: *** [<builtin>: doas.o] Error 1

how can i do "SUDO_ASKPASS" in doas?

Accept password from stdin

A flag to accept password from stdin so it can be piped in would be very helpful for using doas in scripts (for example I am working on a bash doasedit a counterpart to sudoedit for doas), would you consider adding a flag like that?

Keywords can conflict with user names

For this simple example we have a user called nopass:

# /etc/doas.conf
permit nopass nopass as wheel

Running doas -C /etc/doas.conf will result in syntax errors (syntax error at line 1).

This likely extends to all the keywords such as keepenv. Is there a workaround or is this a known limitation of the grammar?

Add support for including configuration from multiple files

Can you please add support for including rules from files in a directory (e.g. /etc/doas.d/*)? This is basically essential feature for using doas as a sudo replacement in packages.

doas thunar failing

Hi , Thunar (and all other components of xfce desktop ) cant be run with doas , running with sudo is OK.
Arch Linux , Kernel 5.10.11 , XFCE 4.16 , opendoas 6.8.1

/etc/doas.conf :

permit persist :wheel

Error log :

$ doas thunar
Invalid MIT-MAGIC-COOKIE-1 keyUnable to init server: Could not connect: Connection refused

(thunar:6902): Gtk-WARNING **: 18:03:16.326: cannot open display: :0.0
$ _

$ doas xfce4-terminal    
Invalid MIT-MAGIC-COOKIE-1 keyUnable to init server: Could not connect: Connection refused

(xfce4-terminal:7674): Gtk-WARNING **: 18:09:50.338: cannot open display: :0.0
$ _

(I'm not sure if this is fault of XFCE or Doas.)

Piping output causes doas to hang

Recetly I tried to pipe a nftables output to neovim and noticed that doas hung up. It seems piping anything causes this issue.
Try :
doas echo hello | nvim

Redirecting the output to a file (eg doas echo hello > newfile) works file though.
Is this expected behaviour?
This does not happen with sudo.

I am using opendoas 6.8.1 in arch linux.

Timestamp path gets created with primary group of user who invokes doas

When I enable the persist keyword and run doas, /run/doas gets created with the user root and the group djmattyg007. The permissions are correct (0600), so my non-privileged user account doesn't have access to the directory. It just seems strange that the group on the directory wouldn't also be root.

Doas does not handle variables well

When trying to use for example visudo with nano and doing it with sudo, sudo handles it just fine when written as sudo EDITOR=nano visudo. doas on the other hand complains doas: EDITOR=nano: command not found when attempting to run doas EDITOR=nano visudo

Timestamp are created with mode 000

I was giving a try to doas on Linux (Guix), all went well until I used persist.
The first call is fine, but the timestamp is created with mode 000 and subsequent call to doas return: doas: timestamp uid, gid or mode wrong.

Here is the state of /run/doas, after a first call using a rule with persist:

# ls -la /run/doas/
total 0
drwx------ 1 root root  62 29 janv. 09:03 .
drwxr-xr-x 1 root root 234 29 janv. 09:03 ..
---------- 1 root root   0 29 janv.  2021 11635-11635-34832-60385884-1000

Support the -v argument

Sudo has a -v argument, this allows the use of --sudoloop in yay unless there's an equivalent and I'm stupid.

Consider adding environment variables from PAM.

Get environment variables from pam modules with pam_getenvlist or pam_getenv.
Should doas keep all variables or only those that are specified in doas.conf by keepenv?

Too many PATH changes ?

Hi,

I tried to understand how the PATH is changed by opendoas. What I found is that opendoas update the path several times; the place that I found were:

OpenDoas/env.c

Line 207 in 9474e41

if (strcmp(val + 1, "PATH") == 0)
OpenDoas/env.c

Line 213 in 9474e41

if (strcmp(name, "PATH") == 0)
OpenDoas/doas.c

Line 372 in 9474e41

if (setenv("PATH", safepath, 1) == -1)

and

OpenDoas/doas.c

Line 419 in 9474e41

if (setenv("PATH", safepath, 1) == -1)

Where only the last one should matter. My understanding is that 3) become useless, because the following lines were removed in the porting from openbsd doas:

426:       if (unveilcommands(getenv("PATH"), cmd) == 0)
427:                   goto fail;

(from https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/doas/doas.c?annotate=1.89)

Instead my understanding about 1) and 2) is that there was a merging of two unrelated changes in the original "openbsd doas".

What about simplifying the code removing the unneeded PATH setting ? Then I would like to discuss how insert the /sbin and /usr/sbin paths in the PATH before invoking the command; currently if I as user don't have /usr/sbin in my path, I have to explicit it in the doas invoking if I want to call a command which is under /sbin:/usr/sbin:

$ doas /usr/sbin/reboot

instead of

$ doas reboot

But this is another story...

`make clean` requires config.mk to be present.

Hey,
make clean for some reason requires config.mk to be present, and that has caused some issues with debian packaging.
Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982065

not working for users with password set to "!" (exclamation mark)

I'm trying to port a rule from sudo to doas for an application. In sudo you can run commands as other user even when the user is disabled (has its password set to an exclamation mark). doas just freezes on such users on the nopass option. Is this intentional design of doas or a bug? Any workaround other than setting a password for the user?

`make install` doesn't work

I get:

...
+ make install DESTDIR=/home/pkgmk/work/doas/pkg
fatal: Not a git repository (or any parent up to mount point /home/pkgmk/work)
Stopping at filesystem boundary (GIT_DISCOVERY_ACROSS_FILESYSTEM not set).
cp doas .doas.chmod
chown root:wheel .doas.chmod
chmod 4511 .doas.chmod
mv .doas.chmod /home/pkgmk/work/doas/pkg/usr/bin/doas
mv: cannot move '.doas.chmod' to '/home/pkgmk/work/doas/pkg/usr/bin/doas': No such file or directory
bsd.prog.mk:28: recipe for target '/home/pkgmk/work/doas/pkg/usr/bin/doas' failed
make: *** [/home/pkgmk/work/doas/pkg/usr/bin/doas] Error 1
rm .doas.chmod
=======> ERROR: Building '/home/pkgmk/packages/doas#git-e246f9e-1.pkg.tar.xz' failed.

I was trying to build it via the CRUX Pkgfile:

# Description: OpenDoas

name=doas
version=git-e246f9e
release=1
source=(https://github.com/Duncaen/OpenDoas/archive/${version:4:13}.tar.gz)

build() {
        cd OpenDoas-${version:4:13}*
        ./configure
        make
        make install DESTDIR=$PKG
}

to easily manage this pkg.

How about to change the install target to something like this:

install:
  mkdir -p -m 0755 ${DESTDIR}${BINDIR}
  mkdir -p -m 0755 ${DESTDIR}${PAMDIR}
  mkdir -p -m 0755 ${DESTDIR}${MANDIR}/man{1,5}

  cp -f doas ${DESTDIR}${BINDIR}
  chown ${BINOWN}:${BINGRP} ${DESTDIR}${BINDIR}/doas
  chmod ${BINMODE} ${DESTDIR}${BINDIR}/doas

  cp -f ${PAM_DOAS} ${DESTDIR}${PAMDIR}/doas
  chmod 0444 ${DESTDIR}${PAMDIR}/doas/${PAM_DOAS}

  cp -f doas.1 ${DESTDIR}${MANDIR}/man1
  chmod 0444 ${DESTDIR}${MANDIR}/man1/doas.1

  cp -f doas.conf.5 ${DESTDIR}${MANDIR}/man5
  chmod 0444 ${DESTDIR}${MANDIR}/man5/doas.conf.5

yay creates new timestamp

not too sure if this is ment to happen or not but when using yay and having doas symlinked to be sudo (as yay requires sudo to be installed) it seems to create a new timestamp each time and not use the current timestamp (same issue with paru)

ZSH aliases when using doas

How should I configure setenv in doas.conf to preserve my .zshrc aliases? I have set my $ZDOTDIR to ~/.config/zsh if that's relevant at all.

Figured it out. Adding the alias doas='doas ' to my .zshrc does the trick.

Build failure on Linux

gcc 6.1.1
glibc 2.24

Using ./configure --prefix=/usr and make COPTS=-Wno-error (Why?) (I've also removed -flto from CFLAGS and LDFLAGS for a slightly better error message.)

[...SNIP...]
ar: creating libopenbsd.a
In file included from /usr/include/stdio.h:938:0,
                 from env.c:22:
/usr/include/bits/stdio2.h: In function ‘sprintf’:
/usr/include/bits/stdio2.h:33:10: error: invalid use of ‘__builtin_va_arg_pack ()’
   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       __bos (__s), __fmt, __va_arg_pack ());
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/bits/stdio2.h: In function ‘snprintf’:
/usr/include/bits/stdio2.h:64:10: error: invalid use of ‘__builtin_va_arg_pack ()’
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/bits/stdio2.h: In function ‘fprintf’:
/usr/include/bits/stdio2.h:97:10: error: invalid use of ‘__builtin_va_arg_pack ()’
   return __fprintf_chk (__stream, __USE_FORTIFY_LEVEL - 1, __fmt,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    __va_arg_pack ());
    ~~~~~~~~~~~~~~~~~
/usr/include/bits/stdio2.h: In function ‘printf’:
/usr/include/bits/stdio2.h:104:10: error: invalid use of ‘__builtin_va_arg_pack ()’
   return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/bits/stdio2.h: In function ‘dprintf’:
/usr/include/bits/stdio2.h:141:10: error: invalid use of ‘__builtin_va_arg_pack ()’
   return __dprintf_chk (__fd, __USE_FORTIFY_LEVEL - 1, __fmt,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    __va_arg_pack ());
    ~~~~~~~~~~~~~~~~~
/usr/include/bits/stdio2.h: In function ‘asprintf’:
/usr/include/bits/stdio2.h:178:10: error: invalid use of ‘__builtin_va_arg_pack ()’
   return __asprintf_chk (__ptr, __USE_FORTIFY_LEVEL - 1, __fmt,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     __va_arg_pack ());
     ~~~~~~~~~~~~~~~~~
/usr/include/bits/stdio2.h: In function ‘__asprintf’:
/usr/include/bits/stdio2.h:186:10: error: invalid use of ‘__builtin_va_arg_pack ()’
   return __asprintf_chk (__ptr, __USE_FORTIFY_LEVEL - 1, __fmt,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     __va_arg_pack ());
     ~~~~~~~~~~~~~~~~~
/usr/include/bits/stdio2.h: In function ‘obstack_printf’:
/usr/include/bits/stdio2.h:194:10: error: invalid use of ‘__builtin_va_arg_pack ()’
   return __obstack_printf_chk (__obstack, __USE_FORTIFY_LEVEL - 1, __fmt,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           __va_arg_pack ());
           ~~~~~~~~~~~~~~~~~
make: *** [<builtin>: env.o] Error 1
make: *** Waiting for unfinished jobs....
rm parse.c

command executed successfully after authentication fail

how is this possible?

sorry i have no slightest idea what steps i should have taken to debug this

opendoas 6.6-1
on arch linux

feel free to ask for any other info, i will help as much as i can

Setting rlimit

On linux su doesn't reset any rlimits, sudo sets RLIMIT_NRPOC temporarly.

From sudos source:

/*
 * Unlimit the number of processes since Linux's setuid() will
 * apply resource limits when changing uid and return EAGAIN if
 * nproc would be exceeded by the uid switch.
 */

More useful parse errors

Currently the function yyerror() could prefix the program's name, like err() does.

Seeing simply syntax error at line 1 in a stream doesn't help very much.

segfault with -L

Running doas -L causes a segfault.

check of seccomp.h

here pledge-seccomp.c:23 includes seccomp.h;

here a check includes linux/seccomp.h.

Typo ?

Is it possible to translate doas?

It is English only now.

Permissions on the doas binary

In Makefile:10 , you currently set the installed doas to be only executable. Is there a reason for that? If I'm not mistaken, openbsd themselves ship it with world-readable permissions.

"Authorization Failed" on Debian 10

For the latest release, v6.8 the install runs successfully and it is able to recognize the /etc/doas.conf file, however running any command as the non-root user results in a doas: Authorization failed error. This seems to be a regression from v6.6.1 as that version install and runs perfectly fine. This was done on a fresh Debian 10 install in a VM and I was also able to reproduce on my Ubuntu 20.04 based install.

/etc/doas.conf

permit user as root

Let me know if you need any other information.

Group ID leak when creating timestamp directory

When timestamp files are enabled, doas will by default attempt to create the timestamp directory if it doesn't already exist:

OpenDoas/timestamp.c

Lines 265 to 272 in 9a25a6d

 if (stat(TIMESTAMP_DIR, &st) == -1) { 

 if (errno != ENOENT) 

 return -1; 

 if (mkdir(TIMESTAMP_DIR, 0700) == -1) 

 return -1; 

 } else if (st.st_uid != 0 || st.st_mode != (S_IFDIR | 0700)) { 

 return -1; 

 }

The build files install doas with mode 4755, i.e. setuid root, so that the effective user ID is set to root when the binary is executed:

OpenDoas/configure

Line 135 in 9a25a6d

: ${BINMODE:=4755}

This means, however, that the process's real and effective group ID are set to that of the invoking user when doas is run. When the timestamp directory is then created, it is owned by the invoking user's primary group:

molly on flywheel ~/s/c/opendoas> # tested on Debian 10, with timestamps enabled and PAM disabled
molly on flywheel ~/s/c/opendoas> sudo chown root:root doas
molly on flywheel ~/s/c/opendoas> sudo chmod 4755 doas
molly on flywheel ~/s/c/opendoas> sudo rm -rf /run/doas
molly on flywheel ~/s/c/opendoas> ./doas true  # doas.conf contains "permit persist molly"
doas (molly@flywheel) password: 
molly on flywheel ~/s/c/opendoas> ls -ld /run/doas
drwx------ 2 root molly 60 Mar 27 11:29 /run/doas

This doesn't appear to be a big problem at first glance, though it may be unexpected behaviour, given that it discloses the group of the user who ran doas when the timestamp directory was created.

(Additionally, the timestamp files themselves inherit the invoking user's group ID. This appears to be intentional (though I'm not immediately sure why), as there is an explicit check against the process's group ID here:

OpenDoas/timestamp.c

Line 224 in 9a25a6d

if (st.st_uid != 0 || st.st_gid != getgid() || st.st_mode != (S_IFREG | 0000))

)

Lacking persist keyword

In the doas mastery article Tedu describes the a persist keyword which essentially acts as the timeout seen in sudo.

This doesn't appear to be available with opendoas; is this due to upstream being further ahead?

Missing config.h and config.mk files

Hello. I am trying to compile OpenDoas from source and have noticed the config.h and config.mk files are missing. I am assuming that the config.mk file isn't that important as it is included in the .gitignore but it seems as the config.h file contains important function calls and fails to compile without it. I am running Gentoo version 5.10.27 with gcc 10.2.0 if that is necessary to know.

OpenDoas on NetBSD

@Duncaen https://mail-index.netbsd.org/pkgsrc-changes/2021/01/01/msg225996.html

Regards,
pin

Check write(2) return value on Debian 10

On Debian 10(buster), with _FORTIFY_SOURCE=2 and Werror, the compiler mandates checking write(2) return value and a void cast isn't adequate...

pkgsrc/wip/opendoas$ uname -a
Linux debian 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
pkgsrc/wip/opendoas$ bmake
[...]
===> Building for opendoas-6.6.1
yacc parse.y
mv -f y.tab.c parse.c
cc -O2 -D_FORTIFY_SOURCE=2 -I/usr/pkg/include -I/usr/include -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -I. -Ilibopenbsd -Wall -Wextra -Werror -pedantic -I/usr/pkg/include -I/usr/include -c -o parse.o parse.c
cc -O2 -D_FORTIFY_SOURCE=2 -I/usr/pkg/include -I/usr/include -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -I. -Ilibopenbsd -Wall -Wextra -Werror -pedantic -I/usr/pkg/include -I/usr/include -c -o doas.o doas.c
cc -O2 -D_FORTIFY_SOURCE=2 -I/usr/pkg/include -I/usr/include -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -I. -Ilibopenbsd -Wall -Wextra -Werror -pedantic -I/usr/pkg/include -I/usr/include -c -o env.o env.c
cc -O2 -D_FORTIFY_SOURCE=2 -I/usr/pkg/include -I/usr/include -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -I. -Ilibopenbsd -Wall -Wextra -Werror -pedantic -I/usr/pkg/include -I/usr/include -c -o libopenbsd/strlcat.o libopenbsd/strlcat.c
cc -O2 -D_FORTIFY_SOURCE=2 -I/usr/pkg/include -I/usr/include -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -I. -Ilibopenbsd -Wall -Wextra -Werror -pedantic -I/usr/pkg/include -I/usr/include -c -o libopenbsd/strlcpy.o libopenbsd/strlcpy.c
cc -O2 -D_FORTIFY_SOURCE=2 -I/usr/pkg/include -I/usr/include -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -I. -Ilibopenbsd -Wall -Wextra -Werror -pedantic -I/usr/pkg/include -I/usr/include -c -o libopenbsd/errc.o libopenbsd/errc.c
cc -O2 -D_FORTIFY_SOURCE=2 -I/usr/pkg/include -I/usr/include -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -I. -Ilibopenbsd -Wall -Wextra -Werror -pedantic -I/usr/pkg/include -I/usr/include -c -o libopenbsd/verrc.o libopenbsd/verrc.c
cc -O2 -D_FORTIFY_SOURCE=2 -I/usr/pkg/include -I/usr/include -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -I. -Ilibopenbsd -Wall -Wextra -Werror -pedantic -I/usr/pkg/include -I/usr/include -c -o libopenbsd/progname.o libopenbsd/progname.c
cc -O2 -D_FORTIFY_SOURCE=2 -I/usr/pkg/include -I/usr/include -D__linux__ -D_DEFAULT_SOURCE -D_GNU_SOURCE -I. -Ilibopenbsd -Wall -Wextra -Werror -pedantic -I/usr/pkg/include -I/usr/include -c -o libopenbsd/readpassphrase.o libopenbsd/readpassphrase.c
libopenbsd/readpassphrase.c: In function 'readpassphrase':
libopenbsd/readpassphrase.c:135:9: error: ignoring return value of 'write', declared with attribute warn_unused_result [-Werror=unused-result]
(void)write(output, prompt, strlen(prompt));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
libopenbsd/readpassphrase.c:154:9: error: ignoring return value of 'write', declared with attribute warn_unused_result [-Werror=unused-result]
(void)write(output, "\n", 1);
^~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make: *** [: libopenbsd/readpassphrase.o] Error 1
rm parse.c
*** Error code 2

Stop.
bmake[1]: stopped in /home/skn/pkgsrc/wip/opendoas
*** Error code 1

Stop.
bmake: stopped in /home/skn/pkgsrc/wip/opendoas

skn@debian:~/pkgsrc/wip/opendoas$ cc -v
Using built-in specs.
COLLECT_GCC=cc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 8.3.0-6' --with-bugurl=file:///usr/share/doc/gcc-8/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr --with-gcc-major-version-only --program-suffix=-8 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 8.3.0 (Debian 8.3.0-6)

With the surrounding signal handlers and tty settings, returning a NULL on -1 with the following diff feels inadequate. However, callers of readpassphrase exit on NULL so at least signal handlers aren't a problem, not sure about tty settings though.

diff --git a/libopenbsd/readpassphrase.c b/libopenbsd/readpassphrase.c
index 87675aa..2d10554 100644
--- a/libopenbsd/readpassphrase.c
+++ b/libopenbsd/readpassphrase.c
@@ -132,7 +132,9 @@ restart:
        (void)sigaction(SIGTTOU, &sa, &savettou);
 
        if (!(flags & RPP_STDIN))
-               (void)write(output, prompt, strlen(prompt));
+               if (write(output, prompt, strlen(prompt)) == -1)
+                       return(NULL);
+
        end = buf + bufsiz - 1;
        p = buf;
        while ((nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r') {
@@ -151,7 +153,8 @@ restart:
        *p = '\0';
        save_errno = errno;
        if (!(term.c_lflag & ECHO))
-               (void)write(output, "\n", 1);
+               if (write(output, "\n", 1) == -1)
+                       return(NULL);
 
        /* Restore old terminal settings and signals. */
        if (memcmp(&term, &oterm, sizeof(term)) != 0) {

	if (stat(TIMESTAMP_DIR, &st) == -1) {
	if (errno != ENOENT)
	return -1;
	if (mkdir(TIMESTAMP_DIR, 0700) == -1)
	return -1;
	} else if (st.st_uid != 0 \|\| st.st_mode != (S_IFDIR \| 0700)) {
	return -1;
	}