Interesting sudo(8) versus doas(1) case.
While I always prefer doas(1) over sudo(8) there is at least one case where doas(1) is useless.
Allow group member to just install packages and not remove them.
Details in the FEATURE REQUEST here:
@littlefox also since it's in #Userspace I hope there will be a way to forego any need for #sudo / #su / #doas ... entirely and thus lock down a system when needed.
https://www.howtogeek.com/devops/how-to-create-a-ram-drive-in-linux/
There's a point: https://portal.mozz.us/gemini/thrig.me/blog/2023/03/12/feature-poor-sudo-replacement.gmi #sudo #doas #security
Ciao #sudo, it was nice with you; you accompanied me for a long time on many distributions (#Distributionen), were always one of my top #tools, come from the "good" old 80s and can still be invoked on many Unix-like (#unixoiden) systems😉.
Since it's #freebsd weeks for me and my system is running well, I have discovered #doas for myself and must say it is very lean, clear, and easy to configure, and it will stay on my #freebsd as more than just test software👍. Ciao #doas
I use doas btw
#doas #sudo #superuser #linux #linuxmeme #linuxmemes #meme #meme #fosserytech
I never understood why, at least in Linux, #doas does not have the "persist" function working. Or the support is shaky: #AlpineLinux seems to get it right, but some others don't, so I have to type the password a lot more often.
But at least it seems that Debian #Sid has a version with the feature working. Hopefully it gets into other distros too!
@brynet @benjamineskola @judfilm @brightside
You in fact _are_ talking about PAM, though, because that's where 50% of the #ifdef __Linux__ conditional compilation actually is, and 25% of it is in comments. (-:
Example: https://github.com/slicer69/doas/blob/master/doas.c#L423
@brynet @benjamineskola @judfilm @brightside
Of course it's going to have #ifdefs. It does PAM on systems with OpenPAM and LinuxPAM and BSD Auth on OpenBSD. It's a fairly superficial analysis to say that something is problematic because it has #ifdef __Linux__. Indeed, that's the same level of analysis as the OpenDoas author wholesale deleting all the code that's behind #ifdef __OpenBSD__, the exact commit for which is earlier in this very thread.
@brynet @benjamineskola @judfilm @mark @brightside
Ironically, one of its open bugs is completely down to #PAM, specifically #LinuxPAM not doing what #OpenPAM does.
https://github.com/slicer69/doas/issues/17#issuecomment-1553249174
The other open bug has a very simple and blunt answer: #doas cannot compile an ioctl() out of the Linux kernel. This is a bug against #Linux, the world knows it, and the bug filer should know it.
@brynet @benjamineskola @judfilm @mark @brightside
The slicer69 #doas has, however, retained most of the tedu code, and added an #OpenBSD library compatibility layer to avoid changing some stuff. strlcpy() is in there, using millert's code.
Indeed, it has stuck to its guns over those very ioctl()s, pointing out that if one wants that functionality one needs OpenBSD for it.
As I've already pointed out, OpenDoas just wholesale deleted everything that conditionally compiled for non-Linux.
@benjamineskola @judfilm @mark @brightside
I pointed out the AUR having the other #doas package, earlier. So a good start for the #Debian and #Ubuntu and whatnots would be following #ArchLinux . Interestingly, Debian renamed its OpenDoas package away from the name "doas", although it still installs the command under that name, so the now unused package name is presumably reassignable. I think even the transition package is gone, now, although I haven't checked.
No. Someone took the portable #doas source code that targeted multiple operating systems, gutted all of the #OpenBSD parts from it, on the somewhat dubious grounds that the portable bits for other operating systems didn't build on Linux, and replaced them with mechanisms that work how sudo works. And they decided to name it "Opendoas".
And the people who put together #ArchLinux, #Debian, et al. decided that that was what they were going to officially ship as "doas".
... except when you are using #ArchLinux, where the AUR #doas package has the #OpenBSD code, but the "official" doas package has had all of the OpenBSD code taken out and the timestamp files and other mechanisms from sudo substituted in.
https://github.com/Duncaen/OpenDoas/commit/74449f015ff7a72300be5a27680d2c70af309328
https://github.com/Duncaen/OpenDoas/commit/1899c37ea48dd1932edd913c510411ee4c9c242f
Are they using Linux-only syscalls? Is that why it's not portable anymore?
In the end, a sudo replacement that (a) keeps the same configuration file syntax with its surprising meanings for the '#' character that trip up administrators, and (b) only works on Linux-based operating systems, is not an improvement, whatever language it is written in. Picking the programming language choice as the thing to fix, at the expense of thereby eliminating portability, is missing the elephant in the room.
Setting #doas with passwordless authentication
https://kzimmermann.0x.no/updates/20230223_2210.html
I was banging my head against the wall with this for the longest of times... until I learned about this bit of absolute paths!
So after the vulnerability and the video of Mental Outlaw, I have moved from sudo (170K lines of code) to opendoas (3k lines of code).
And to mitigate the decade of sudo muscle memory, I've made an alias sudo -> doas.
Don't forget to actually make doas yourpackagemanager remove sudo.
That way, if your doas is broken, it won't remove sudo.
#security #linux #doas #sudo #vulnerability