On Sun, Jul 26, 2015 at 02:27:55PM +0300, Vadim Zhukov wrote: > 2015-07-26 14:15 GMT+03:00 Marc Espie <es...@nerim.net>: > > > > I don't think it falls on the side of bloat, and it's a pretty nifty option > > to sudo... > > > > > > Index: doas.1 > > =================================================================== > > RCS file: /build/data/openbsd/cvs/src/usr.bin/doas/doas.1,v > > retrieving revision 1.10 > > diff -u -p -r1.10 doas.1 > > --- doas.1 21 Jul 2015 17:49:33 -0000 1.10 > > +++ doas.1 26 Jul 2015 11:13:52 -0000 > > @@ -21,7 +21,7 @@ > > .Nd execute commands as another user > > .Sh SYNOPSIS > > .Nm doas > > -.Op Fl s > > +.Op Fl ns > > .Op Fl C Ar config > > .Op Fl u Ar user > > .Ar command > > @@ -38,6 +38,10 @@ Parse and check the configuration file > > .Ar config , > > then exit. > > No command is executed. > > +.It Fl n > > +Non interactive mode, fail if > > +.Nm > > +would prompt for password. > > .It Fl s > > Execute the shell from > > .Ev SHELL > > Index: doas.c > > =================================================================== > > RCS file: /build/data/openbsd/cvs/src/usr.bin/doas/doas.c,v > > retrieving revision 1.21 > > diff -u -p -r1.21 doas.c > > --- doas.c 24 Jul 2015 06:36:42 -0000 1.21 > > +++ doas.c 26 Jul 2015 11:13:52 -0000 > > @@ -295,9 +295,10 @@ main(int argc, char **argv, char **envp) > > int ngroups; > > int i, ch; > > int sflag = 0; > > + int nflag = 0; > > > > uid = getuid(); > > - while ((ch = getopt(argc, argv, "C:su:")) != -1) { > > + while ((ch = getopt(argc, argv, "C:nsu:")) != -1) { > > switch (ch) { > > case 'C': > > setresuid(uid, uid, uid); > > @@ -307,6 +308,9 @@ main(int argc, char **argv, char **envp) > > if (parseuid(optarg, &target) != 0) > > errx(1, "unknown user"); > > break; > > + case 'n': > > + nflag = 1; > > + break; > > case 's': > > sflag = 1; > > break; 
> > @@ -361,7 +365,7 @@ main(int argc, char **argv, char **envp) > > } > > > > if (!(rule->options & NOPASS)) { > > - if (!auth_userokay(myname, NULL, NULL, NULL)) { > > + if (nflag || !auth_userokay(myname, NULL, NULL, NULL)) { > > syslog(LOG_AUTHPRIV | LOG_NOTICE, > > "failed password for %s", myname); > > fail(); > > > Can't this be achieved with "doas -C /etc/doas.conf command ..." and > checking if doas will print "permit nopass", as it's done in "Check if > command is permitted by doas" thread on hackers@? I see you want to > fail later rather than sooner, though... >
Possibly. What's the point? That's one sudo option that takes about zero code to emulate 100%. So why not?
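Review bot: in the last doas.c hunk (@@ -361,7 +365,7 @@), folding nflag into the auth_userokay() condition sends a -n run that never prompted down the same path as a wrong password, so syslog records "failed password for %s" for an attempt where no password was entered. That makes the auth log unreliable for anyone counting failed passwords. Test nflag in its own branch before calling auth_userokay(), with its own log text, so a refused non-interactive run can be told apart from a real authentication failure.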
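Review bot: in the doas.1 hunk that adds ".It Fl n", the description needs a hyphen and an article: "Non-interactive mode, fail if doas would prompt for a password." It should also state that rules marked nopass still run under -n, since the doas.c change only consults nflag inside the "!(rule->options & NOPASS)" branch and the man page text does not make that visible to someone scripting around it.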