On Sun, Jul 26, 2015 at 02:27:55PM +0300, Vadim Zhukov wrote:
> 2015-07-26 14:15 GMT+03:00 Marc Espie <es...@nerim.net>:
> >
> > I don't think it falls on the side of bloat, and it's a pretty nifty option
> > to sudo...
> >
> >
> > Index: doas.1
> > ===================================================================
> > RCS file: /build/data/openbsd/cvs/src/usr.bin/doas/doas.1,v
> > retrieving revision 1.10
> > diff -u -p -r1.10 doas.1
> > --- doas.1      21 Jul 2015 17:49:33 -0000      1.10
> > +++ doas.1      26 Jul 2015 11:13:52 -0000
> > @@ -21,7 +21,7 @@
> >  .Nd execute commands as another user
> >  .Sh SYNOPSIS
> >  .Nm doas
> > -.Op Fl s
> > +.Op Fl ns
> >  .Op Fl C Ar config
> >  .Op Fl u Ar user
> >  .Ar command
> > @@ -38,6 +38,10 @@ Parse and check the configuration file
> >  .Ar config ,
> >  then exit.
> >  No command is executed.
> > +.It Fl n
> > +Non interactive mode, fail if
> > +.Nm
> > +would prompt for password.
> >  .It Fl s
> >  Execute the shell from
> >  .Ev SHELL
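Review bot: the new ".It Fl n" entry has two wording nits: "Non interactive" should be hyphenated as "Non-interactive", and "would prompt for password" reads better as "would prompt for a password". Since the doas.c change takes the fail() path for any rule without NOPASS when -n is given, the entry could also say outright that the command is not executed in that case.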
> > Index: doas.c
> > ===================================================================
> > RCS file: /build/data/openbsd/cvs/src/usr.bin/doas/doas.c,v
> > retrieving revision 1.21
> > diff -u -p -r1.21 doas.c
> > --- doas.c      24 Jul 2015 06:36:42 -0000      1.21
> > +++ doas.c      26 Jul 2015 11:13:52 -0000
> > @@ -295,9 +295,10 @@ main(int argc, char **argv, char **envp)
> >         int ngroups;
> >         int i, ch;
> >         int sflag = 0;
> > +       int nflag = 0;
> >
> >         uid = getuid();
> > -       while ((ch = getopt(argc, argv, "C:su:")) != -1) {
> > +       while ((ch = getopt(argc, argv, "C:nsu:")) != -1) {
> >                 switch (ch) {
> >                 case 'C':
> >                         setresuid(uid, uid, uid);
> > @@ -307,6 +308,9 @@ main(int argc, char **argv, char **envp)
> >                         if (parseuid(optarg, &target) != 0)
> >                                 errx(1, "unknown user");
> >                         break;
> > +               case 'n':
> > +                       nflag = 1;
> > +                       break;
> >                 case 's':
> >                         sflag = 1;
> >                         break;
> > @@ -361,7 +365,7 @@ main(int argc, char **argv, char **envp)
> >         }
> >
> >         if (!(rule->options & NOPASS)) {
> > -               if (!auth_userokay(myname, NULL, NULL, NULL)) {
> > +               if (nflag || !auth_userokay(myname, NULL, NULL, NULL)) {
> >                         syslog(LOG_AUTHPRIV | LOG_NOTICE,
> >                             "failed password for %s", myname);
> >                         fail();
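Review bot: in "if (nflag || !auth_userokay(myname, NULL, NULL, NULL))", a run with -n falls through to the existing syslog call and is logged as "failed password for %s" at LOG_AUTHPRIV | LOG_NOTICE, although no password was requested or checked. Anyone counting failed-password entries in the auth log then cannot tell a rejected password from a non-interactive invocation. Suggest testing nflag in its own branch before auth_userokay is called, with a distinct message followed by fail(), so that the "failed password" line only ever records a password that was actually rejected.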
> 
> 
> Can't this be achieved with "doas -C /etc/doas.conf command ..." and
> checking if doas will print "permit nopass", as it's done in the "Check if
> command is permitted by doas" thread on hackers@? I see you want to
> fail later rather than sooner, though...
> 

Possibly. What's the point? That's one sudo option that takes about zero
code to emulate 100%. So why not?
