Martijn van Duren wrote:
> > But what would it hurt to allow root usage?
> > Specifically,
> >
> >     doas -u ${BUILDUSER} some unquoted command
> >
> > as run by root. This would not open any security hole, would it?
>
> I don't see any and I've been bitten by having a root shell open and
> typing doas out of habit.
The reason there's no builtin config is to prevent confusion, even if it sometimes causes mild annoyance. When there are invisible rules, it becomes harder to know which rule is actually being taken. For example, your rule below doesn't include keepenv. So next week we're going to get bug reports that things work when run as a user, but not as root. And for exactly the same reason, people only half set things up. The fact that the default appears to work sometimes makes things even more annoying. And I don't think the default should just be changed to include keepenv, because maybe that's not what people want and then we'd need to explain how to undo that.

> +	static struct rule allowroot = {
> +		.action = PERMIT,
> +		.options = NOPASS,
> +		.ident = NULL,
> +		.target = NULL,
> +		.cmd = NULL,
> +		.cmdargs = NULL,
> +		.envlist = NULL
> +	};
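Review bot: `.options = NOPASS` is the only option set on this built-in rule, so it does not carry KEEPENV and will not behave like a user's `permit keepenv` rule, which is exactly the root-versus-user discrepancy raised above; with `.ident`, `.target` and `.cmd` all NULL it also matches every target and command, so if the rule is kept its options should either match what a typical configured rule uses or the difference should be spelled out in the commit message and doas.conf(5).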
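As an added illustration (not from the thread or from doas itself), the explicit doas.conf(5) rules that correspond to the proposed built-in and to the keepenv variant the reply says people actually expect; writing the rule out is the visible alternative to an invisible default:

```conf
# Added example, not from the thread. What the proposed built-in rule
# would look like if written out explicitly in /etc/doas.conf:
# root may run anything as any target, without a password, environment scrubbed.
permit nopass root

# The variant most build setups end up wanting; the built-in rule above
# omits keepenv, which is the source of the "works as user, not as root" reports.
permit nopass keepenv root

# doas.conf uses the last matching rule, so a more specific rule placed later
# overrides the general one for that case (BUILDUSER is a placeholder name).
permit nopass keepenv root as BUILDUSER
```

Because the last matching rule wins, anyone relying on an implicit root rule has no line in this file to reason about when the behaviour differs between users, which is the confusion the reply is describing.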