Martijn van Duren wrote:
> > But what would it hurt to allow root usage?
> > Specifically,
> > 
> > doas -u ${BUILDUSER} some unquoted command
> > 
> > as run by root.  This would not open any security hole, would it?
> 
> I don't see any and I've been bitten by having a rootshell open and
> typing doas out of habit.

The reason there's no builtin config is to prevent confusion, even if it
sometimes causes mild annoyance. When there are invisible rules, it becomes
harder to know which rule is actually being taken.

For example, your rule below doesn't include keepenv. So next week we're going
to get bug reports that things work when run as a user, but not as root. And
for exactly the same reason, people only half set things up. The fact that the
default appears to work sometimes makes things even more annoying. And I
don't think the default should just be changed to include keepenv, because
maybe that's not what people want and then we'd need to explain how to undo
that.


> +     static struct rule allowroot = {
> +             .action = PERMIT,
> +             .options = NOPASS,
> +             .ident = NULL,
> +             .target = NULL,
> +             .cmd = NULL,
> +             .cmdargs = NULL,
> +             .envlist = NULL
> +     };
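Review bot: `.options = NOPASS` without KEEPENV means any root invocation that ends up matched by this builtin rule runs with the environment scrubbed, while the admin's own rule for the same target user will typically carry keepenv, which is the "works as a user, not as root" inconsistency raised above; either add KEEPENV to the initializer or document that root-invoked commands lose their environment. The hunk also shows only the declaration, so it is not visible here how the rule is restricted to uid 0 (`.ident = NULL` matches nobody in particular) or where it sits relative to the rules parsed from doas.conf; since the last matching rule wins, that ordering decides whether an explicit config rule for root can override it, and it should be stated in the commit message.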

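The keepenv point above, as an added illustration rather than code from doas or from the patch: a small C model of rule matching with the doas.conf(5) semantics that the last matching rule determines the action, and only that rule's options apply. The user names ("ports", "_pbuild"), the option bit values, and the placement of the builtin rule ahead of the config rules are assumptions made for the example. It shows the same command working for the build user's config rule but running with a scrubbed environment when root is matched by the builtin rule instead, until an explicit root rule is added.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Action and option bits named after the ones in the quoted patch.
 * The numeric values are illustrative, not taken from doas. */
#define PERMIT  1
#define DENY    2
#define NOPASS  0x01
#define KEEPENV 0x02

struct rule {
	int action;
	int options;
	const char *ident;   /* invoking user; NULL matches anyone */
	const char *target;  /* target user; NULL matches any */
	const char *cmd;     /* command; NULL matches any */
};

#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* A rule matches when every non-NULL field equals the invocation. */
static int
rule_matches(const struct rule *r, const char *user, const char *target,
    const char *cmd)
{
	if (r->ident != NULL && strcmp(r->ident, user) != 0)
		return 0;
	if (r->target != NULL && strcmp(r->target, target) != 0)
		return 0;
	if (r->cmd != NULL && strcmp(r->cmd, cmd) != 0)
		return 0;
	return 1;
}

/* doas.conf(5): the last matching rule determines the action taken.
 * Stores that rule in *lastr; returns DENY when nothing matches. */
int
permit(const char *user, const char *target, const char *cmd,
    const struct rule *rules, size_t nrules, const struct rule **lastr)
{
	*lastr = NULL;
	for (size_t i = 0; i < nrules; i++)
		if (rule_matches(&rules[i], user, target, cmd))
			*lastr = &rules[i];
	return *lastr != NULL ? (*lastr)->action : DENY;
}

/* 1 = runs with environment kept, 0 = runs with environment scrubbed,
 * -1 = denied outright. */
int
env_kept(const char *user, const char *target, const char *cmd,
    const struct rule *rules, size_t nrules)
{
	const struct rule *r;

	if (permit(user, target, cmd, rules, nrules, &r) != PERMIT)
		return -1;
	return (r->options & KEEPENV) ? 1 : 0;
}

/* Constructed doas.conf: a build user whose rule needs keepenv. */
static const struct rule conf_only[] = {
	{ PERMIT, NOPASS | KEEPENV, "ports", "_pbuild", NULL },
};

/* Same config with the patch's allowroot rule placed in front of it
 * (assumed placement; the model spells the uid-0 restriction as ident
 * "root" instead of the patch's NULL ident). */
static const struct rule with_builtin[] = {
	{ PERMIT, NOPASS, "root", NULL, NULL },
	{ PERMIT, NOPASS | KEEPENV, "ports", "_pbuild", NULL },
};

/* What the admin adds once the "works as user, not as root" report comes in. */
static const struct rule with_root_rule[] = {
	{ PERMIT, NOPASS, "root", NULL, NULL },
	{ PERMIT, NOPASS | KEEPENV, "ports", "_pbuild", NULL },
	{ PERMIT, NOPASS | KEEPENV, "root", "_pbuild", NULL },
};

int ports_conf_only(void)
{ return env_kept("ports", "_pbuild", "make", conf_only, NELEMS(conf_only)); }
int root_conf_only(void)
{ return env_kept("root", "_pbuild", "make", conf_only, NELEMS(conf_only)); }
int ports_with_builtin(void)
{ return env_kept("ports", "_pbuild", "make", with_builtin, NELEMS(with_builtin)); }
int root_with_builtin(void)
{ return env_kept("root", "_pbuild", "make", with_builtin, NELEMS(with_builtin)); }
int root_with_root_rule(void)
{ return env_kept("root", "_pbuild", "make", with_root_rule, NELEMS(with_root_rule)); }

int
main(void)
{
	printf("ports, config only:        %d\n", ports_conf_only());    /* 1  */
	printf("root,  config only:        %d\n", root_conf_only());     /* -1 */
	printf("ports, with builtin:       %d\n", ports_with_builtin()); /* 1  */
	printf("root,  with builtin:       %d\n", root_with_builtin());  /* 0  */
	printf("root,  with explicit rule: %d\n", root_with_root_rule()); /* 1 */
	return 0;
}
```

The `root_with_builtin` case is the one to watch: the command is permitted, so nothing is refused and no log line complains, but the builtin rule that matched has no keepenv and the environment is silently dropped. Checking which rule actually fired (here via `*lastr`, on a real system via `doas -C /etc/doas.conf -u _pbuild make`) is the only way to tell the two outcomes apart.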