On Tue, Feb 14, 2017 at 03:57:43PM +0100, Paul de Weerd wrote:
> Consider the following:
> 
>        1 [weerd@despair] $ doas true
>        2 doas ([email protected]) password: 
>        3 [weerd@despair] $ doas true
>        4 [weerd@despair] $ doas -n true
>        5 doas: Authorization required
> 
> I have 'persist' to allow doas to not prompt for a password on
> subsequent invocations.  However, then using 'doas -n' complains
> "Authorization required" while the manpage says for -n: "Non
> interactive mode, fail if doas would prompt for password."
> 
> Doas wouldn't prompt for a password if -n wasn't specified (see line
> 3), so why does it fail in line 4?
> 
> Is this a bug in doas or in the manpage?
> 

I think it's a bug in doas, even if the combination of -n and persist is
a bit iffy. Here's a simple fix:

Index: doas.c
===================================================================
RCS file: /var/cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.69
diff -u -p -r1.69 doas.c
--- doas.c      14 Jan 2017 18:51:24 -0000      1.69
+++ doas.c      14 Feb 2017 15:07:05 -0000
@@ -194,7 +194,7 @@ checkconfig(const char *confpath, int ar
 }
 
 static void
-authuser(char *myname, char *login_style, int persist)
+authuser(char *myname, char *login_style, int persist, int nflag)
 {
        char *challenge = NULL, *response, rbuf[1024], cbuf[128];
        auth_session_t *as;
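
Review bot: the new `nflag` parameter in the `authuser` signature is a second plain `int` flag directly after `persist`, so a call with the two arguments transposed would compile without any diagnostic. A short comment above the function stating what each flag means (`persist`: a previously persisted authorization may be accepted; `nflag`: never prompt) would document the contract the caller in main has to follow.
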
@@ -207,6 +207,9 @@ authuser(char *myname, char *login_style
                        goto good;
        }
 
+       if (nflag)
+               errx(1, "Authorization required");
+
        if (!(as = auth_userchallenge(myname, login_style, "auth-doas",
            &challenge)))
                errx(1, "Authorization failed");
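
Review bot: the added `if (nflag)` check is only correct because of where it sits, after the `goto good` path shown in the context above it and before `auth_userchallenge`, and nothing in the code says so. A one-line comment here, for example that non-interactive mode fails only once no persisted authorization was accepted and before any challenge is issued, would keep a later reordering from reintroducing either the prompt under -n or the spurious failure reported in this thread.
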
@@ -357,12 +360,8 @@ main(int argc, char **argv)
                errc(1, EPERM, NULL);
        }
 
-       if (!(rule->options & NOPASS)) {
-               if (nflag)
-                       errx(1, "Authorization required");
-
-               authuser(myname, login_style, rule->options & PERSIST);
-       }
+       if (!(rule->options & NOPASS))
+               authuser(myname, login_style, rule->options & PERSIST, nflag);
 
        if (pledge("stdio rpath getpw exec id", NULL) == -1)
                err(1, "pledge");
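
Review bot: at the rewritten `authuser(...)` call in main, nothing indicates any longer that -n can terminate the program at this point, because the `if (nflag)` exit moved into authuser. A brief comment at the call noting that authuser does not return on failure, including the -n case, would keep main's control flow readable. The message and exit status are unchanged (`errx(1, "Authorization required")`), so rules without persist behave as before.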
