Otto Moerbeek wrote:
> On Tue, Feb 14, 2017 at 02:56:01PM -0500, Ted Unangst wrote:
>
> > Paul de Weerd wrote:
> > > Well, in my case I can simply not use doas -n and ensure my script
> > > works without prompting for passwords more than once (which is what I
> > > care about). However, I have to say that doas works great in
> > > scripting setups: it asks for a password once and then all subsequent
> > > invocations of doas do not. Once the script ends, the process group
> > > is gone and with it, the persist ticket. So, yeah, persist works
> > > great for scripting.
> >
> > I must admit this usage is kind of strange, but that doesn't mean bad.
> > Unexpected though. :)
> >
> > However, do you need to use -n in this case? You've set things up so that
> > the first invocation asks for a password and then it relies on persist
> > throughout. So leave off of the -n?
>
> Hmmmm, isn't that a big race condition? What if the script takes
> longer than the persists time?

So that's the rationale for why it takes precedence. You can test the script and get reliable results. Depends on whether one interprets -n to mean "don't ask" or "don't wait".

As an alternative, let me mention the changes that were recently done to the build system. Instead of using doas to elevate privileges during operations like install, start as root and use doas to drop privileges to the build user. This may require reworking the script somewhat, but I think it's a safer way to do things.
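
Added example, not part of the original message and not the OpenBSD build system's own code: a script skeleton for the "start as root, drop privileges with doas" arrangement described above. The doas.conf rule, the `build` user name, the `/usr/src` default and the make targets are assumptions for illustration.

```sh
#!/bin/sh
# Start as root, drop to an unprivileged user for the build steps, and keep
# root only for the install step. No step ever needs a password prompt, so
# the run does not depend on a persist ticket staying valid.
#
# Assumed doas.conf rule (not from the original message):
#   permit nopass root as build

BUILD_USER=${BUILD_USER:-build}   # assumed unprivileged build account
SRC_DIR=${SRC_DIR:-/usr/src}      # assumed source tree location
DOAS=${DOAS:-doas}                # overridable so the logic can be tested

# Succeeds only for uid 0. The uid may be passed in for testing;
# by default it is taken from id(1).
require_root() {
    [ "${1:-$(id -u)}" -eq 0 ]
}

# Run a command as the build user. -n makes doas fail instead of prompting
# when the matching rule lacks nopass, so a misconfigured doas.conf stops
# the script at once rather than leaving it waiting on a terminal.
as_build() {
    "$DOAS" -n -u "$BUILD_USER" "$@"
}

main() {
    require_root || { echo "must be started as root" >&2; return 1; }
    as_build make -C "$SRC_DIR" obj   || return 1
    as_build make -C "$SRC_DIR" build || return 1
    # Only the install step runs with root privileges.
    make -C "$SRC_DIR" install
}

# Run only when asked to explicitly, e.g. "sh build.sh run".
if [ "${1:-}" = "run" ]; then
    main
fi
```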
