On Mon, Jul 27, 2015 at 10:44:00PM +0200, Alexander Hall wrote:
>
> On July 27, 2015 3:22:13 PM GMT+02:00, Theo Buehler <[email protected]> wrote:
> >On Mon, Jul 27, 2015 at 03:13:55PM +0200, Marc Espie wrote:
> >> On Mon, Jul 27, 2015 at 02:40:53PM +0200, Theo Buehler wrote:
> >>
> >> > So omitting [as identity] allows me to run as every user, not
> >> > just as root? Is this intentional?
> >>
> >> I think it's intentional. It's definitely what I would expect [as identity]
> >> is a restrictive modifier. If you want to only be able to run as root, you
> >> write "as root".
> >
> >Ok thanks, this makes sense, but it is not quite clear (to me) from
> >the docs that this is a "restrictive quantifier".
> >
> >The bit I quoted from the man page on "as target" says "The
> >default is root.", not "root and everybody else". (Sorry I should
> >have written "as target", not "as identity" in my mail)
> >
> >> How would you phrase things if it wasn't the case ?..
> >
> >As indicated above I would probably write something like "as root and
> >every other user" instead of simply "as root".
>
> Assuming you are properly quoting the docs, and I have no reason to
> believe otherwise, it should certainly not say "as root", but rather
> "as anyone".

This was resolved by tedu@'s most recent commit to doas.conf.5:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/doas/doas.conf.5.diff?r1=1.12&r2=1.13

Thanks to espie@ and halex@ for helping me understand where my confusion came from.
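An added example, not part of the original mail and not OpenBSD code: a small audit script that flags `permit` rules in a doas.conf which carry no `as target` clause and therefore, per the behaviour discussed in this thread, are not restricted to one target user. The parser is a simplified assumption (no quoting, no line continuation) and the sample configuration is constructed.

```python
import re

# Option keywords from doas.conf(5); setenv may carry a { ... } list.
OPTIONS = {"nopass", "nolog", "persist", "keepenv", "setenv"}

def parse_rule(line):
    """Return (action, identity, target) for one rule line, or None.

    target is None when the rule has no "as target" clause.
    Simplified: no quoting, no backslash line continuation.
    """
    line = line.split("#", 1)[0]            # drop comments
    line = re.sub(r"\{[^}]*\}", " ", line)  # drop { ... } environment lists
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    rest = tokens[1:]
    while rest and rest[0] in OPTIONS:      # skip options before the identity
        rest.pop(0)
    if not rest:
        return None
    identity, rest = rest[0], rest[1:]
    target = rest[1] if len(rest) >= 2 and rest[0] == "as" else None
    return tokens[0], identity, target

def unrestricted_permits(text):
    """List (lineno, identity) for permit rules that name no target user."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule and rule[0] == "permit" and rule[2] is None:
            hits.append((n, rule[1]))
    return hits

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
# constructed example
permit nopass keepenv :wheel
permit alice as root
permit bob cmd /sbin/reboot
deny carol as root
permit setenv { FOO=bar } dave as operator cmd /usr/bin/true
"""

if __name__ == "__main__":
    for lineno, who in unrestricted_permits(SAMPLE):
        print(f"line {lineno}: '{who}' has no 'as target' restriction")
```

Rules that are meant to grant root only should then be rewritten with an explicit `as root`.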

