Hello,

I didn't know that, when replying, I have to specify the CC address as misc@openbsd.org.
I'm so sorry.

Best regards,
Hajime Edakawa

---------- Forwarded message ---------
From: Hajime Edakawa <hajime.edak...@gmail.com>
Date: Thu, Sep 13, 2018, 3:12
Subject: Re: doas.conf(5) question: when password required
To: <s...@spacehopper.org>

Thank you for your kind reply, Mr. Henderson.

I am very sorry, I made a mistake in my first e-mail.
There were two mistakes of mine. The correction is as follows:

Mistake (1/2):
> > Hello to all,
> >
> > I am sorry to say that I could not understand this behavior intuitively.
> >
> > $ id -Gn
> > hajime wheel
> > $ cat /etc/doas.conf
> > permit nopass hajime as root cmd mg # A
> > permit keepenv :wheel # B
> > $ doas mg /etc/doas.conf # no password, ok.
> > ...
> >

Correct (1/2):
$ id -Gn
hajime wheel
$ cat /etc/doas.conf
permit nopass hajime as root cmd mg # A
permit keepenv :wheel # B
$ doas mg /etc/doas.conf # require password, ok?
doas (***) password:
...
$

Mistake (2/2):
> > But,
> >
> > $ id -Gn
> > hajime wheel
> > $ cat /etc/doas.conf
> > permit keepenv :wheel # B
> > permit nopass hajime as root cmd mg # A
> > $ doas mg /etc/doas.conf # require password, ok?
> > doas (***) password:
> > ...
> > $
> >
> > I understand the former, but I could not understand the latter.
> > My question is whether this is correct behavior?

Correct (2/2):
$ id -Gn
hajime wheel
$ cat /etc/doas.conf
permit keepenv :wheel # B
permit nopass hajime as root cmd mg # A
$ doas mg /etc/doas.conf # no password, ok.
...
$

Excuse me for taking up your time over such a mistake of mine.
I am very grateful that you explained that to me politely.
My bad. I apologize again.

Sincerely yours,
Hajime Edakawa

Thu, Sep 13, 2018, 1:57 Stuart Henderson <s...@spacehopper.org>:
>
> On 2018-09-12, Hajime Edakawa <hajime.edak...@gmail.com> wrote:
> > Hello to all,
> >
> > I am sorry to say that I could not understand this behavior intuitively.
> >
> > $ id -Gn
> > hajime wheel
> > $ cat /etc/doas.conf
> > permit nopass hajime as root cmd mg # A
> > permit keepenv :wheel # B
> > $ doas mg /etc/doas.conf # no password, ok.
> > ...
> > $
>
> Something seems wrong here, because it is documented as "last match
> wins", and that is how it works for me (amd64 -current, FWIW).
> Last match is "permit keepenv :wheel", so it should ask for a password.
>
> $ printf 'permit nopass sthen as root cmd mg\npermit keepenv :wheel\n' > test
> $ doas -C test mg
> permit
>
> > But,
> >
> > $ id -Gn
> > hajime wheel
> > $ cat /etc/doas.conf
> > permit keepenv :wheel # B
> > permit nopass hajime as root cmd mg # A
> > $ doas mg /etc/doas.conf # require password, ok?
> > doas (***) password:
> > ...
> > $
> >
> > I understand the former, but I could not understand the latter.
> > My question is whether this is correct behavior?
>
> This seems wrong too, that isn't what I see (the last match here
> is the "nopass" line)
>
> $ printf 'permit keepenv :wheel\npermit nopass sthen as root cmd mg\n' > test
> $ doas -C test mg
> permit nopass
>
> > And,
> >
> > $ id -Gn
> > hajime wheel
> > $ cat /etc/doas.conf
> > permit keepenv :games # New B: other than wheel group
> > permit nopass hajime as root cmd mg # A
> > $ doas mg /etc/doas.conf # no password, ok.
> > ...
> > $
>
> This one is working how I expect, last match is "nopass" and that's
> what you get.
>
> $ printf 'permit keepenv :games\npermit nopass sthen as root cmd mg\n' > test
> $ doas -C test mg
> permit nopass
>
> >
> > Excuse me if you do not understand or you feel bad about my poor English.
>
> There is absolutely no problem with your English in this mail,
> it's very clear :) What isn't clear, is why doas is behaving like
> this. Which version are you running? (dmesg is always a good idea).
>
>
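
The "last match wins" evaluation discussed in this thread, as an added example that is not part of the original messages and is not doas's own code: a simplified Python model of doas.conf(5) matching, run over the three rule sets quoted above. The function names are hypothetical; it assumes user hajime in groups hajime and wheel, a target of root, and does not model setenv or command args.

```python
# Simplified model of doas.conf(5) rule matching (added example, not doas source).
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}  # setenv { ... } not modelled

def parse_rule(line):
    """Parse 'permit|deny [options] identity [as target] [cmd command]'."""
    tokens = line.split("#", 1)[0].split()   # drop trailing comment
    if not tokens:
        return None
    if tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unknown action {tokens[0]!r}")
    rule = {"action": tokens[0], "options": set(), "as": None, "cmd": None}
    rest = tokens[1:]
    while rest and rest[0] in OPTIONS:
        rule["options"].add(rest.pop(0))
    if not rest:
        raise ValueError("rule has no identity")
    rule["identity"] = rest.pop(0)
    while rest:                               # optional 'as X' / 'cmd Y' pairs
        key = rest.pop(0)
        if key not in ("as", "cmd") or not rest:
            raise ValueError(f"unexpected token {key!r}")
        rule[key] = rest.pop(0)
    return rule

def matches(rule, user, groups, target, cmd):
    """A rule matches on identity (user or :group), target and command."""
    ident = rule["identity"]
    who = ident[1:] in groups if ident.startswith(":") else ident == user
    return who and rule["as"] in (None, target) and rule["cmd"] in (None, cmd)

def check(conf, user, groups, cmd, target="root"):
    """Return the string `doas -C` prints: permit, permit nopass or deny."""
    last = None
    for line in conf.splitlines():
        rule = parse_rule(line)
        if rule and matches(rule, user, groups, target, cmd):
            last = rule                       # later matches overwrite earlier ones
    if last is None or last["action"] == "deny":
        return "deny"                         # no matching rule means deny
    return "permit nopass" if "nopass" in last["options"] else "permit"

# Rule sets copied from the thread; user and groups are from `id -Gn` above.
A_THEN_B = "permit nopass hajime as root cmd mg # A\npermit keepenv :wheel # B\n"
B_THEN_A = "permit keepenv :wheel # B\npermit nopass hajime as root cmd mg # A\n"
GAMES_THEN_A = ("permit keepenv :games # New B: other than wheel group\n"
                "permit nopass hajime as root cmd mg # A\n")
for name, conf in [("A,B", A_THEN_B), ("B,A", B_THEN_A), ("games,A", GAMES_THEN_A)]:
    print(name, "->", check(conf, "hajime", {"hajime", "wheel"}, "mg"))
```

Because a broad group rule placed last overrides a narrower nopass rule, the order of lines in doas.conf decides whether a password prompt appears; `doas -C` shows the result without running the command.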