May I humbly suggest the addition of an alias switch in the doas command? It
would serve to shorten the command into something shorter and perhaps more
memorable. I don’t think there are security implications as such but I’m no
expert on security. I think it’s neater to have this functionality tied to the
doas.conf file.
I don’t think this complicates the simple design of doas. It can add a lot to
the usability experience though. The alias name could serve as a self
documenting name of the custom intention as defined by the administrator and
executed by the user.
An aside: is it possible to configure a doas.conf rule that ignores additional
switches added at the command line? I’m not seeing it in the man page for
doas.conf. doas.conf states that having an empty args option would satisfy the
requirement:
> args [argument ...]
>     Arguments to command. The command arguments provided by the
>     user need to match those specified. The keyword args alone
>     means that command must be run without any arguments.
On the other hand, doas man page doesn’t have an entry defining what happens
when [args] are specified:
> doas [-Lns] [-a style] [-C config] [-u user] command [args]
regards to all
example man page snippets for proposed alias configuration option:
#man doas
NAME
doas - execute commands as another user
SYNOPSIS
doas [-Lns] [-a style] [-C config] [-u user] command [args]
DESCRIPTION
The doas utility executes the given command as another user. The command
argument is mandatory unless -A, -C, -L, or -s is specified.
The options are as follows:
-a style Use the specified authentication style when validating the
. . .
-A alias Accept the alias name instead of the full command path when
invoking doas.
———
#man doas.conf
The rules have the following format:
permit|deny [options] identity [as target] [cmd command [args …]
[alias name]]
. . .
alias name A shorter name with which to invoke the command and options.
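
An added example, not part of the original message and not doas's own code: a small Python model of the args matching quoted from doas.conf above, showing that a cmd rule without the args keyword accepts any arguments, args alone accepts none, and the last matching rule decides. The users, commands and rules are constructed; group identities and setenv are left out, and the proposed alias option is not modelled.

```python
import shlex

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}  # setenv { ... } is not modelled

def parse_rule(line):
    """Parse: permit|deny [options] identity [as target] [cmd command [args ...]]"""
    tok = shlex.split(line)
    rule = {"action": tok[0], "target": None, "cmd": None, "args": None}
    i = 1
    while tok[i] in OPTIONS:
        i += 1
    rule["ident"] = tok[i]
    i += 1
    if i < len(tok) and tok[i] == "as":
        rule["target"] = tok[i + 1]
        i += 2
    if i < len(tok) and tok[i] == "cmd":
        rule["cmd"] = tok[i + 1]
        i += 2
        if i < len(tok) and tok[i] == "args":
            rule["args"] = tok[i + 1:]  # [] means "must be run without arguments"
    return rule

def matches(rule, user, target, cmd, argv):
    if rule["ident"] != user:  # group identities (":wheel") are not modelled
        return False
    if rule["target"] is not None and rule["target"] != target:
        return False
    if rule["cmd"] is not None:
        if rule["cmd"] != cmd:
            return False
        # Without the args keyword any arguments pass; with it, exact match only.
        if rule["args"] is not None and rule["args"] != list(argv):
            return False
    return True

def decide(rules, user, target, cmd, argv):
    """The last matching rule determines the action; no match means deny."""
    last = None
    for rule in rules:
        if matches(rule, user, target, cmd, argv):
            last = rule
    return last is not None and last["action"] == "permit"

# Constructed sample configuration (users and commands are made up).
SAMPLE = """\
permit alice as root cmd /sbin/reboot args
permit alice as root cmd /usr/sbin/rcctl args restart httpd
permit nopass bob as root cmd /usr/bin/tail
deny bob as root cmd /usr/bin/tail args -f /etc/master.passwd
"""
RULES = [parse_rule(l) for l in SAMPLE.splitlines()]
```

In this model the third rule lets bob pass any switches to tail, which is the behaviour to audit for when a rule is meant to grant one specific invocation.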