Re: doas prompting for password in script

2016-12-20 Thread Stuart Henderson
On 2016-12-15, Ax0n  wrote:
> I don't know how doas is keeping track of a session.

It's using a kernel "verified auth" feature. See tty(4) :

   TIOCCHKVERAUTH void
   Check the verified auth status of this session.  The calling
   process must have the same real user ID and parent process as
   the process which called TIOCSETVERAUTH.  A zero return
   indicates success.



Re: doas prompting for password in script

2016-12-15 Thread jungle Boogie
On 15 December 2016 at 10:42, trondd  wrote:
> On Thu, December 15, 2016 12:28 pm, Ax0n wrote:
>> I don't know how doas is keeping track of a session. If it's by interactive
>> tty session only, that could cause problems with non-interactive scripts.
>> I'll let someone closer to the code answer that question.
>>
>
> It's tied to the shell.
>
> http://www.tedunangst.com/flak/post/doas-mastery
>
> "If you have multiple shell logins to a machine, each login will require
> authentication. Additionally, the authentication information includes the
> parent shell process ID. This means that executing doas again in a shell
> script will require authentication."
>


Ah, I knew I should have checked Ted's blog!



Re: doas prompting for password in script

2016-12-15 Thread trondd
On Thu, December 15, 2016 12:28 pm, Ax0n wrote:
> I don't know how doas is keeping track of a session. If it's by interactive
> tty session only, that could cause problems with non-interactive scripts.
> I'll let someone closer to the code answer that question.
>

It's tied to the shell.

http://www.tedunangst.com/flak/post/doas-mastery

"If you have multiple shell logins to a machine, each login will require
authentication. Additionally, the authentication information includes the
parent shell process ID. This means that executing doas again in a shell
script will require authentication."

> On Thu, Dec 15, 2016 at 11:25 AM, jungle Boogie 
> wrote:
>
>> On 15 December 2016 at 09:21, Ax0n  wrote:
>> > In -CURRENT, doas.conf has a "persist" keyword that will only prompt once
>> > per session. This isn't available in OpenBSD 6.0, but should work when 6.1
>> > is released. Here's a fairly minimal rule that would allow wheel group users
>> > to do whatever they want with doas after authenticating once:
>>
>> DOH! I forgot to mention that I'm running a snapshot from this morning.
>>
>> OpenBSD 6.0-current (GENERIC.MP) #38: Thu Dec 15 08:24:17 MST 2016
>> bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>>
>> my doas.conf:
>> permit persist :wheel
>> permit persist keepenv jungle as root
>>
>> With this, should I be re-prompted for the password?
>>
>>



Re: doas prompting for password in script

2016-12-15 Thread Ax0n
I don't know how doas is keeping track of a session. If it's by interactive
tty session only, that could cause problems with non-interactive scripts.
I'll let someone closer to the code answer that question.

On Thu, Dec 15, 2016 at 11:25 AM, jungle Boogie 
wrote:

> On 15 December 2016 at 09:21, Ax0n  wrote:
> > In -CURRENT, doas.conf has a "persist" keyword that will only prompt once
> > per session. This isn't available in OpenBSD 6.0, but should work when 6.1
> > is released. Here's a fairly minimal rule that would allow wheel group users
> > to do whatever they want with doas after authenticating once:
>
> DOH! I forgot to mention that I'm running a snapshot from this morning.
>
> OpenBSD 6.0-current (GENERIC.MP) #38: Thu Dec 15 08:24:17 MST 2016
> bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> my doas.conf:
> permit persist :wheel
> permit persist keepenv jungle as root
>
> With this, should I be re-prompted for the password?
>
>



Re: doas prompting for password in script

2016-12-15 Thread jungle Boogie
On 15 December 2016 at 09:21, Ax0n  wrote:
> In -CURRENT, doas.conf has a "persist" keyword that will only prompt once
> per session. This isn't available in OpenBSD 6.0, but should work when 6.1
> is released. Here's a fairly minimal rule that would allow wheel group users
> to do whatever they want with doas after authenticating once:

DOH! I forgot to mention that I'm running a snapshot from this morning.

OpenBSD 6.0-current (GENERIC.MP) #38: Thu Dec 15 08:24:17 MST 2016
bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

my doas.conf:
permit persist :wheel
permit persist keepenv jungle as root

With this, should I be re-prompted for the password?


-- 
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info



Re: doas prompting for password in script

2016-12-15 Thread Ax0n
For now, you may want to use the "nopass" keyword and set up
highly-restrictive rules. The last matching rule determines the action
taken, so you can have more general rules up top, and more specific ones
that don't require a password toward the end. For example, my wireless
network manager script relies on the ability to kill off the DHCP client
and do some other things with ifconfig.

permit nopass :wheel as root cmd /usr/bin/pkill args dhclient
permit nopass :wheel as root cmd /sbin/ifconfig
permit nopass :wheel as root cmd /sbin/dhclient

In -CURRENT, doas.conf has a "persist" keyword that will only prompt once
per session. This isn't available in OpenBSD 6.0, but should work when 6.1
is released. Here's a fairly minimal rule that would allow wheel group
users to do whatever they want with doas after authenticating once:

permit persist :wheel


On Thu, Dec 15, 2016 at 10:56 AM, jungle Boogie 
wrote:

> Hi All,
>
> Should I be prompted for a password during this scenario?
>
> $ doas date
> doas (jun...@openbsd.my.domain) password:
> Thu Dec 15 08:55:39 PST 2016
> $ ./date.sh
> doas (jun...@openbsd.my.domain) password:
> Thu Dec 15 08:55:46 PST 2016
>
> As you see, only seconds passed between the two commands and yet, I'm prompted
> for my password again.
>
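To make the "last matching rule wins" ordering advice above concrete, here is a toy evaluator (an added example, not doas's own code) that applies doas.conf's last-match semantics to the rules quoted in this post. The combined config, the user name jungle, the group set and the argument lists are constructed for illustration, and persist's per-shell session tracking is deliberately not modelled.

```python
import shlex

def parse_rule(line):
    # permit|deny [nopass|persist|keepenv|nolog ...] identity [as target] [cmd c [args ...]]
    tok = shlex.split(line)
    rule = {"action": tok[0], "opts": set(), "target": None, "cmd": None, "args": None}
    i = 1
    while i < len(tok) and tok[i] in ("nopass", "persist", "keepenv", "nolog"):
        rule["opts"].add(tok[i]); i += 1
    rule["ident"] = tok[i]; i += 1
    if i < len(tok) and tok[i] == "as":
        rule["target"] = tok[i + 1]; i += 2
    if i < len(tok) and tok[i] == "cmd":
        rule["cmd"] = tok[i + 1]; i += 2
        if i < len(tok) and tok[i] == "args":
            rule["args"] = tok[i + 1:]  # bare "args" means the command takes no arguments
    return rule

def matches(rule, user, groups, target, cmd, args):
    ident = rule["ident"]
    if ident.startswith(":"):
        if ident[1:] not in groups: return False
    elif ident != user: return False
    if rule["target"] and rule["target"] != target: return False
    if rule["cmd"]:
        if rule["cmd"] != cmd: return False                # cmd without args: any arguments
        if rule["args"] is not None and list(args) != rule["args"]: return False
    return True

def evaluate(conf, user, groups, target, cmd, args=()):
    """Return (action, options) of the LAST matching rule; no match at all means deny."""
    result = ("deny", set())
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            r = parse_rule(line)
            if matches(r, user, groups, target, cmd, args):
                result = (r["action"], r["opts"])
    return result

# Constructed config combining the rules from this post in the recommended order:
# the general rule up top, the specific nopass rules toward the end.
GOOD_CONF = """
permit persist :wheel
permit nopass :wheel as root cmd /usr/bin/pkill args dhclient
permit nopass :wheel as root cmd /sbin/ifconfig
permit nopass :wheel as root cmd /sbin/dhclient
"""
# Same rules with the general rule moved last: it now shadows the nopass rules.
BAD_CONF = "\n".join(GOOD_CONF.split("\n")[2:] + ["permit persist :wheel"])
```

With GOOD_CONF, `pkill dhclient` gets nopass while `pkill sshd` falls back to the persist rule (a password once per shell); with BAD_CONF even `ifconfig` prompts, because the general rule matches last.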



doas prompting for password in script

2016-12-15 Thread jungle Boogie
Hi All,

Should I be prompted for a password during this scenario?

$ doas date
doas (jun...@openbsd.my.domain) password:
Thu Dec 15 08:55:39 PST 2016
$ ./date.sh
doas (jun...@openbsd.my.domain) password:
Thu Dec 15 08:55:46 PST 2016

As you see, only seconds passed between the two commands and yet, I'm prompted
for my password again.

-- 
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info