Re: doas failsafe

[lists]

Figured out one can use an alias if the name of the command is
difficult to type to somebody, and the author of the software is the
one deciding how is the utility called. I have to think more instead of
posting.

 I don't think we need the wrapper, but a config-check mode like pfctl
 has could be very useful.

Interesting point for a configuration checker, seems very reasonable to
me too.

Re: doas failsafe

[lists]

so, why not type su rather than doas? I will not type doas. Do you?

Re: doas failsafe

[Chris Bennett]

On Tue, Jul 21, 2015 at 05:42:54PM +0300, li...@wrant.com wrote:
 doas is extremely foul to type, compared to sudo or su
 
 stop inventing reasons not to make it right first time
 

I don't know why you are sending so many foul messages to this list. I
have gotten to the point of not wanting to read any message from
li...@wrant.com. This is a serious mailing list. tech@openbsd.org and
ports@openbsd are for important diffs and important questions.

I don't like writing messages like this. I would like you to follow one
of these four options:

1. Contribute something useful. It doesn't matter if your diff fails to
meet approval.

2. Ask questions that actually contribute something to moving OpenBSD
forward. Developers and others less capable like myself, are trying to
contribute. Neither they nor I want to waste our time with your
bullshit.

3. Just read this mailing list and be quiet. No messages sent.

4. Worst or best option: Go away.

I hope you choose well.

Chris Bennett

Re: doas failsafe

[Karel Gardas]

On Tue, Jul 21, 2015 at 5:30 PM,  li...@wrant.com wrote:
 so, why not type su rather than doas? I will not type doas. Do you?

If doas supplies kind of sudo functionality than I would rather use it
instead of su and being root all the time. So yes, I will.

Re: doas failsafe

[Kent R. Spillner]

Your diff doesn't apply here, can you resend?

Re: doas failsafe

[lists]

 Your diff doesn't apply here, can you resend?

You can kiss anybody's ass. Are you traditionally ridiculing your
origin or the general state of software? Idiot.

Quit the crapping and do some real thinking and work actually.

Re: doas failsafe

[Manuel Giraud]

tekk t...@parlementum.net writes:

 I've never used a fully qualified path with doas and it works just fine.
 (doas mount, doas pkg_add, doas mg.) Do you mean in the config file
 or something? Requiring you to specify a full path on filtered commands
 or whatever? This may just be a recent change though, I only updated
 my system 2 days ago.

Ok my bad (again): as advised by the man page, I used an absolute path
as command in /etc/doas.conf:
   permit nopass :wheel cmd /sbin/mount
with this, I should doas /sbin/mount.

Changing to:
   permit nopass :wheel cmd mount
works as you said.
-- 
Manuel Giraud

Re: doas failsafe

[Theo de Raadt]

 Ability to define alias in the doas config file might be nice. Just
 like ssh with the ssh_config file.

I have always wanted a .lsrc file, which would allow me to override
the special options for ls, as well.  That's kind of what you are
talking about, right?

No, I think you are serious.

And so let's say code is written to support an alias.  And let's
say it has a bug.  It runs as setuid root.

Do you understand what happens next?

If you want software to do everything, eventually it will do everything
including what you cannot afford.

Re: doas failsafe

[ludovic coues]

2015-07-21 10:56 GMT+02:00 Theo de Raadt dera...@cvs.openbsd.org:
 Ability to define alias in the doas config file might be nice. Just
 like ssh with the ssh_config file.

 I have always wanted a .lsrc file, which would allow me to override
 the special options for ls, as well.  That's kind of what you are
 talking about, right?

 No, I think you are serious.

 And so let's say code is written to support an alias.  And let's
 say it has a bug.  It runs as setuid root.

 Do you understand what happens next?

 If you want software to do everything, eventually it will do everything
 including what you cannot afford.


To be honest, I haven't thought about what would happen if there is a bug.

The idea was to allow a set of key which would be replaced with
another value. Nothing more. I would call 'doas pkg' and doas would
work with /usr/sbin/pkg_add instead of pkg.

But it is a better idea to let the job of expand value to the shell.
Less code running with setuid root, the better.

Thanks for correcting me.

Re: doas failsafe

[Theo de Raadt]

 Less code running with setuid root, the better.

That is the entire point.

Re: doas failsafe

[tekk]

On Mon, Jul 20, 2015 at 11:58:34PM -0700, Manuel Giraud wrote:
 
 Ted Unangst t...@tedunangst.com writes:
 
  Manuel Giraud wrote:
  Hi,
  
  I've just shot myself in the foot after /etc/doas.conf tweaking. This
  patch adds a failsafe permit :wheel rule in case of syntax error. Is
  this safe enough? Should it be done elsewhere (with some kind of
  visudo)?
 
  I think the failsafe is run su. Since it is possible to configure doas to
  even less than permit :wheel this would in some cases be a fail
  open.
 
 You're right. I forgot about su and should have asked first. Another
 question before I give this a shot: doas requires an absolute path for
 command, is it feature or a behaviour that can be modified (i.e. I
 prefer to type doas mount instead of doas /sbin/mount)?
 -- 
 Manuel Giraud
 

I've never used a fully qualified path with doas and it works just fine.
(doas mount, doas pkg_add, doas mg.) Do you mean in the config file
or something? Requiring you to specify a full path on filtered commands
or whatever? This may just be a recent change though, I only updated
my system 2 days ago.

Re: doas failsafe

[Manuel Giraud]

Ted Unangst t...@tedunangst.com writes:

 Manuel Giraud wrote:
 Hi,
 
 I've just shot myself in the foot after /etc/doas.conf tweaking. This
 patch adds a failsafe permit :wheel rule in case of syntax error. Is
 this safe enough? Should it be done elsewhere (with some kind of
 visudo)?

 I think the failsafe is run su. Since it is possible to configure doas to
 even less than permit :wheel this would in some cases be a fail
 open.

You're right. I forgot about su and should have asked first. Another
question before I give this a shot: doas requires an absolute path for
command, is it feature or a behaviour that can be modified (i.e. I
prefer to type doas mount instead of doas /sbin/mount)?
-- 
Manuel Giraud

Re: doas failsafe

[ludovic coues]

2015-07-21 8:58 GMT+02:00 Manuel Giraud man...@ledu-giraud.fr:
 Ted Unangst t...@tedunangst.com writes:

 Manuel Giraud wrote:
 Hi,

 I've just shot myself in the foot after /etc/doas.conf tweaking. This
 patch adds a failsafe permit :wheel rule in case of syntax error. Is
 this safe enough? Should it be done elsewhere (with some kind of
 visudo)?

 I think the failsafe is run su. Since it is possible to configure doas to
 even less than permit :wheel this would in some cases be a fail
 open.

 You're right. I forgot about su and should have asked first. Another
 question before I give this a shot: doas requires an absolute path for
 command, is it feature or a behaviour that can be modified (i.e. I
 prefer to type doas mount instead of doas /sbin/mount)?

Ability to define alias in the doas config file might be nice. Just
like ssh with the ssh_config file.

-- 

Cordialement, Coues Ludovic
+336 148 743 42

Re: doas failsafe

[lists]

doas is extremely foul to type, compared to sudo or su

stop inventing reasons not to make it right first time

 once again, please ignore this if you are emotional

doas failsafe

[Manuel Giraud]

Hi,

I've just shot myself in the foot after /etc/doas.conf tweaking. This
patch adds a failsafe permit :wheel rule in case of syntax error. Is
this safe enough? Should it be done elsewhere (with some kind of
visudo)?

Index: doas.c
===
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.14
diff -u -p -u -r1.14 doas.c
--- doas.c  20 Jul 2015 01:04:37 -  1.14
+++ doas.c  20 Jul 2015 12:16:11 -
@@ -138,12 +138,13 @@ permit(uid_t uid, gid_t *groups, int ngr
return (*lastr)-action == PERMIT;
 }
 
-static void
+static int
 parseconfig(const char *filename)
 {
extern FILE *yyfp;
extern int yyparse(void);
struct stat sb;
+   int ret;
 
yyfp = fopen(filename, r);
if (!yyfp) {
@@ -158,8 +159,9 @@ parseconfig(const char *filename)
if (sb.st_uid != 0)
errx(1, %s is not owned by root, filename);
 
-   yyparse();
+   ret = yyparse();
fclose(yyfp);
+   return ret;
 }
 
 static int
@@ -201,7 +203,7 @@ copyenv(const char **oldenvp, struct rul
int ei;
int nsafe, nbad;
int nextras = 0;
-   
+
nbad = arraylen(badset);
if ((rule-options  KEEPENV)  !rule-envlist) {
size_t i, ii;
@@ -280,8 +282,18 @@ main(int argc, char **argv, char **envp)
int ngroups;
int i, ch;
int sflag = 0;
+   const char *safeident = :wheel;
 
-   parseconfig(/etc/doas.conf);
+   if (parseconfig(/etc/doas.conf) != 0) {
+   fprintf(stderr, using failsafe rule\n);
+   if (!(rules = reallocarray(rules, 1, sizeof(*rules
+   errx(1, can't allocate rules);
+   if (!(rules[0] = calloc(1, sizeof(struct rule
+   errx(1, can't allocate rule);
+   rules[0]-action = PERMIT;
+   rules[0]-ident = safeident;
+   nrules = 1;
+   }
 
while ((ch = getopt(argc, argv, su:)) != -1) {
switch (ch) {
Index: parse.y
===
RCS file: /cvs/src/usr.bin/doas/parse.y,v
retrieving revision 1.6
diff -u -p -u -r1.6 parse.y
--- parse.y 19 Jul 2015 22:11:41 -  1.6
+++ parse.y 20 Jul 2015 12:16:11 -
@@ -149,7 +149,7 @@ yyerror(const char *fmt, ...)
va_list va;
 
va_start(va, fmt);
-   verrx(1, fmt, va);
+   vwarnx(fmt, va);
 }
 
 struct keyword {

-- 
Manuel Giraud

Re: doas failsafe

[Ted Unangst]

Manuel Giraud wrote:
 Hi,
 
 I've just shot myself in the foot after /etc/doas.conf tweaking. This
 patch adds a failsafe permit :wheel rule in case of syntax error. Is
 this safe enough? Should it be done elsewhere (with some kind of
 visudo)?

I think the failsafe is run su. Since it is possible to configure doas to
even less than permit :wheel this would in some cases be a fail open.

Re: doas failsafe

[lists]

 I'm a lowly user but I ++ this, when testing out doas I did this a few
 times. allow : deny, permit : forbid

Is that you, Flynn?

Re: doas failsafe

[lists]

 I think the failsafe is run su.

Visudo(8) style wrapper for doas(1) that would respect the editor
preferences... is only a suggestion, no? We're 2015 here.

 Since it is possible to configure doas to
 even less than permit :wheel this would in some cases be a fail open.

I'm not sure how much exactly flak I'd get about this, but: is the
permit word specifically chosen in the DSL for this?

P.S. My opinion has zero value but why can't su(1) work this purpose?
Not trying to be funny just reasoning about the basics.

(I'm not anonymous).

Re: doas failsafe

[Ted Unangst]

li...@wrant.com wrote:
  I think the failsafe is run su.
 
 Visudo(8) style wrapper for doas(1) that would respect the editor
 preferences... is only a suggestion, no? We're 2015 here.

and vipf after that? there are countless config files, even more dangerous
than doas.conf, that you edit at your own peril.

  Since it is possible to configure doas to
  even less than permit :wheel this would in some cases be a fail open.
 
 I'm not sure how much exactly flak I'd get about this, but: is the
 permit word specifically chosen in the DSL for this?

there's not a of meaning behind permit, other than that it's a word that
seems appropriate.

 P.S. My opinion has zero value but why can't su(1) work this purpose?

The semantics of su are different in a couple and people seem to like using
sudo. Trying to share code with su risks muddying up that code and introducing
mistakes.

Re: doas failsafe

[lists]

   I think the failsafe is run su.
  
  Visudo(8) style wrapper for doas(1) that would respect the editor
  preferences... is only a suggestion, no? We're 2015 here.
 
 and vipf after that? there are countless config files, even more dangerous
 than doas.conf, that you edit at your own peril.

With respect, Ted, I hope it was clear the intention was to bring into
attention the inadequacy of the $visualsth concept as a means of
safety.
 
   Since it is possible to configure doas to
   even less than permit :wheel this would in some cases be a fail open.
  
  I'm not sure how much exactly flak I'd get about this, but: is the
  permit word specifically chosen in the DSL for this?
 
 there's not a of meaning behind permit, other than that it's a word that
 seems appropriate.

So why can't allow fit as opposite to deny? (normally silence means
no change in security model, hopefully).

Can we formalise the DSL, or read about it and prevent me from making
incoherent guesses?

  P.S. My opinion has zero value but why can't su(1) work this purpose?
 
 The semantics of su are different in a couple and people seem to like using
 sudo. Trying to share code with su risks muddying up that code and introducing
 mistakes.

Yet it may be the same feel place to be of something dealing with
who's what doing why when escalation. Please have others say about it,
I'm nobody of significance to suggest here.

Re: doas failsafe

[tekk]

On Mon, Jul 20, 2015 at 04:36:45PM -0700, lists wrote:
 So why can't allow fit as opposite to deny? (normally silence means
 no change in security model, hopefully).

I'm a lowly user but I ++ this, when testing out doas I did this a few
times. allow : deny, permit : forbid

Re: doas failsafe

[Stuart Henderson]

On 2015/07/20 19:18, Ted Unangst wrote:
 li...@wrant.com wrote:
   I think the failsafe is run su.
  
  Visudo(8) style wrapper for doas(1) that would respect the editor
  preferences... is only a suggestion, no? We're 2015 here.
 
 and vipf after that? there are countless config files, even more dangerous
 than doas.conf, that you edit at your own peril.

I don't think we need the wrapper, but a config-check mode like pfctl
has could be very useful.