Re: More useful: something like doasedit

2018-02-28 Thread Emille Blanc

On 28.02.2018 15:10, Ingo Schwarze wrote:
> Hi,
>
> Felix Maschek wrote on Wed, Feb 28, 2018 at 08:24:19PM +0100:
>
> > How would you prevent that something like 'doas vi /etc/fstab' (which
> > will run as root) doesn't offer the user to enter a root shell within vi
> > (by typing '.sh')?
>
> The sudo(8) utility has become able, over the decades, to do very
> complex things and supports fine granularity for assigning rights
> to administrators.  As a consequence, it has also become somewhat
> large and complicated.  As a consequence, Michael Lucas has become
> able to write a book about it and to hold tutorials about it at BSD
> conferences.
>
> The design goal of doas(1) is not to reproduce the full range
> of sudo(8) functionality, but to provide a smaller tool that
> is easier to maintain, use, and audit.  When writing it, it was
> intentional that tedu@ did not include doasedit(1) functionality -
> because providing selective editing capabilities of certain
> root-owned files to certain non-root administrators is among the
> things that can be considered complex, fine-grained control.
>
> During the Cambridge Hackathon, one OpenBSD developer actually
> implemented doasedit(1) nevertheless.  But the result was indeed
> complicated enough that committing it wasn't a no-brainer, several
> developers doubted whether we should have it at all, and nobody
> tried very hard to hammer the diff into a form that might meet
> consensus for commit.
>
> The question comes up now and again, but not all that often...
>
> Yours,
>   Ingo


I've run into this more than a few times, but found it's easier to just 
set up sudo for the few cases where needed as a supplement to doas for 
those cases.
I appreciate the idea of leaving the complexity of sudo where it is, 
and keeping doas neat and tidy.
Otherwise, the hardest part in living with doas so far is coping with 
muscle memory.  'sudo something' always comes out first, other times 
'doas -e /file', both of which make me feel stupid for a brief moment. 
But that's my problem, not doas'.




Re: More useful: something like doasedit

2018-02-28 Thread Ingo Schwarze

Hi,

Felix Maschek wrote on Wed, Feb 28, 2018 at 08:24:19PM +0100:

> How would you prevent that something like 'doas vi /etc/fstab' (which 
> will run as root) doesn't offer the user to enter a root shell within vi 
> (by typing '.sh')?

The sudo(8) utility has become able, over the decades, to do very
complex things and supports fine granularity for assigning rights
to administrators.  As a consequence, it has also become somewhat
large and complicated.  As a consequence, Michael Lucas has become
able to write a book about it and to hold tutorials about it at BSD
conferences.

The design goal of doas(1) is not to reproduce the full range
of sudo(8) functionality, but to provide a smaller tool that
is easier to maintain, use, and audit.  When writing it, it was
intentional that tedu@ did not include doasedit(1) functionality -
because providing selective editing capabilities of certain
root-owned files to certain non-root administrators is among the
things that can be considered complex, fine-grained control.

During the Cambridge Hackathon, one OpenBSD developer actually
implemented doasedit(1) nevertheless.  But the result was indeed
complicated enough that committing it wasn't a no-brainer, several
developers doubted whether we should have it at all, and nobody
tried very hard to hammer the diff into a form that might meet
consensus for commit.

The question comes up now and again, but not all that often...

Yours,
  Ingo



Re: More useful: something like doasedit (was: Utility to safely edit doas.conf)

2018-02-28 Thread Felix Maschek

Hi,

possibly there is only some missing enlightenment for me.

How would you prevent that something like 'doas vi /etc/fstab' (which 
will run as root) doesn't offer the user to enter a root shell within vi 
(by typing '.sh')?


You may direct me to appropriate man pages.

Thank you!

Kind regards
Felix

On 28.02.2018 19:32, Michael Price wrote:
Perhaps I am just dense, but what problem does sudoedit solve that is not
easily solved with groups and chmod?

Michael

On Wed, Feb 28, 2018 at 12:57 PM Felix Maschek wrote:



Hi,

to prevent privilege escalation by allowing 'sudo vi' (simple by
invoking a shell from within vi) there is a special command 'sudoedit'.

So far I can see this is missing currently if I use doas instead of
sudo.

So adding a similar command is more helpful to secure a system than
special editors for every config file.

Kind regards
Felix

On 28.02.2018 18:22, Frans Haarman wrote:
> I've wondered about the usefulness of something like 'rcctl edit
> bgpd' and a bgpd_conf=/etc/bgpd.conf in rc.conf.
>
> Together with a 'rcctl clone' creating rc.d/bgpd symlink and
> rc.conf.local flags.
>
> Might make it easier running multiple of the same daemons?
>
> Add more cool stuff later like 'rcctl edit bgpd commit' and 'rcctl edit
> bgpd confirm'.
>
> Just wondering out loud now :)
>
> Regards,
> Frans
>
> On Wednesday, 28 February 2018, Theo de Raadt wrote:
>> Yeah.
>>
>> And I suppose we also need separate programs for all the other files
>> in /etc?
>>
>> Such as visysctl.conf, vivm.conf, vigroup, vishells, virc.conf.local,
>> visshd, vissh, etc
>>
>> After all, someone could create unsafe configurations, and lots of
>> handholding is needed everywhere, yes?
>>
>> I'm sorry, but I disagree.  The tooling already exists to let you do
>> this carefully.  It is up to people to use their brains. And your
>> script doesn't have any locking, so it is still error prone.
>>
>> I really don't see the point of these wrappers.
>>
>>> The following is a shell script to safely edit /etc/doas.conf so that
>>> you avoid locking yourself out with a bad config. I managed to do this
>>> myself, so thought it might be useful to a wider audience.
>>>
>>> It is inspired by the 'visudo' tool: it copies doas.conf to a
>>> temporary directory then opens it in vi. When you exit vi it checks the
>>> format of the config file, and if it passes then it will overwrite the
>>> original one then delete the copy. If it fails a warning is shown, and
>>> the file is re-opened for editing.
>>>
>>> It will not create /etc/doas.conf if it does not already exist (I
>>> could add a separate warning for this if needed).
>>>
>>> diff -u /dev/null usr.bin/doas/vidoas
>>> --- /dev/null2018-02-22 08:14:04.607259461 +
>>> +++ usr.bin/doas/vidoas2018-02-28 15:50:35.358895700 +
>>> @@ -0,0 +1,36 @@
>>> +#!/bin/sh
>>> +
>>> +# $OpenBSD$
>>> +#
>>> +# Copyright (c) 2018 Anthony Perkins 
>>> +#
>>> +# Permission to use, copy, modify, and distribute this software for
>>> any
>>> +# purpose with or without fee is hereby granted, provided that the
>>> above
>>> +# copyright notice and this permission notice appear in all copies.
>>> +#
>>> +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
> WARRANTIES
>>> +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
>>> +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE
>>> LIABLE FOR
>>> +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
>>> DAMAGES
>>> +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
>>> AN
>>> +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
>>> OUT OF
>>> +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
>>> +
>>> +doasconf=/etc/doas.conf
>>> +tempfile=$(mktemp -t doas. || exit 1)
>>> +if [ -w $doasconf ]; then
>>> +cp $doasconf $tempfile
>>> +vi $tempfile
>>> +while ! doas -C $tempfile; do
>>> +echo "Press Enter to retry, Ctrl-C to abort."
>>> +read
>>> +vi $tempfile
>>> +done
>>> +if doas -C $tempfile; then
>>> +cp -f $tempfile $doasconf
>>> +rm -f $tempfile
>>> +fi
>>> +else
>>> +echo "$doasconf is not writable by this user."
>>> +exit 1
>>> +fi
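Review bot: the '|| exit 1' inside 'tempfile=$(mktemp -t doas. || exit 1)' terminates only the command-substitution subshell, so when mktemp fails the script carries on with an empty $tempfile instead of stopping; move the check outside the substitution: 'tempfile=$(mktemp -t doas.) || exit 1'. In the same hunk, the 'while ! doas -C $tempfile' loop ends only once the check passes, so the following 'if doas -C $tempfile; then' re-runs a check that cannot fail and can be dropped, and nothing deletes the temporary copy when the user aborts at the "Ctrl-C to abort" prompt, which leaves a copy of doas.conf behind in the temp directory; a 'trap "rm -f $tempfile" EXIT' near the top would cover both the abort and the error paths. Theo's remark about locking also shows here: two administrators running this at once each copy the same original, and whichever 'cp -f $tempfile $doasconf' runs last silently discards the other's edit.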
>>> diff -u /dev/null usr.bin/doas/vidoas.1
>>> --- /dev/null2018-02-22 08:14:04.607259461 +
>>> +++ usr.bin/doas/vidoas.12018-02-28 15:31:20.825930370 +
>>> @@ -0,0 +1,44 @@
>>> +.\" $OpenBSD$
>>> +.\"
>>> +.\"Copyright (c) 2018 Anthony Perkins 
>>> +.\"
>>> +.\"Permission to use, copy, modify, and distribute this software for
>>> any
>>> +.\"purpose with or without fee is hereby granted, provided that the
>>> above
>>> +.\"copyright notice and this permission notice appear in all copies.
>>> +.\"
>>> +.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
> WARRANTIES
>>> +.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
>>> +.\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE
>>> LIABLE
> FOR
>>> +.\"ANY SPECIAL, DIRECT,
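An added example (not the vidoas script quoted above, nor code from doas or sudo) of the doasedit-style separation Felix asks about: the editor runs unprivileged on a private copy, the copy is validated before it is written back, and only a non-interactive read and write ever go through the privilege tool, so a shell escape from the editor yields the caller's shell rather than root's. The privedit name, the PRIV variable (doas by default) and the optional validator argument are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread, from doas(1) or from sudoedit:
# a doasedit-style wrapper.  The editor runs with the caller's own
# privileges on a private copy, and only two small non-interactive steps
# (read the file, write it back) go through the privilege tool, so a shell
# escape from the editor lands in the caller's shell, not root's.
# Assumptions: PRIV is the elevation command (doas by default) and the
# optional second argument validates the copy before write-back (for
# doas.conf that would be "doas -C", as in the thread's script).
PRIV=${PRIV:-doas}

privedit() {
    conf=$1
    check=$2
    # Private copy in the caller's temp dir: mode 0600, owned by the caller.
    tmp=$(mktemp "${TMPDIR:-/tmp}/privedit.XXXXXXXXXX") || return 1
    # Privileged read; cat's output lands in a file the caller already owns.
    if ! $PRIV cat "$conf" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    before=$(cksum < "$tmp")
    rc=1
    while :; do
        ${EDITOR:-vi} "$tmp"                    # unprivileged: caller's uid
        if [ "$(cksum < "$tmp")" = "$before" ]; then
            echo "$conf: unchanged, nothing written" >&2; rc=0; break
        fi
        # Validate the copy before anything touches the live file.
        if [ -z "$check" ] || $check "$tmp"; then
            # Privileged write-back through tee: the target keeps its inode,
            # owner and mode, and root never runs an interactive program.
            $PRIV tee "$conf" < "$tmp" > /dev/null && rc=0
            break
        fi
        echo "$conf: validation failed; Enter to re-edit, Ctrl-C to abort" >&2
        read _dummy || break                    # EOF: give up, target untouched
    done
    rm -f "$tmp"
    return $rc
}

# Usage: privedit /etc/doas.conf "doas -C"
if [ $# -gt 0 ]; then
    privedit "$@"
fi
```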

Re: More useful: something like doasedit (was: Utility to safely edit doas.conf)

2018-02-28 Thread Michael Price
Perhaps I am just dense, but what problem does sudoedit solve that is not
easily solved with groups and chmod?

Michael
