Re: More useful: something like doasedit (was: Utility to safely edit doas.conf)

2018-02-28 Thread Felix Maschek

Hi,

possibly there is only some missing enlightenment for me.

How would you prevent that something like 'doas vi /etc/fstab' (which 
will run as root) doesn't offer the user to enter a root shell within vi 
(by typing '.sh')?


You may direct me to appropriate man pages.

Thank you!

Kind regards
Felix

On 28.02.2018 19:32, Michael Price wrote:
Perhaps I am just dense, but what problem does sudoedit solve that is not
easily solved with groups and chmod?

Michael

On Wed, Feb 28, 2018 at 12:57 PM Felix Maschek wrote:

Hi,

to prevent privilege escalation by allowing 'sudo vi' (simply by
invoking a shell from within vi) there is a special command 'sudoedit'.

So far I can see this is missing currently if I use doas instead of sudo.

So adding a similar command is more helpful to secure a system than
special editors for every config file.

Kind regards
Felix

On 28.02.2018 18:22, Frans Haarman wrote:
> I've wondered about the usefulness of something like 'rcctl edit bgpd'
> and a bgpd_conf=/etc/bgpd.conf in rc.conf.
>
> Together with a 'rcctl clone' creating rc.d/bgpd symlink and
> rc.conf.local flags.
>
> Might make it easier running multiple of the same daemons?
>
> Add more cool stuff later like 'rcctl edit bgpd commit' and 'rcctl edit
> bgpd confirm'.
>
> Just wondering out loud now :)
>
> Regards,
> Frans
>
> On Wednesday, 28 February 2018, Theo de Raadt wrote the following:
>> Yeah.
>>
>> And I suppose we also need separate programs for all the other files
>> in /etc?
>>
>> Such as visysctl.conf, vivm.conf, vigroup, vishells, virc.conf.local,
>> visshd, vissh, etc
>>
>> After all, someone could create unsafe configurations, and lots of
>> handholding is needed everywhere, yes?
>>
>> I'm sorry, but I disagree.  The tooling already exists to let you do
>> this carefully.  It is up to people to use their brains. And your
>> script doesn't have any locking, so it is still error prone.
>>
>> I really don't see the point of these wrappers.
>>
>>> The following is a shell script to safely edit /etc/doas.conf so that
>>> you avoid locking yourself out with a bad config. I managed to do this
>>> myself, so thought it might be useful to a wider audience.
>>>
>>> It is inspired by the 'visudo' tool: it copies doas.conf to a temporary
>>> directory then opens it in vi. When you exit vi it checks the format of
>>> the config file, and if it passes then it will overwrite the original
>>> one then delete the copy. If it fails a warning is shown, and the file
>>> is re-opened for editing.
>>>
>>> It will not create /etc/doas.conf if it does not already exist (I could
>>> add a separate warning for this if needed).
>>>
>>> diff -u /dev/null usr.bin/doas/vidoas
>>> --- /dev/null2018-02-22 08:14:04.607259461 +
>>> +++ usr.bin/doas/vidoas2018-02-28 15:50:35.358895700 +
>>> @@ -0,0 +1,36 @@
>>> +#!/bin/sh
>>> +
>>> +# $OpenBSD$
>>> +#
>>> +# Copyright (c) 2018 Anthony Perkins 
>>> +#
>>> +# Permission to use, copy, modify, and distribute this software for
>>> any
>>> +# purpose with or without fee is hereby granted, provided that the
>>> above
>>> +# copyright notice and this permission notice appear in all copies.
>>> +#
>>> +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
> WARRANTIES
>>> +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
>>> +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE
>>> LIABLE FOR
>>> +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
>>> DAMAGES
>>> +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
>>> AN
>>> +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
>>> OUT OF
>>> +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
>>> +
>>> +doasconf=/etc/doas.conf
>>> +tempfile=$(mktemp -t doas. || exit 1)
>>> +if [ -w $doasconf ]; then
>>> +cp $doasconf $tempfile
>>> +vi $tempfile
>>> +while ! doas -C $tempfile; do
>>> +echo "Press Enter to retry, Ctrl-C to abort."
>>> +read
>>> +vi $tempfile
>>> +done
>>> +if doas -C $tempfile; then
>>> +cp -f $tempfile $doasconf
>>> +rm -f $tempfile
>>> +fi
>>> +else
>>> +echo "$doasconf is not writable by this user."
>>> +exit 1
>>> +fi
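
Review bot: In `tempfile=$(mktemp -t doas. || exit 1)` the `exit 1` runs inside the command substitution's subshell, so a failed mktemp does not stop the script and it continues with an empty $tempfile. Move the check outside the substitution, e.g. `tempfile=$(mktemp -t doas.) || exit 1`. The temp file is also created before the `[ -w $doasconf ]` test, so the not-writable branch exits without removing it; create it inside the `if`, or install a trap that removes it on exit. The $tempfile and $doasconf expansions should be quoted throughout.
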
>>> diff -u /dev/null usr.bin/doas/vidoas.1
>>> --- /dev/null2018-02-22 08:14:04.607259461 +
>>> +++ usr.bin/doas/vidoas.12018-02-28 15:31:20.825930370 +
>>> @@ -0,0 +1,44 @@
>>> +.\" $OpenBSD$
>>> +.\"
>>> +.\"Copyright (c) 2018 Anthony Perkins 
>>> +.\"
>>> +.\"Permission to use, copy, modify, and distribute this software for
>>> any
>>> +.\"purpose with or without fee is hereby granted, provided that the
>>> above
>>> +.\"copyright notice and this permission notice appear in all copies.
>>> +.\"
>>> +.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
> WARRANTIES
>>> +.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
>>> +.\"MERCHANTABILITY AND 
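
The sudoedit pattern raised in this message, applied to doas as an added example (not part of the thread and not OpenBSD code): only reading and installing the file go through doas, while the editor, and any shell started from it, runs as the calling user on a private copy. The function name safe_edit and the PRIV and CHECK variables are hypothetical, and the example assumes the doas rules permit the cat and cp invocations shown.

```shell
#!/bin/sh
# Added example: sudoedit-style editing with doas.
# Hypothetical names: safe_edit, PRIV (elevation command, default "doas"),
# CHECK (optional validator, e.g. "doas -C" for doas.conf as in the patch).

safe_edit() {
    target=$1
    priv=${PRIV-doas}        # PRIV="" disables elevation (useful for testing)
    editor=${EDITOR:-vi}

    tmp=$(mktemp "${TMPDIR:-/tmp}/safe_edit.XXXXXXXXXX") || return 1

    # Privileged step 1: only cat runs elevated, writing into the caller's copy.
    if ! $priv cat -- "$target" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    before=$(cksum < "$tmp")

    # Unprivileged step: a shell escape from the editor yields the caller's
    # own shell, not a root shell.
    $editor "$tmp" || { rm -f "$tmp"; return 1; }

    if [ "$(cksum < "$tmp")" = "$before" ]; then
        rm -f "$tmp"         # nothing changed, nothing to install
        return 0
    fi

    # Validate before touching the real file; keep the edits on failure.
    if [ -n "${CHECK:-}" ] && ! $CHECK "$tmp"; then
        echo "validation failed, edits kept in $tmp" >&2
        return 2
    fi

    # Privileged step 2: copy into the existing file (keeps its owner and
    # mode) and remove the temp copy only if the copy succeeded.
    $priv cp -- "$tmp" "$target" && rm -f "$tmp"
}
```

The in-place cp is not atomic and takes no lock, so it does not address the locking objection raised earlier in the thread.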

Re: More useful: something like doasedit (was: Utility to safely edit doas.conf)

2018-02-28 Thread Michael Price
Perhaps I am just dense, but what problem does sudoedit solve that is not
easily solved with groups and chmod?

Michael

On Wed, Feb 28, 2018 at 12:57 PM Felix Maschek wrote:

> Hi,
>
> to prevent privilege escalation by allowing 'sudo vi' (simply by
> invoking a shell from within vi) there is a special command 'sudoedit'.
> So far I can see this is missing currently if I use doas instead of
> sudo.
>
> So adding a similar command is more helpful to secure a system than
> special editors for every config file.
>
> Kind regards
> Felix
>
> On 28.02.2018 18:22, Frans Haarman wrote:
> > I've wondered about the usefulness of something like 'rcctl edit bgpd'
> > and a bgpd_conf=/etc/bgpd.conf in rc.conf.
> >
> > Together with a 'rcctl clone' creating rc.d/bgpd symlink and
> > rc.conf.local flags.
> >
> > Might make it easier running multiple of the same daemons?
> >
> > Add more cool stuff later like 'rcctl edit bgpd commit' and 'rcctl edit
> > bgpd confirm'.
> >
> > Just wondering out loud now :)
> >
> > Regards,
> > Frans
> >
> > On Wednesday, 28 February 2018, Theo de Raadt wrote the following:
> >> Yeah.
> >>
> >> And I suppose we also need separate programs for all the other files
> >> in /etc?
> >>
> >> Such as visysctl.conf, vivm.conf, vigroup, vishells, virc.conf.local,
> >> visshd, vissh, etc
> >>
> >> After all, someone could create unsafe configurations, and lots of
> >> handholding is needed everywhere, yes?
> >>
> >> I'm sorry, but I disagree.  The tooling already exists to let you do
> >> this carefully.  It is up to people to use their brains. And your
> >> script doesn't have any locking, so it is still error prone.
> >>
> >> I really don't see the point of these wrappers.
> >>
> >>> The following is a shell script to safely edit /etc/doas.conf so that
> >>> you avoid locking yourself out with a bad config. I managed to do this
> >>> myself, so thought it might be useful to a wider audience.
> >>>
> >>> It is inspired by the 'visudo' tool: it copies doas.conf to a temporary
> >>> directory then opens it in vi. When you exit vi it checks the format of
> >>> the config file, and if it passes then it will overwrite the original
> >>> one then delete the copy. If it fails a warning is shown, and the file
> >>> is re-opened for editing.
> >>>
> >>> It will not create /etc/doas.conf if it does not already exist (I could
> >>> add a separate warning for this if needed).
> >>>
> >>> diff -u /dev/null usr.bin/doas/vidoas
> >>> --- /dev/null2018-02-22 08:14:04.607259461 +
> >>> +++ usr.bin/doas/vidoas2018-02-28 15:50:35.358895700 +
> >>> @@ -0,0 +1,36 @@
> >>> +#!/bin/sh
> >>> +
> >>> +# $OpenBSD$
> >>> +#
> >>> +# Copyright (c) 2018 Anthony Perkins 
> >>> +#
> >>> +# Permission to use, copy, modify, and distribute this software for
> >>> any
> >>> +# purpose with or without fee is hereby granted, provided that the
> >>> above
> >>> +# copyright notice and this permission notice appear in all copies.
> >>> +#
> >>> +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
> > WARRANTIES
> >>> +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> >>> +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE
> >>> LIABLE FOR
> >>> +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
> >>> DAMAGES
> >>> +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
> >>> AN
> >>> +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
> >>> OUT OF
> >>> +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> >>> +
> >>> +doasconf=/etc/doas.conf
> >>> +tempfile=$(mktemp -t doas. || exit 1)
> >>> +if [ -w $doasconf ]; then
> >>> +cp $doasconf $tempfile
> >>> +vi $tempfile
> >>> +while ! doas -C $tempfile; do
> >>> +echo "Press Enter to retry, Ctrl-C to abort."
> >>> +read
> >>> +vi $tempfile
> >>> +done
> >>> +if doas -C $tempfile; then
> >>> +cp -f $tempfile $doasconf
> >>> +rm -f $tempfile
> >>> +fi
> >>> +else
> >>> +echo "$doasconf is not writable by this user."
> >>> +exit 1
> >>> +fi
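
Review bot: The install step near the end, `cp -f $tempfile $doasconf` followed by `rm -f $tempfile`, never checks whether cp succeeded, so a failed or partial copy still deletes the only copy of the edits and can leave /etc/doas.conf damaged. Chain the two as `cp -f "$tempfile" "$doasconf" && rm -f "$tempfile"`, or write a new file beside doas.conf and rename it into place. The surrounding `if doas -C $tempfile` is redundant, because the `while ! doas -C $tempfile` loop only exits once the check has passed. Nothing in the script takes a lock, so two concurrent runs overwrite each other without warning.
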
> >>> diff -u /dev/null usr.bin/doas/vidoas.1
> >>> --- /dev/null2018-02-22 08:14:04.607259461 +
> >>> +++ usr.bin/doas/vidoas.12018-02-28 15:31:20.825930370 +
> >>> @@ -0,0 +1,44 @@
> >>> +.\" $OpenBSD$
> >>> +.\"
> >>> +.\"Copyright (c) 2018 Anthony Perkins 
> >>> +.\"
> >>> +.\"Permission to use, copy, modify, and distribute this software for
> >>> any
> >>> +.\"purpose with or without fee is hereby granted, provided that the
> >>> above
> >>> +.\"copyright notice and this permission notice appear in all copies.
> >>> +.\"
> >>> +.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
> > WARRANTIES
> >>> +.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> >>> +.\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE
> >>> LIABLE
> > FOR
> >>> +.\"ANY SPECIAL,