Re: doas failsafe
Figured out one can use an alias if the name of the command is difficult to type to somebody, and the author of the software is the one deciding how is the utility called. I have to think more instead of posting. I don't think we need the wrapper, but a config-check mode like pfctl has could be very useful. Interesting point for a configuration checker, seems very reasonable to me too.
Re: doas failsafe
so, why not type su rather than doas? I will not type doas. Do you?
Re: doas failsafe
On Tue, Jul 21, 2015 at 05:42:54PM +0300, li...@wrant.com wrote: doas is extremely foul to type, compared to sudo or su stop inventing reasons not to make it right first time I don't know why you are sending so many foul messages to this list. I have gotten to the point of not wanting to read any message from li...@wrant.com. This is a serious mailing list. tech@openbsd.org and ports@openbsd are for important diffs and important questions. I don't like writing messages like this. I would like you to follow one of these four options: 1. Contribute something useful. It doesn't matter if your diff fails to meet approval. 2. Ask questions that actually contribute something to moving OpenBSD forward. Developers and others less capable like myself, are trying to contribute. Neither they nor I want to waste our time with your bullshit. 3. Just read this mailing list and be quiet. No messages sent. 4. Worst or best option: Go away. I hope you choose well. Chris Bennett
Re: doas failsafe
On Tue, Jul 21, 2015 at 5:30 PM, li...@wrant.com wrote: so, why not type su rather than doas? I will not type doas. Do you? If doas supplies kind of sudo functionality than I would rather use it instead of su and being root all the time. So yes, I will.
Re: doas failsafe
Your diff doesn't apply here, can you resend?
Re: doas failsafe
Your diff doesn't apply here, can you resend? You can kiss anybody's ass. Are you traditionally ridiculing your origin or the general state of software? Idiot. Quit the crapping and do some real thinking and work actually.
Re: doas failsafe
tekk t...@parlementum.net writes: I've never used a fully qualified path with doas and it works just fine. (doas mount, doas pkg_add, doas mg.) Do you mean in the config file or something? Requiring you to specify a full path on filtered commands or whatever? This may just be a recent change though, I only updated my system 2 days ago. Ok my bad (again): as advised by the man page, I used an absolute path as command in /etc/doas.conf: permit nopass :wheel cmd /sbin/mount with this, I should doas /sbin/mount. Changing to: permit nopass :wheel cmd mount works as you said. -- Manuel Giraud
Re: doas failsafe
Ability to define alias in the doas config file might be nice. Just like ssh with the ssh_config file. I have always wanted a .lsrc file, which would allow me to override the special options for ls, as well. That's kind of what you are talking about, right? No, I think you are serious. And so let's say code is written to support an alias. And let's say it has a bug. It runs as setuid root. Do you understand what happens next? If you want software to do everything, eventually it will do everything including what you cannot afford.
Re: doas failsafe
2015-07-21 10:56 GMT+02:00 Theo de Raadt dera...@cvs.openbsd.org: Ability to define alias in the doas config file might be nice. Just like ssh with the ssh_config file. I have always wanted a .lsrc file, which would allow me to override the special options for ls, as well. That's kind of what you are talking about, right? No, I think you are serious. And so let's say code is written to support an alias. And let's say it has a bug. It runs as setuid root. Do you understand what happens next? If you want software to do everything, eventually it will do everything including what you cannot afford. To be honest, I haven't thought about what would happen if there is a bug. The idea was to allow a set of key which would be replaced with another value. Nothing more. I would call 'doas pkg' and doas would work with /usr/sbin/pkg_add instead of pkg. But it is a better idea to let the job of expand value to the shell. Less code running with setuid root, the better. Thanks for correcting me.
Re: doas failsafe
Less code running with setuid root, the better. That is the entire point.
Re: doas failsafe
On Mon, Jul 20, 2015 at 11:58:34PM -0700, Manuel Giraud wrote: Ted Unangst t...@tedunangst.com writes: Manuel Giraud wrote: Hi, I've just shot myself in the foot after /etc/doas.conf tweaking. This patch adds a failsafe permit :wheel rule in case of syntax error. Is this safe enough? Should it be done elsewhere (with some kind of visudo)? I think the failsafe is run su. Since it is possible to configure doas to even less than permit :wheel this would in some cases be a fail open. You're right. I forgot about su and should have asked first. Another question before I give this a shot: doas requires an absolute path for command, is it feature or a behaviour that can be modified (i.e. I prefer to type doas mount instead of doas /sbin/mount)? -- Manuel Giraud I've never used a fully qualified path with doas and it works just fine. (doas mount, doas pkg_add, doas mg.) Do you mean in the config file or something? Requiring you to specify a full path on filtered commands or whatever? This may just be a recent change though, I only updated my system 2 days ago.
Re: doas failsafe
Ted Unangst t...@tedunangst.com writes: Manuel Giraud wrote: Hi, I've just shot myself in the foot after /etc/doas.conf tweaking. This patch adds a failsafe permit :wheel rule in case of syntax error. Is this safe enough? Should it be done elsewhere (with some kind of visudo)? I think the failsafe is run su. Since it is possible to configure doas to even less than permit :wheel this would in some cases be a fail open. You're right. I forgot about su and should have asked first. Another question before I give this a shot: doas requires an absolute path for command, is it feature or a behaviour that can be modified (i.e. I prefer to type doas mount instead of doas /sbin/mount)? -- Manuel Giraud
Re: doas failsafe
2015-07-21 8:58 GMT+02:00 Manuel Giraud man...@ledu-giraud.fr: Ted Unangst t...@tedunangst.com writes: Manuel Giraud wrote: Hi, I've just shot myself in the foot after /etc/doas.conf tweaking. This patch adds a failsafe permit :wheel rule in case of syntax error. Is this safe enough? Should it be done elsewhere (with some kind of visudo)? I think the failsafe is run su. Since it is possible to configure doas to even less than permit :wheel this would in some cases be a fail open. You're right. I forgot about su and should have asked first. Another question before I give this a shot: doas requires an absolute path for command, is it feature or a behaviour that can be modified (i.e. I prefer to type doas mount instead of doas /sbin/mount)? Ability to define alias in the doas config file might be nice. Just like ssh with the ssh_config file. -- Cordialement, Coues Ludovic +336 148 743 42
Re: doas failsafe
doas is extremely foul to type, compared to sudo or su stop inventing reasons not to make it right first time once again, please ignore this if you are emotional
Re: doas failsafe
Manuel Giraud wrote: Hi, I've just shot myself in the foot after /etc/doas.conf tweaking. This patch adds a failsafe permit :wheel rule in case of syntax error. Is this safe enough? Should it be done elsewhere (with some kind of visudo)? I think the failsafe is run su. Since it is possible to configure doas to even less than permit :wheel this would in some cases be a fail open.
Re: doas failsafe
I'm a lowly user but I ++ this, when testing out doas I did this a few times. allow : deny, permit : forbid Is that you, Flynn?
Re: doas failsafe
I think the failsafe is run su. Visudo(8) style wrapper for doas(1) that would respect the editor preferences... is only a suggestion, no? We're 2015 here. Since it is possible to configure doas to even less than permit :wheel this would in some cases be a fail open. I'm not sure how much exactly flak I'd get about this, but: is the permit word specifically chosen in the DSL for this? P.S. My opinion has zero value but why can't su(1) work this purpose? Not trying to be funny just reasoning about the basics. (I'm not anonymous).
Re: doas failsafe
li...@wrant.com wrote: I think the failsafe is run su. Visudo(8) style wrapper for doas(1) that would respect the editor preferences... is only a suggestion, no? We're 2015 here. and vipf after that? there are countless config files, even more dangerous than doas.conf, that you edit at your own peril. Since it is possible to configure doas to even less than permit :wheel this would in some cases be a fail open. I'm not sure how much exactly flak I'd get about this, but: is the permit word specifically chosen in the DSL for this? there's not a of meaning behind permit, other than that it's a word that seems appropriate. P.S. My opinion has zero value but why can't su(1) work this purpose? The semantics of su are different in a couple and people seem to like using sudo. Trying to share code with su risks muddying up that code and introducing mistakes.
Re: doas failsafe
I think the failsafe is run su. Visudo(8) style wrapper for doas(1) that would respect the editor preferences... is only a suggestion, no? We're 2015 here. and vipf after that? there are countless config files, even more dangerous than doas.conf, that you edit at your own peril. With respect, Ted, I hope it was clear the intention was to bring into attention the inadequacy of the $visualsth concept as a means of safety. Since it is possible to configure doas to even less than permit :wheel this would in some cases be a fail open. I'm not sure how much exactly flak I'd get about this, but: is the permit word specifically chosen in the DSL for this? there's not a of meaning behind permit, other than that it's a word that seems appropriate. So why can't allow fit as opposite to deny? (normally silence means no change in security model, hopefully). Can we formalise the DSL, or read about it and prevent me from making incoherent guesses? P.S. My opinion has zero value but why can't su(1) work this purpose? The semantics of su are different in a couple and people seem to like using sudo. Trying to share code with su risks muddying up that code and introducing mistakes. Yet it may be the same feel place to be of something dealing with who's what doing why when escalation. Please have others say about it, I'm nobody of significance to suggest here.
Re: doas failsafe
On Mon, Jul 20, 2015 at 04:36:45PM -0700, lists wrote: So why can't allow fit as opposite to deny? (normally silence means no change in security model, hopefully). I'm a lowly user but I ++ this, when testing out doas I did this a few times. allow : deny, permit : forbid
Re: doas failsafe
On 2015/07/20 19:18, Ted Unangst wrote: li...@wrant.com wrote: I think the failsafe is run su. Visudo(8) style wrapper for doas(1) that would respect the editor preferences... is only a suggestion, no? We're 2015 here. and vipf after that? there are countless config files, even more dangerous than doas.conf, that you edit at your own peril. I don't think we need the wrapper, but a config-check mode like pfctl has could be very useful.