On Sat, Jul 25, 2015 at 07:25:07AM -0400, Michael Reed wrote:
> Hi Jason,
>
> I've left replies inline and a new patch at the bottom with the
> following changes:
> - dropped the subjective wording and markup changes
> - dropped su.1 change
>
not committing anything because i specifically want a developer to
confirm one part of this (the keepenv bit), but i'll note below what
parts i think are ok:
> On 07/25/15 03:58, Jason McIntyre wrote:
> >> The default is root.
> >> .El
> >> +.Sh FILES
> >> +.Bl -tag -width
> >> /etc/doas.conff
> >> +.It Pa /etc/doas.conf
> >> +configuration file
> >> +.El
> > again it's correct, but doesn;t really add anything.>
>
> Most every utility I looked through which used a configuration file in
> /etc/ had an entry for it in FILES. I figure it's more obvious than a
> comparatively small mention in SEE ALSO.
>
i'm sorry, i'm not adding it.
> >> Index: src/usr.bin/doas/doas.conf.5
> >> ===================================================================
> >> RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v
> >> retrieving revision 1.11
> >> diff -u -p -r1.11 doas.conf.5
> >> --- src/usr.bin/doas/doas.conf.5 23 Jul 2015 15:26:37 -0000 1.11
> >> +++ src/usr.bin/doas/doas.conf.5 25 Jul 2015 03:16:26 -0000
> >> @@ -57,27 +57,32 @@ The default is to reset the environment,
> >> .Ev USER
> >> and
> >> .Ev USERNAME .
> >> -.It Ic keepenv { Oo variable names Oc Ic }
> >> -Reset the environment, but keep the space-separated specified variables.
> >> +.It Ic keepenv { Oo Ar variable ... Oc Ic }
> >> +In addition to the variables mentioned above, keep the space-separated
> >> +specified variables.
> >
> > is that correct? is there no way to totally reset your environment
> > keeping only stuff you specify?
>
> I couldn't manage to get around that:
>
> ~ $ cat /etc/doas.conf
> permit keepenv { PKG_PATH CVSROOT } :wheel
> ~ $ doas env
> Password:
> DISPLAY=:0
> HOME=/home/michael
> LOGNAME=michael
> MAIL=/var/mail/michael
> PATH=...
> TERM=st-256color
> USER=michael
> PKG_PATH=...
> CVSROOT=...
> ~ $
>
this is the bit i would like some confirmation of.
>
> >> The default is root.
> >> .It Ic cmd Ar command
> >> -The command the user is allowed or denied to run.
> >> +The command the user is allowed or prohibited to run.
> >
> > why this?
>
> Denied sounds like it's already happened, where as I find `prohibited'
> to be more clearly an opposite of `allowed'.
>
deny is also the keyword in the config file, and something writ large in
our pages. it is clear.
> >> .El
> >> .Pp
> >> The last matching rule determines the action taken.
> >> @@ -109,7 +114,9 @@ variables
> >> .Ev PS1 ,
> >> and
> >> .Ev SSH_AUTH_SOCK ,
> >> -and additionally permits tedu to run procmap as root without a password.
> >> +and additionally permits tedu to run
> >> +.Xr procmap 1
> >> +as root without a password.
> >
> > well it's not as if it helps to refer the reader to the procmap page.
> > again it's not wrong, it just doesn;t feel like it adds anything helpful
>
> Eh, it's admittedly not that helpful, but I don't see any downside to
> it; it makes it clear that procmap(1) is a utility, which seem to be
> marked up like above consistently in the tree.
>
i'm not adding markup unless it makes sense.
>
> Anyways, new (smaller) diff is below.
>
> Regards,
> Michael
>
>
> Index: doas.1
> ===================================================================
> RCS file: /cvs/src/usr.bin/doas/doas.1,v
> retrieving revision 1.10
> diff -u -p -r1.10 doas.1
> --- doas.1 21 Jul 2015 17:49:33 -0000 1.10
> +++ doas.1 25 Jul 2015 11:19:15 -0000
> @@ -44,10 +44,17 @@ Execute the shell from
> or
> .Pa /etc/passwd .
> .It Fl u Ar user
> -Execute the command as
> +Execute
> +.Ar command
> +as
> .Ar user .
no
> The default is root.
> .El
> +.Sh FILES
> +.Bl -tag -width /etc/doas.conff
> +.It Pa /etc/doas.conf
> +configuration file
> +.El
no
> .Sh EXIT STATUS
> .Ex -std doas
> It may fail for one of the following reasons:
> @@ -65,6 +72,7 @@ The password was incorrect.
> The actual program is absent or not executable.
> .El
> .Sh SEE ALSO
> +.Xr su 1 ,
yes
> .Xr doas.conf 5
> .Sh HISTORY
> The
> Index: doas.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v
> retrieving revision 1.11
> diff -u -p -r1.11 doas.conf.5
> --- doas.conf.5 23 Jul 2015 15:26:37 -0000 1.11
> +++ doas.conf.5 25 Jul 2015 11:19:15 -0000
> @@ -57,18 +57,20 @@ The default is to reset the environment,
> .Ev USER
> and
> .Ev USERNAME .
> -.It Ic keepenv { Oo variable names Oc Ic }
> -Reset the environment, but keep the space-separated specified variables.
> +.It Ic keepenv { Oo Ar variable ... Oc Ic }
> +In addition to the variables mentioned above, keep the space-separated
> +specified variables.
yes, if an obsd developer confirms
> .El
> .It Ar identity
> The username to match.
> -Groups may be specified by prepending a colon (:).
> +Groups may be specified by prepending a colon
> +.Pq Sq \&: .
yes
> Numeric IDs are also accepted.
> .It Ic as Ar target
> The target user the running user is allowed to run the command as.
> The default is root.
> .It Ic cmd Ar command
> -The command the user is allowed or denied to run.
> +The command the user is allowed or prohibited to run.
no
> The default is all commands.
> Be advised that it's best to specify absolute paths.
> .It Ic args ...
> @@ -109,7 +111,9 @@ variables
> .Ev PS1 ,
> and
> .Ev SSH_AUTH_SOCK ,
> -and additionally permits tedu to run procmap as root without a password.
> +and additionally permits tedu to run
> +.Xr procmap 1
> +as root without a password.
no
> .Bd -literal -offset indent
> # Non-exhaustive list of variables needed to
> # build release(8) and ports(7)
>
i do appreciate the mail - diffs are always welcome. but with markup i
just find myslef less inclined to mark up everything because i can. it's
only my opinion.
jmc
