On 26 July 2015 at 14:43, "Marc Espie" <es...@nerim.net> wrote:
>
> On Sun, Jul 26, 2015 at 02:27:55PM +0300, Vadim Zhukov wrote:
> > 2015-07-26 14:15 GMT+03:00 Marc Espie <es...@nerim.net>:
> > >
> > > I don't think it falls on the side of bloat, and it's a pretty nifty 
> > > option
> > > to sudo...
> > >
> > >
> > > Index: doas.1
> > > ===================================================================
> > > RCS file: /build/data/openbsd/cvs/src/usr.bin/doas/doas.1,v
> > > retrieving revision 1.10
> > > diff -u -p -r1.10 doas.1
> > > --- doas.1      21 Jul 2015 17:49:33 -0000      1.10
> > > +++ doas.1      26 Jul 2015 11:13:52 -0000
> > > @@ -21,7 +21,7 @@
> > >  .Nd execute commands as another user
> > >  .Sh SYNOPSIS
> > >  .Nm doas
> > > -.Op Fl s
> > > +.Op Fl ns
> > >  .Op Fl C Ar config
> > >  .Op Fl u Ar user
> > >  .Ar command
> > > @@ -38,6 +38,10 @@ Parse and check the configuration file
> > >  .Ar config ,
> > >  then exit.
> > >  No command is executed.
> > > +.It Fl n
> > > +Non interactive mode, fail if
> > > +.Nm
> > > +would prompt for password.
> > >  .It Fl s
> > >  Execute the shell from
> > >  .Ev SHELL
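Review bot: the new -n entry reads awkwardly and should say what happens instead of what is avoided: "Non-interactive mode: fail without prompting if doas would ask for a password." (hyphenate "Non-interactive"). It is also worth stating here that a rule with nopass is unaffected, since the check in doas.c only applies on the path where a password would be requested.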
> > > Index: doas.c
> > > ===================================================================
> > > RCS file: /build/data/openbsd/cvs/src/usr.bin/doas/doas.c,v
> > > retrieving revision 1.21
> > > diff -u -p -r1.21 doas.c
> > > --- doas.c      24 Jul 2015 06:36:42 -0000      1.21
> > > +++ doas.c      26 Jul 2015 11:13:52 -0000
> > > @@ -295,9 +295,10 @@ main(int argc, char **argv, char **envp)
> > >         int ngroups;
> > >         int i, ch;
> > >         int sflag = 0;
> > > +       int nflag = 0;
> > >
> > >         uid = getuid();
> > > -       while ((ch = getopt(argc, argv, "C:su:")) != -1) {
> > > +       while ((ch = getopt(argc, argv, "C:nsu:")) != -1) {
> > >                 switch (ch) {
> > >                 case 'C':
> > >                         setresuid(uid, uid, uid);
> > > @@ -307,6 +308,9 @@ main(int argc, char **argv, char **envp)
> > >                         if (parseuid(optarg, &target) != 0)
> > >                                 errx(1, "unknown user");
> > >                         break;
> > > +               case 'n':
> > > +                       nflag = 1;
> > > +                       break;
> > >                 case 's':
> > >                         sflag = 1;
> > >                         break;
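Review bot: the hunks shown add 'n' to the getopt string and the switch, but none of them touches a usage string; if doas prints one on bad arguments, -n needs to be listed there alongside -s so the synopsis in doas.1 and the program agree. The case itself, with nflag = 1 and break, mirrors the existing 's' case and is fine.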
> > > @@ -361,7 +365,7 @@ main(int argc, char **argv, char **envp)
> > >         }
> > >
> > >         if (!(rule->options & NOPASS)) {
> > > -               if (!auth_userokay(myname, NULL, NULL, NULL)) {
> > > +               if (nflag || !auth_userokay(myname, NULL, NULL, NULL)) {
> > >                         syslog(LOG_AUTHPRIV | LOG_NOTICE,
> > >                             "failed password for %s", myname);
> > >                         fail();
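Review bot: with -n set, this branch logs "failed password for %s" to LOG_AUTHPRIV although no password was ever attempted, because `nflag ||` short-circuits before auth_userokay() is called; an auditor reading the auth log will count it as a bad-password event. Keep the two cases apart: test nflag first and exit with its own message, e.g. `if (nflag) errx(1, "a password is required");` (or a distinct syslog line such as "password required for %s, non-interactive"), and leave the existing `if (!auth_userokay(...))` block for the real authentication failure. Placing the -n check inside the `!(rule->options & NOPASS)` branch is correct, since nopass rules must keep running without a prompt.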
> >
> >
> > Can't this be achieved with "doas -C /etc/doas.conf command ..." and
> > checking if doas will print "permit nopass", as it's done in "Check if
> > command is permitted by doas" thread on xxxxxxxx@? I see you want to
> > fail later rather than sooner, though...
> >
>
> Possibly. What's the point? That's one sudo option that takes about zero
> code to emulate 100%. So why not?

Do we want one more ls-like synopsis? :)

More seriously, what's your use case? I can see this option being needed when
you misconfigure sudo/doas and have some event-driven script trying to
read a password from stdin. But doas:

1) doesn't use cookies, so you can always be sure that if it
didn't request a password before, it won't do it later either, unless you
change the config, the current user or his groups, of course.

2) can test whether a command will be run without a password prompt. The latter
lets you check not only manually, but also from
update-my-doas-conf wrappers. But you can redirect </dev/null for
tests, of course...

So what's the root problem you're solving with -n? Maybe something
better than an -n flag could be constructed? I'm not strongly
objecting to the idea, just want to understand the whole picture first.

--
Vadim Zhukov
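The alternative Vadim describes above, written out as an added example (not code from the thread or from doas itself): a wrapper that gives "sudo -n" behaviour on top of an unpatched doas by asking `doas -C` for the verdict first and feeding /dev/null to any prompt. The config path, the exact verdict words printed by -C and its exit status on deny are assumptions, and the `fake_doas` function is a constructed stand-in so the script runs on a machine without doas.

```shell
#!/bin/sh
# Added example, not from the thread or from doas: emulate "sudo -n" using
# only the behaviour discussed above.
#   * "doas -C config command ..." parses the config, prints the verdict for
#     that command ("permit", "permit nopass" or "deny") and exits without
#     running anything (wording and exit status are assumptions here).
#   * stdin from /dev/null makes a password prompt fail at once instead of
#     leaving an event-driven script hanging on a tty read.

DOAS_CONF=${DOAS_CONF:-/etc/doas.conf}   # assumed location of the config
DOAS_CMD=${DOAS_CMD:-doas}               # binary (or function) to invoke

# doas_check CMD [ARGS...]: print the verdict doas -C gives for this caller.
# -C drops privileges before parsing, so the caller must be able to read
# $DOAS_CONF; if it cannot, the result looks like a deny.
doas_check() {
    "$DOAS_CMD" -C "$DOAS_CONF" "$@" </dev/null
}

# doas_verdict CMD [ARGS...]
#   returns 0  would run without a password prompt
#   returns 1  would run, but doas would ask for a password
#   returns 2  denied, unreadable config, or an unexpected answer from -C
doas_verdict() {
    doas_verdict_out=$(doas_check "$@") || true   # -C exits non-zero on deny
    case "$doas_verdict_out" in
        "permit nopass") return 0 ;;
        permit)          return 1 ;;
        *)               return 2 ;;
    esac
}

# run_noninteractive CMD [ARGS...]: the sudo -n emulation. Only invoke doas
# when no prompt can happen; otherwise fail early with a distinct status.
run_noninteractive() {
    rn_rc=0
    doas_verdict "$@" || rn_rc=$?
    case $rn_rc in
        0) "$DOAS_CMD" "$@" </dev/null ;;
        1) echo "doas -n: password required for: $*" >&2; return 1 ;;
        *) echo "doas -n: permission denied for: $*" >&2; return 2 ;;
    esac
}

# Constructed stand-in used when no doas binary is available. It answers -C
# the way doas would for a config such as:
#     permit nopass :wheel cmd ls
#     permit :wheel cmd pkg_add
fake_doas() {
    if [ "$1" = -C ]; then
        shift 2
        case "$1" in
            ls)      echo "permit nopass" ;;
            pkg_add) echo "permit" ;;
            *)       echo "deny"; return 1 ;;
        esac
    else
        echo "would run as root: $*"
    fi
}

command -v "$DOAS_CMD" >/dev/null 2>&1 || DOAS_CMD=fake_doas

for cmd in ls pkg_add reboot; do
    run_noninteractive "$cmd" || echo "status $? for $cmd" >&2
done
```

The caveat that matters for scripted use is visible in the patch: the `-C` case calls setresuid(uid, uid, uid) before anything else, so the verdict is computed without privileges and a config the caller cannot read is indistinguishable from a deny. The wrapper therefore fails closed (status 2) in that case rather than attempting the command.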
