On 2019/01/22 21:46, Ted Unangst wrote:
> The persist feature in doas (actually the kernel side implementation) has some
> additional checks. The idea was to prevent accidental usage, but in practice
> it seems this is making life more difficult than necessary. It's cost without
> benefit. This diff relaxes the session checks so it should be possible to use
> doas in ports building, etc.

Fixing this would be very welcome and would stop some ports users from either
running with nopass or continuing to use sudo. But it doesn't help:

configure doas to use persist
set SUDO=doas in mk.conf
cd /usr/ports/math/moo # example simple/quick port
make reinstall

Here you're asked for your password twice.

> Index: tty_tty.c > =================================================================== > RCS file: /cvs/src/sys/kern/tty_tty.c,v > retrieving revision 1.24 > diff -u -p -r1.24 tty_tty.c > --- tty_tty.c 2 May 2018 02:24:56 -0000 1.24 > +++ tty_tty.c 23 Jan 2019 02:45:08 -0000 > @@ -128,17 +128,12 @@ cttyioctl(dev_t dev, u_long cmd, caddr_t > return 0; > case TIOCCHKVERAUTH: > /* > - * It's not clear when or what these checks are for. > - * How can we reach this code with a differnt ruid? > - * The ppid check is also more porous than desired. > - * Nevertheless, the checks reflect the original intention; > - * namely, that it be the same user using the same shell. > + * Check that we are the same user that set verauth. > */ > sess = p->p_p->ps_pgrp->pg_session; > - if (sess->s_verauthuid == p->p_ucred->cr_ruid && > - sess->s_verauthppid == p->p_p->ps_pptr->ps_pid) > - return 0; > - return EPERM; > + if (sess->s_verauthuid != p->p_ucred->cr_ruid) > + return EPERM; > + return 0; > } > return (VOP_IOCTL(ttyvp, cmd, addr, flag, NOCRED, p)); > } >
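
Review bot: the new comment in the TIOCCHKVERAUTH case, "Check that we are the same user that set verauth", does not record that the parent-pid binding is being dropped on purpose. With the `sess->s_verauthppid == p->p_p->ps_pptr->ps_pid` comparison gone, the ruid match is the only condition left in this case, so any process in the session running as that user passes the check. Suggest the comment say that explicitly (same ruid anywhere in the session, parent pid deliberately not compared), since the removed comment was the only place the "same user using the same shell" intent was written down. Nothing in this hunk reads `s_verauthppid` any more; if no other code does, remove the field and its assignment in the same diff rather than leaving a dead member in the session struct. The reply above reports that `make reinstall` with SUDO=doas still asks for the password twice, so it is worth checking whether the two prompts come from processes in different sessions, which this check keyed on `pg_session` would not cover.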
