On 2023-02-02, Jon Fineman wrote:
> I was following the doas.conf example in
> <https://man.openbsd.org/OpenBSD-6.0/man5/doas.conf.5>
>
> Specially I added the below:
> permit nopass setenv { \
> FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \
> DESTD
I was following the doas.conf example in
<https://man.openbsd.org/OpenBSD-6.0/man5/doas.conf.5>
Specially I added the below:
permit nopass setenv { \
FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \
DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \
MULTI_PA
On 2019-04-05, Dumitru Moldovan wrote:
> Also, if you need to edit files in /etc, do it with a minimal editor
> from the base system, like vi, not with a full-blown GUI application.
Or copy to a temporary file, run the editor as your user, and copy back.
With sudo there's "sudoedit" that automate
On Fri, Apr 05, 2019 at 10:10:52AM -0400, Bruno Dantas wrote:
There are a handful of GUI applications (file manager, text editor,
terminal emulator) that I go back and forth between running as regular
user and running with doas root.
[…]
Running GUI applications as root is a bad idea in genera
> This is the Unix way.
Thank you, Dumitru. All excellent points. Bad habits from
imposed-Windows-at-work die hard, even for a Unix and OpenBSD lover. I
will try to follow your advice. In the meantime, at least doas is now
configured so that applications don't go berserk when I have relapses.
Ope
of doas. In case it saves someone some trouble,
here is the summary of the problem and solution, worded in a way that
can be copy/pasted into /etc/examples/doas.conf and/or faq10.html:
--
This /etc/doas.conf works as expected for most CLI applications
(specifically, those that either don&
On Oct 31 10:42, Markus Rosjat wrote:
> at this point you are a bit screwed because you can't edit the doas.conf, you
> can't reboot, your only way seems to be a switch off. Ok maybe there are other ways
> but hey I'm no pro, I'm a simple user and it's a vm so switch it off. Boot in
> single
c. Yes there's no
direct analogue to visudo(8) but it's perfectly possible to lock
yourself out of sudo access even with a correctly formatted /etc/sudoers
file, and visudo will happily let you shoot yourself in the foot that
way. With the sudoers(5) man page clocking in at about 20x the s
Stuart Henderson wrote:
> On 2018-10-31, Markus Rosjat wrote:
> > just something I noticed while trying out stuff with doas and my python
> > scripts. If you make a mistake and have a syntax error in the doas.conf
> > file you can easily lock yourself out from root privi
On 10/31/18 10:42 AM, Markus Rosjat wrote:
...
doas vi /etc/doas.conf
# Edit in vi
:w
:! doas -C %
You don't even have to leave your editor
On 2018-10-31, Markus Rosjat wrote:
> just something I noticed while trying out stuff with doas and my python
> scripts. If you make a mistake and have a syntax error in the doas.conf
> file you can easily lock yourself out from root privileges :(
If you aren't sure about a chang
Hi Bruno,
On 31.10.2018 at 12:23, Bruno Flueckiger wrote:
On 31.10.18 10:42, Markus Rosjat wrote:
Losing ten minutes time because of a mistake you've made all by yourself
made you write this useless mail. Imagine how many times you could have
read the man page of doas(8) and find out that there
On 31.10.18 10:42, Markus Rosjat wrote:
> Hi all,
>
> just something I noticed while trying out stuff with doas and my python
> scripts. If you make a mistake and have a syntax error in the doas.conf
> file you can easily lock yourself out from root privileges :(
>
> conside
Hi
On 31.10.2018 at 10:52, Consus wrote:
Well, that's why we have sudoedit. With doas you are forced to
$ doas cp -p /etc/doas.conf /etc/doas.conf.new
$ doas vi /etc/doas.conf.new
$ doas -C /etc/doas.conf.new
$ doas mv /etc/doas.conf.new /etc/doas.conf
On 10:42 Wed 31 Oct, Markus Rosjat wrote:
> Hi all,
>
> just something I noticed while trying out stuff with doas and my python
> scripts. If you make a mistake and have a syntax error in the doas.conf file
> you can easily lock yourself out from root privileges :(
>
> conside
Hi all,
just something I noticed while trying out stuff with doas and my python
scripts. If you make a mistake and have a syntax error in the doas.conf
file you can easily lock yourself out from root privileges :(
consider a case where your root has no pw, you are the guy in the
wheel group
Hello,
I didn't know, when to reply, I have to specify CC address as misc@openbsd.org.
I'm so sorry.
Best regards,
Hajime Edakawa
-- Forwarded message -
From: Hajime Edakawa
Date: Thu, Sep 13, 2018, 3:12
Subject: Re: doas.conf(5) question: when password required
To:
On 2018-09-12, Hajime Edakawa wrote:
> Hello to all,
>
> I am sorry to say that I could not understand this behavior intuitively.
>
> $ id -Gn
> hajime wheel
> $ cat /etc/doas.conf
> permit nopass hajime as root cmd mg # A
> permit keepenv :wheel # B
Hello to all,
I am sorry to say that I could not understand this behavior intuitively.
$ id -Gn
hajime wheel
$ cat /etc/doas.conf
permit nopass hajime as root cmd mg # A
permit keepenv :wheel # B
$ doas mg /etc/doas.conf # no password, ok.
...
$
But,
$ id -Gn
Thus said Theo De Raadt on Tue, 27 Mar 2018 22:19:42 -0600
That may hint to people it should be the default.
And it should not be.
That's a very valid point that I can't fault. The documentation is
simple and concise, and after further review, I see it already lists
many config options.
P
t use examples. If the examples become a crutch, it argues that
the examples should be deleted.
> Now that doas.conf supports the persist keyword, I suggest adding it to
> the /etc/examples/doas.conf file.
>
> The persist keyword was added in OpenBSD 6.1:
> https://www.openbsd.org/6
Hi All,
Now that doas.conf supports the persist keyword, I suggest adding it to
the /etc/examples/doas.conf file.
The persist keyword was added in OpenBSD 6.1:
https://www.openbsd.org/61.html
https://man.openbsd.org/doas.conf.5#persist
http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout
On Tue, 13 Sep 2016 10:28:56 -0400
Eike Lantzsch wrote:
> On Tuesday, 13 September 2016 06:46:04 PYT jungle Boogie wrote:
> > On 13 September 2016 at 05:55, Eike Lantzsch
> > wrote:
> > > but in man doas.conf of 6.0 Release it is not mentioned and using
> > >
On Tuesday, 13 September 2016 06:46:04 PYT jungle Boogie wrote:
> On 13 September 2016 at 05:55, Eike Lantzsch wrote:
> > but in man doas.conf of 6.0 Release it is not mentioned and using that
> > option rightly results in a syntax error if used.
>
> It's not in -r
On 13 September 2016 at 05:55, Eike Lantzsch wrote:
> but in man doas.conf of 6.0 Release it is not mentioned and using that option
> rightly results in a syntax error if used.
It's not in -release.
If you take a look here:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/doa
permit persist :wheel
This rule recreates the common sudo configuration of requiring a password for
wheel users the first time a command is run. "
but in man doas.conf of 6.0 Release it is not mentioned and using that option
rightly results in a syntax error if used.
My question: It seems
A recent change to doas allowed using SETENV blocks in the config file. This
had a side effect of making = a special character. If your doas.conf file
contains = characters (such as for command args) they'll need to be quoted.
On Mon, Apr 04, 2016 at 08:08:19AM +0100, Jason McIntyre wrote:
>
> it is a bit inconsistent, yes.
>
> it is very much less readable with a line break. you could remove the
> offset, but that doesn't look great either. you could specify a smaller
> offset and juggle the actual text a bit.
>
> th
On Mon, Apr 04, 2016 at 12:26:50AM +0200, Tim van der Molen wrote:
> Philip Guenther (2016-04-01 23:47 +0200):
> > Sooo close. To quote doas.conf(5):
> >
> > The rules have the following format:
> >
> >permit|deny [options] identi
Philip Guenther (2016-04-01 23:47 +0200):
> Sooo close. To quote doas.conf(5):
>
> The rules have the following format:
>
>permit|deny [options] identity [as target] [cmd command [args ...]]
...
> 'args' is *literal* there, so the correct confi
On Fri, Apr 01, 2016 at 02:47:42PM -0700, Philip Guenther wrote:
[snip]
> Sooo close. To quote doas.conf(5):
>
[snip]
> 'args' is *literal* there, so the correct config line would be
> permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd
>
H
see doas.conf(5):
args ... Arguments to command. If specified, the command arguments
provided by the user need to match for the command to be
successful. Specifying args alone means that command should
be run without any arguments
On Fri, Apr 1, 2016 at 2:33 PM, Tor Houghton wrote:
> Now that sudo is out of base, I am wondering -- do I need to add it again,
> or does doas.conf allow for specifying commands with arguments?
>
> Obviously not like this (doas doesn't like that), but akin to:
>
>
Hi,
Now that sudo is out of base, I am wondering -- do I need to add it again,
or does doas.conf allow for specifying commands with arguments?
Obviously not like this (doas doesn't like that), but akin to:
permit nopass support as root cmd /usr/sbin/rcctl restart ntpd
I don'
Sebastian John wrote:
> Hello,
>
> I used sudo with some expressions in sudoers like:
>
> foo ALL=NOPASSWD: /bin/bar -a [a-zA-Z][a-zA-Z][a-zA-Z]
>
> This matches commands like „/bin/bar abc" for example.
>
>
>
> I try in doas.conf:
>
>
> pe
Hello,
I used sudo with some expressions in sudoers like:
foo ALL=NOPASSWD: /bin/bar -a [a-zA-Z][a-zA-Z][a-zA-Z]
This matches commands like „/bin/bar abc" for example.
I try in doas.conf:
permit nopass foo as root cmd /bin/bar args -a [a-zA-Z][a-zA-Z][a-zA-Z]
but this does not
On Fri, Jul 31, 2015 at 03:14:44PM +0200, Hikari Boulders wrote:
> Yes, this is resolved. But isn't it still an inconsistency with the line
>
> The last matching rule determines the action taken.
>
> from doas.conf(5)? It seems to me that if you specify a line permittin
he docs, and I have no reason to
believe otherwise, it should certainly not say "as root", but rather
"as anyone".
This was resolved by tedu@'s most recent commit to doas.conf.5:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/doas/doas.conf.5.diff?r1=1.12&r2=1.1
How would you phrase things if it wasn't the case ?..
> >
> >As indicated above I would probably write something like "as root and
> >every other user" instead of simply "as root".
>
> Assuming you are properly quoting the docs, and I have no reason to
>
On July 27, 2015 3:22:13 PM GMT+02:00, Theo Buehler wrote:
>On Mon, Jul 27, 2015 at 03:13:55PM +0200, Marc Espie wrote:
>> On Mon, Jul 27, 2015 at 02:40:53PM +0200, Theo Buehler wrote:
>>
>> > So omitting [as identity] allows me to run as every user, not just
>as
>> > root? Is this intentional?
On Mon, Jul 27, 2015 at 03:13:55PM +0200, Marc Espie wrote:
> On Mon, Jul 27, 2015 at 02:40:53PM +0200, Theo Buehler wrote:
>
> > So omitting [as identity] allows me to run as every user, not just as
> > root? Is this intentional?
>
> I think it's intentional. It's definitely what I would expect
On Mon, Jul 27, 2015 at 02:40:53PM +0200, Theo Buehler wrote:
> So omitting [as identity] allows me to run as every user, not just as
> root? Is this intentional?
I think it's intentional. It's definitely what I would expect [as identity]
is a restrictive modifier. If you want to only be able to
I'm not sure whether this is a misunderstanding on my side or a bug.
Suppose I have the following /etc/doas.conf
$ cat /etc/doas.conf
permit nopass theo cmd /usr/bin/touch args /tmp/doastest/foo
I would expect from the excerpt
as target    The target user the running user is allow
You have to have a newline at the end of the config file.
On Wed, Jul 22 03:48:16 2015 GMT+0200, Ed Ahlsen-Girard wrote:
> There seems to be no sample configuration file for doas. It complains
> of not being enabled, and the man pages do not say how to do that.
>
> --
>
> Edward Ahlsen-Girard
On Tue, Jul 21, 2015 at 08:48:16PM -0500, Ed Ahlsen-Girard wrote:
> There seems to be no sample configuration file for doas. It complains
> of not being enabled, and the man pages do not say how to do that.
To `enable' doas(1), you need to have an `/etc/doas.conf' file. It must
There seems to be no sample configuration file for doas. It complains
of not being enabled, and the man pages do not say how to do that.
--
Edward Ahlsen-Girard
Ft Walton Beach, FL
46 matches