Hello,
Looking around in /etc/examples/ I felt like some of those files aren't
as "verbose" as others. For example doas.conf
doas.conf(5) contains more EXAMPLES than /etc/examples/doas.conf
Please let me know if there is a preferred way.
1/ document EXAMPLES in the manpage, only have examples config file for
daemon? (The relayd.conf example file is very verbose in comparison,
which don't get me wrong is a very good thing)
2/ or try to keep both aligned and consistent (they always point to each
other but yes one change in the EXAMPLES of a manpage could also
require a change in the example config file) so we could argue it's
duplicating the effort.
And there's probably a middle ground that could be found as well.
I don't know if anyone has a strong opinion or recommendations.
So if that makes sense for you, please find attached a patch for
examples/doas.conf adding the main examples from doas.conf(5) and
bsd.port.mk(5).
Also a quick patch for doas.conf(5) to use an absolute path as
recommended.
Cheers,
--
clematis (0x7e96fd2400fe7b59)
Index: doas.conf
===================================================================
RCS file: /cvs/src/etc/examples/doas.conf,v
retrieving revision 1.1
diff -u -p -r1.1 doas.conf
--- doas.conf 3 Sep 2016 11:58:32 -0000 1.1
+++ doas.conf 25 Apr 2020 16:43:14 -0000
@@ -12,3 +12,28 @@
# Allow wheel by default
permit keepenv :wheel
+
+# Allow user aja to install packages from a prefered mirror via pkg_add(1)
+permit persist setenv { PKG_CACHE PKG_PATH } aja cmd /usr/sbin/pkg_add
+
+# Allow group wheel to execute commands as any user while keeping the
+# environment variables PS1 and SSH_AUTH_SOCK and unsetting ENV
+permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
+
+# Allow user tedu to run procmap(1) as root without a password
+permit nopass tedu as root cmd /usr/sbin/procmap
+
+# Allow root to run unrestricted commands as itself while retaining the
+# original PATH
+permit nopass keepenv setenv { PATH } root as root
+
+# Allow user solene to execute commands as BUILD_USER and FETCH_USER and
+# to run privileged commands without entering a password.
+# See bsd.port.mk(5)
+permit keepenv nopass solene as _pbuild
+permit keepenv nopass solene as _pfetch
+permit nopass solene cmd /usr/bin/touch
+permit nopass setenv { TRUSTED_PKG_PATH TERM } solene cmd \
+ /usr/sbin/pkg_add
+permit nopass setenv { TERM } solene cmd /usr/sbin/pkg_delete
+
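Review bot: the added `permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel` line comes after the existing `permit keepenv :wheel`, and because doas applies the last matching rule, it replaces the file's current default for wheel as soon as someone copies this file to /etc/doas.conf. The new rules are also live rather than commented out, so that copy would carry `nopass` grants for tedu and solene and a `persist` grant for aja on any system where those logins exist. I would add them as commented-out examples, or state at the top of the file that they must be edited before use. Smaller points: "prefered" in the pkg_add comment should be "preferred", and the trailing blank line added at the end of the file can go.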
Index: doas.conf.5
===================================================================
RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v
retrieving revision 1.42
diff -u -p -r1.42 doas.conf.5
--- doas.conf.5 10 Feb 2020 13:18:20 -0000 1.42
+++ doas.conf.5 25 Apr 2020 16:46:11 -0000
@@ -133,7 +133,7 @@ permits tedu to run procmap as root with
and additionally permits root to run unrestricted commands as itself
while retaining the original PATH.
.Bd -literal -offset indent
-permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add
+permit persist setenv { PKG_CACHE PKG_PATH } aja cmd /usr/sbin/pkg_add
permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
permit nopass tedu as root cmd /usr/sbin/procmap
permit nopass keepenv setenv { PATH } root as root
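Review bot: the changed aja line needs a log message that states the reason, since "as recommended" in the cover mail does not say where the recommendation comes from: the cmd description in this same manual advises absolute paths because a relative cmd is only looked up in a restricted PATH. With the change the line is consistent with the `/usr/sbin/procmap` rule two lines below it. I would also send this as a separate diff from the /etc/examples one, so the two can be reviewed and committed independently.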