undefined | Better HN

0 pointsjosteink3y ago0 comments

> It looks like doas is missing some important features sudo has … and wildcard and in the newest version regex support for matching arguments.

Sometimes less is more. My immediate response to that is that it sounds like needless complexity which can be a source of errors, bugs and security-vulnerabilities.

What typical use-cases do these particular features have?

0 comments

thayne3y ago

> What typical use-cases do these particular features have?

For the io logs: auditing. And in some cases such logs are necessary for compliance reasons.

For wildcards: allowing to run a command, but only if they supply a specific option that makes it less dangerous. Now, you do have to be very careful when doing that, but there are cases where it is useful and explicitly listing every variation of options that is allowed isn't practical.

I also forgot to mention sudoedit. Although, making something similar for doas would be pretty simple, so I'm kind of surprised there isn't something.

ehutch793y ago

For wildcards;

Allowing a user to use systemctl with specific daemons, so ```systemctl * unit-name```, without a password. But anything outside of that I need a password.

Denvercoder93y ago

It's actually good to not support such things, because it makes it way too easy to give more permissions than you intent to. In your example it effectively gives unlimited root access, as you can do `systemctl edit unit-name` and change the unit to run arbitrary programs as root.

ilyt3y ago

Depends on what you do. If you have app server and use it to give access for developers to restart their apps, them getting root on the server is entirely irrelevant.

It's more so the curious dev don't just go sudo bash and changes stuff willy nilly then forgets what they changed.

We do avoid wildcards like plague but honestly regexp support would be more useful, then our devs could just have say

    ^/bin/systemctl (start|stop|restart|status) app-([a-z0-9\.\-]+)$

and be pretty safe.

2 more replies

claviola3y ago

That's all well and true, but it's an expected downside which you'd see with any software which needs to be properly configured to run. If a user doesn't know they should take this seriously by ensuring that a tool which potentially grants root privileges is correctly configured, that shouldn't stop others who know better.

ehutch793y ago

Yeah, why is that a command anyways...

But the point being that the users who have that also can just sudo anything anyways, and if an attacker is running shell commands, you're already in trouble.

I'm wondering if you're not right at this point though.

j / k navigate · click thread line to collapse

0 comments

thayne3y ago

> What typical use-cases do these particular features have?

For the io logs: auditing. And in some cases such logs are necessary for compliance reasons.

I also forgot to mention sudoedit. Although, making something similar for doas would be pretty simple, so I'm kind of surprised there isn't something.

ehutch793y ago

For wildcards;

Allowing a user to use systemctl with specific daemons, so ```systemctl * unit-name```, without a password. But anything outside of that I need a password.

Denvercoder93y ago

ilyt3y ago

Depends on what you do. If you have app server and use it to give access for developers to restart their apps, them getting root on the server is entirely irrelevant.

It's more so the curious dev don't just go sudo bash and changes stuff willy nilly then forgets what they changed.

We do avoid wildcards like plague but honestly regexp support would be more useful, then our devs could just have say

    ^/bin/systemctl (start|stop|restart|status) app-([a-z0-9\.\-]+)$

and be pretty safe.

2 more replies

claviola3y ago

ehutch793y ago

Yeah, why is that a command anyways...

But the point being that the users who have that also can just sudo anything anyways, and if an attacker is running shell commands, you're already in trouble.

I'm wondering if you're not right at this point though.

j / k navigate · click thread line to collapse