EDIT: package removed.
doas(1) is a simple, secure replacement for the `sudo` command that comes from the same team that brought the world OpenSSH, LibreSSL, tmux and sudo itself.
The program has been ported to Linux:
https://github.com/Duncaen/OpenDoas
I have now packaged it for Debian jessie-based systems:
https://software.opensuse.org/download. … e=OpenDoas
To install it in BunsenLabs, use:
sudo tee /etc/apt/sources.list.d/opendoas.list <<< "deb http://download.opensuse.org/repositories/home:/Head_on_a_Stick:/BunsenLabs/Debian_8.0/ /"
sudo apt update
sudo apt install opendoas
The repository key can also be added to allow updates:
wget http://download.opensuse.org/repositories/home:Head_on_a_Stick:BunsenLabs/Debian_8.0/Release.key
sudo apt-key add - < Release.key
rm Release.key
sudo apt update
Once the package is installed, configure the program by creating a file at /etc/doas.conf
This example will allow user Fred to pass commands as root:
permit setenv { PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin } Fred as root
The "setenv" bit is needed to correct root's $PATH for installing packages with APT.
The `doas` command can then be used in exactly the same way as `sudo`, for example:
doas apt update
To attain a root shell, use:
doas -s
The author explains the reasoning behind the program here:
http://www.tedunangst.com/flak/post/doas
With an extended guide ("doas mastery") here:
http://www.tedunangst.com/flak/post/doas-mastery
Warning: this package is just for fun and should *not* be used in production systems. If you are interested in a more secure system, see https://www.debian.org/doc/manuals/secu … ian-howto/ or install OpenBSD.
Last edited by Head_on_a_Stick (2018-03-10 23:13:43)
Offline
Good stuff. I recall reading about that not long ago.
Quick question: can it run on a system 'with' sudo and su?
As in: I won't bork my system will I?
Debian 12 Beardog, SoxDog and still a Conky 1.9er
Offline
can it run on a system 'with' sudo and su?
Yes, that should be fine, I do that on my Arch & Debian systems.
Offline
Oh I gotta try this ... and of course ... expect Q's ... maybe!
Way I look at it if I can get it going - it's a winner!
PS: Noticed you avoided the "bork my system" part quite nicely.
---
Give it to S11 he can bork anything.
Debian 12 Beardog, SoxDog and still a Conky 1.9er
Offline
you avoided the "bork my system" part quite nicely.
I've since added a Warning: to the OP to cover my *ss
EDIT: backup first!
Last edited by Head_on_a_Stick (2016-11-21 22:33:56)
Offline
hahahaha AWESOME! I'm going to finish reading it all tomorrow and have a go at it.
Dinner and wife time now. Later, thank you!
Debian 12 Beardog, SoxDog and still a Conky 1.9er
Offline
I have a quick question for any expert Debian packagers that may be reading:
For this program, the /usr/bin/doas binary needs the setuid bit activated (4111 permissions) but `debuild` strips this away when the executable is installed.
To correct this, I tried
override_dh_strip:
	dh_strip --exclude doas # also tried /usr/bin/doas
in debian/rules but the permissions were not altered.
Eventually, I resorted to this in debian/postinst:
#!/bin/sh
chmod 4111 /usr/bin/doas
exit 0
Is this OK?
It feels like a dirty hack, is there a better alternative?
Offline
I have updated the OP with a correction to /etc/doas.conf to include the "setenv" parameter, APT will not work without this change.
I will probably update the package and add some post-install notes to clarify this for the user.
Offline
To correct this, I tried
override_dh_strip:
	dh_strip --exclude doas # also tried /usr/bin/doas
in debian/rules but the permissions were not altered.
You want dh_fixperms(1).
Eventually, I resorted to this in debian/postinst:
#!/bin/sh
chmod 4111 /usr/bin/doas
exit 0
Is this OK?
It feels like a dirty hack, is there a better alternative?
I would avoid it in d/postinst. It is preferable in d/rules either to pass -X to dh_fixperms or to chmod explicitly after dh_fixperms is invoked.
Offline
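The dh_fixperms advice in the reply above, written out as a debian/rules file. This is an added example, not part of the thread or the packager's own file; it assumes the dh sequencer and a single binary package named "opendoas", so the staged tree is debian/opendoas/.

```makefile
#!/usr/bin/make -f
# Added example of a debian/rules file; not the packager's actual file.
# Assumes the dh sequencer and a single binary package named "opendoas",
# so the staged tree is debian/opendoas/.

%:
	dh $@

# dh_fixperms normalises modes and clears setuid/setgid bits, so run it
# first and then restore the mode the thread wants (4111) on the staged
# binary. The bit is then recorded in the .deb itself rather than being
# set by a maintainer script at install time.
override_dh_fixperms:
	dh_fixperms
	chmod 4111 debian/opendoas/usr/bin/doas

# Alternative (use instead of the chmod above): exclude the binary so
# dh_fixperms leaves whatever mode the upstream install step gave it.
#	dh_fixperms -X usr/bin/doas
```

Running `dpkg-deb -c` on the built .deb should then list usr/bin/doas with mode `---s--x--x`, which confirms the setuid bit survived the build.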
Fantastic, thanks for the tips
Offline
That is tiny!
Yes, isn't it awesome
I'm not sure if I can live without the sudo insults though.
That is the single feature I miss most
EDIT: I will be rebuilding the package using dh_fixperms as soon as I can find the original folder...
Last edited by Head_on_a_Stick (2017-01-08 19:44:30)
Offline
That is tiny!
I'm not sure if I can live without the sudo insults though.
What insults? Am I missing something?
Debian 12 Beardog, SoxDog and still a Conky 1.9er
Offline
....
What insults? Am I missing something?
A simple tweak to the sudoers file and you get insulted if you type the wrong password
damo@graphix ~ $ sudo visudo
[sudo] password for damo:
Listen, burrito brains, I don't have time to listen to this trash.
[sudo] password for damo:
The more you drive -- the dumber you get.
[sudo] password for damo:
sudo: 3 incorrect password attempts
Be Excellent to Each Other...
Offline
I want that tweak - yesterday! PLEASE! Pretty please!
With all my typos it'll be a source of entertainment all day long!
Never mind:
08 Jan 17 @ 18:58:56 ~
$ up2
[sudo] password for sector11:
My mind is going. I can feel it.
[sudo] password for sector11:
You'll starve!
[sudo] password for sector11:
I LOVE IT! Thank you all!
Debian 12 Beardog, SoxDog and still a Conky 1.9er
Offline
@S11: in /etc/sudoers, add this line:
Defaults insults
I think this should be the stock setting for BunsenLabs, it was for OpenBSD for quite some time
Offline
@S11: in /etc/sudoers, add this line:
Defaults insults
I think this should be the stock setting for BunsenLabs, it was for OpenBSD for quite some time
Yes, please, let's make it a permanent setting in the next release.
See above - Startpage is my friend.
Debian 12 Beardog, SoxDog and still a Conky 1.9er
Offline
For safety, edit the sudoers file by using
sudo visudo
Be Excellent to Each Other...
Offline
^ Thanks damo, I've been aware of this since early days at #! days ... plus you gave an EXCELLENT hint to all in your post above, to wit, I shall quote and add one last line:
HEY PEOPLE: TAKE NOTE:
damo wrote - except for the last line:
damo@graphix ~ $ sudo visudo
[sudo] password for damo:
Listen, burrito brains, I don't have time to listen to this trash.
[sudo] password for damo:
The more you drive -- the dumber you get.
[sudo] password for damo:
sudo: 3 incorrect password attempts
Tsk tsk, shame on you!
KUDOS for sneaking the hint of hints in there!
Debian 12 Beardog, SoxDog and still a Conky 1.9er
Offline
Just out of curiosity: Has anyone been using it?
I mean OpenDoas, not the insults feature of sudo.
This is one of the things I wanted to test but just forgot about. Now I came across this thread again...
Offline