
#1 2016-11-21 22:04:48

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093

OpenDoas, a simple, secure `sudo` replacement from OpenBSD

EDIT: package removed.

doas(1) is a simple, secure replacement for the `sudo` command that comes from the same team that brought the world OpenSSH, LibreSSL, tmux and sudo itself.

The program has been ported to Linux:

https://github.com/Duncaen/OpenDoas

I have now packaged it for Debian jessie-based systems:

https://software.opensuse.org/download. … e=OpenDoas

To install it in BunsenLabs, use:

sudo tee /etc/apt/sources.list.d/opendoas.list <<< "deb http://download.opensuse.org/repositories/home:/Head_on_a_Stick:/BunsenLabs/Debian_8.0/ /"
sudo apt update
sudo apt install opendoas

The repository key can also be added to allow updates:

wget http://download.opensuse.org/repositories/home:Head_on_a_Stick:BunsenLabs/Debian_8.0/Release.key
sudo apt-key add - < Release.key
rm Release.key
sudo apt update

Once the package is installed, configure the program by creating a file at /etc/doas.conf

This example will allow user Fred to pass commands as root:

permit setenv { PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin } Fred as root

The "setenv" bit is needed to correct root's $PATH for installing packages with APT.

The `doas` command can then be used in exactly the same way as `sudo`, for example:

doas apt update

To attain a root shell, use:

doas -s

The author explains the reasoning behind the program here:

http://www.tedunangst.com/flak/post/doas

With an extended guide ("doas mastery") here:

http://www.tedunangst.com/flak/post/doas-mastery

Warning: this package is just for fun and should *not* be used in production systems; if you are interested in a more secure system, see https://www.debian.org/doc/manuals/secu … ian-howto/ or install OpenBSD.

Last edited by Head_on_a_Stick (2018-03-10 23:13:43)

#2 2016-11-21 22:12:33

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

Good stuff.  I recall reading about that not long ago.

Quick question:  can it run on a system 'with' sudo and su?

As in: I won't bork my system, will I?


Debian 12 Beardog, SoxDog and still a Conky 1.9er

#3 2016-11-21 22:15:27

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

Sector11 wrote:

can it run on a system 'with' sudo and su?

Yes, that should be fine, I do that on my Arch & Debian systems.

#4 2016-11-21 22:30:18

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

Oh I gotta try this ...  and of course ... expect Q's ... maybe! smile

Way I look at it if I can get it going - it's a winner!  big_smile

PS: Noticed you avoided the "bork my system" part quite nicely.  lol

---
Give it to S11 he can bork anything.



#5 2016-11-21 22:33:01

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

Sector11 wrote:

you avoided the "bork my system" part quite nicely.

big_smile

I've since added a Warning: to the OP to cover my *ss lol

EDIT: backup first!

Last edited by Head_on_a_Stick (2016-11-21 22:33:56)

#6 2016-11-21 22:43:00

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

hahahaha  AWESOME!  I'm going to finish reading it all tomorrow and have a go at it.

Dinner and wife time now.  Later, thank you!



#7 2016-11-22 21:17:44

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

I have a quick question for any expert Debian packagers that may be reading:

For this program, the /usr/bin/doas binary needs the setuid bit activated (4111 permissions) but `debuild` strips this away when the executable is installed.

To correct this, I tried

override_dh_strip:
        dh_strip --exclude doas # also tried /usr/bin/doas

in debian/rules but the permissions were not altered.

Eventually, I resorted to this in debian/postinst:

#!/bin/sh
chmod 4111 /usr/bin/doas
exit 0

Is this OK?

It feels like a dirty hack, is there a better alternative?

#8 2016-11-26 13:19:43

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

I have updated the OP with a correction to /etc/doas.conf to include the "setenv" parameter; APT will not work without this change.

I will probably update the package and add some post-install notes to clarify this for the user.

#9 2017-01-07 14:33:01

crimsun
New Member
Registered: 2017-01-07
Posts: 1

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

Head_on_a_Stick wrote:

To correct this, I tried

override_dh_strip:
        dh_strip --exclude doas # also tried /usr/bin/doas

in debian/rules but the permissions were not altered.

You want dh_fixperms(1).

Head_on_a_Stick wrote:

Eventually, I resorted to this in debian/postinst:

#!/bin/sh
chmod 4111 /usr/bin/doas
exit 0

Is this OK?

It feels like a dirty hack, is there a better alternative?

I would avoid it in d/postinst. It is preferable in d/rules either to pass -X to dh_fixperms or to chmod explicitly after dh_fixperms is invoked.

Offline
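
A build-time check for the problem discussed in posts #7 and #9, as an added example (not code from the thread or from the OpenDoas project): run against the package staging tree after dh_fixperms, it catches a setuid bit that was reset and any setuid/setgid file that nobody asked for. The function name, the "MODE PATH" allowlist format and the demo tree are assumptions made up here, and it relies on GNU find and stat as shipped on Debian.

```shell
#!/bin/sh
# Added example: audit a package staging tree for setuid/setgid files.
# Assumes GNU find and stat; the "MODE PATH" allowlist format is made up here.

# audit_setid STAGEDIR ALLOWLIST -> prints findings, returns 0 if the tree is clean
audit_setid() {
    stage=$1; allow=$2; rc=0
    found=$(find "$stage" -type f -perm /6000 -printf '%m %P\n' | sort)

    # Setuid/setgid files that are not allowlisted with exactly that mode.
    while read -r mode path; do
        [ -n "$mode" ] || continue
        if ! grep -Fxq "$mode $path" "$allow"; then
            echo "UNEXPECTED $mode $path"; rc=1
        fi
    done <<EOF
$found
EOF

    # Allowlisted files whose mode was lost or changed during the build.
    while read -r mode path; do
        case $mode in ''|'#'*) continue ;; esac
        actual=$(stat -c %a "$stage/$path" 2>/dev/null || echo absent)
        if [ "$actual" != "$mode" ]; then
            echo "MISMATCH $path: want $mode, got $actual"; rc=1
        fi
    done < "$allow"
    return "$rc"
}

# Constructed demo tree standing in for debian/opendoas (path is an assumption).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pkg/usr/bin"
    : > "$tmp/pkg/usr/bin/doas"
    chmod 4111 "$tmp/pkg/usr/bin/doas"
    echo "4111 usr/bin/doas" > "$tmp/allow"
    audit_setid "$tmp/pkg" "$tmp/allow" && echo "staging tree OK"
    chmod 0755 "$tmp/pkg/usr/bin/doas"   # setuid bit stripped, as in post #7
    audit_setid "$tmp/pkg" "$tmp/allow" || echo "audit failed as expected"
    rm -rf "$tmp"
}
demo
```

Calling the function as the last step of the build makes a lost setuid bit fail the build instead of surfacing after installation.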

#10 2017-01-07 15:04:12

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

Fantastic, thanks for the tips smile

#11 2017-01-08 19:40:25

o9000
tint2 developer
From: Network Neighborhood
Registered: 2015-10-24
Posts: 417

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

That is tiny!

I'm not sure if I can live without the sudo insults though.

#12 2017-01-08 19:43:27

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

o9000 wrote:

That is tiny!

Yes, isn't it awesome cool

I'm not sure if I can live without the sudo insults though.

That is the single feature I miss most sad

EDIT: I will be rebuilding the package using dh_fixperms as soon as I can find the original folder...

big_smile

Last edited by Head_on_a_Stick (2017-01-08 19:44:30)

#13 2017-01-08 21:32:53

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

o9000 wrote:

That is tiny!

I'm not sure if I can live without the sudo insults though.

What insults?  Am I missing something?



#14 2017-01-08 21:46:21

damo
....moderator....
Registered: 2015-08-20
Posts: 6,734

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

Sector11 wrote:

....
What insults?  Am I missing something?

A simple tweak to the sudoers file and you get insulted if you type the wrong password big_smile

damo@graphix ~ $ sudo visudo
[sudo] password for damo: 
Listen, burrito brains, I don't have time to listen to this trash.
[sudo] password for damo: 
The more you drive -- the dumber you get.
[sudo] password for damo: 
sudo: 3 incorrect password attempts

Be Excellent to Each Other...

#15 2017-01-08 21:54:40

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

lol  lol  lol  lol  lol

I want that tweak - yesterday! PLEASE! Pretty please!
With all my typos it'll be a source of entertainment all day long! cool

Never mind:

 08 Jan 17 @ 18:58:56 ~
  $ up2
[sudo] password for sector11: 
My mind is going. I can feel it.
[sudo] password for sector11: 
You'll starve!
[sudo] password for sector11: 

I LOVE IT!  Thank you all!



#16 2017-01-08 21:54:48

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

@S11: in /etc/sudoers, add this line:

Defaults insults

I think this should be the stock setting for BunsenLabs, it was for OpenBSD for quite some time lol

#17 2017-01-08 22:01:37

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

Head_on_a_Stick wrote:

@S11: in /etc/sudoers, add this line:

Defaults insults

I think this should be the stock setting for BunsenLabs, it was for OpenBSD for quite some time lol

Yes, please, let's make it a permanent setting in the next release.  smile
See above - Startpage is my friend.  wink



#18 2017-01-08 22:08:24

damo
....moderator....
Registered: 2015-08-20
Posts: 6,734

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

For safety, edit the sudoers file by using

sudo visudo


#19 2017-01-08 22:56:34

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

^ Thanks damo, I've been aware of this since the early days at #! ... plus you gave an EXCELLENT hint to all in your post above, to wit, I shall quote and add one last line:

HEY PEOPLE: TAKE NOTE:

damo wrote - except for the last line:

damo@graphix ~ $ sudo visudo
[sudo] password for damo:
Listen, burrito brains, I don't have time to listen to this trash.
[sudo] password for damo:
The more you drive -- the dumber you get.
[sudo] password for damo:
sudo: 3 incorrect password attempts
Tsk tsk, shame on you!

KUDOS for sneaking the hint of hints in there!



#20 2018-03-10 22:20:02

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: OpenDoas, a simple, secure `sudo` replacement from OpenBSD

Just out of curiosity: has anyone been using it?

I mean OpenDoas, not the insults feature of sudo.

This is one of the things I wanted to test but just forgot about. Now I came across this thread again...
