
Re: doas 101 question



On Fri, Dec 17, 2021 at 12:20:43PM -0800, David Newman wrote:
> How to configure /etc/doas.conf so a non-root user gets root's PATH?

This works for me:

unicorn:~$ PATH=/usr/local/bin:/usr/bin:/bin
unicorn:~$ cat /etc/doas.conf
permit setenv { PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin } greg
unicorn:~$ doas env | grep PATH
doas (greg@unicorn) password: 
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

> permit nopass setenv {
> PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin } dnewman
> as root
> permit nopass keepenv root as root
> 
> permit nopass setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } dnewman as root
> permit nopass keepenv root as root

You've got two contradictory lines for "dnewman as root", with the latter
having a setenv clause without PATH in it.  I would imagine the latter
wins out (because it occurs last), and therefore your PATH variable doesn't
get set.

I don't know how repeated "dnewman as root" lines would be handled if only
one of them had a setenv clause.  You could experiment and find out.  It
would be easier just to get rid of the second line.
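
Added example (not part of the original message, and not code from doas): doas.conf(5) states that the last matching rule determines the action taken, so this sketch finds the effective rule for a user and reports whether its setenv list assigns PATH. The parser is a simplification that assumes one rule per line and ignores cmd/args and group identities; SAMPLE_CONF is constructed from the rules quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the four rules quoted in the message, one per line.
SAMPLE_CONF = """\
permit nopass setenv { PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin } dnewman as root
permit nopass keepenv root as root
permit nopass setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } dnewman as root
permit nopass keepenv root as root
"""

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

def parse_rules(text):
    """Parse one-rule-per-line doas.conf text (simplified: no cmd/args, no groups)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        setenv = []
        m = re.search(r"setenv\s*\{([^}]*)\}", line)
        if m:                                     # pull out the setenv { ... } list
            setenv = m.group(1).split()
            line = line[:m.start()] + " " + line[m.end():]
        tok = line.split()
        i, opts = 1, []
        while i < len(tok) and tok[i] in OPTIONS:
            opts.append(tok[i])
            i += 1
        target = tok[i + 2] if tok[i + 1:i + 2] == ["as"] and len(tok) > i + 2 else None
        rules.append({"line": lineno, "action": tok[0], "opts": opts,
                      "setenv": setenv, "identity": tok[i], "target": target})
    return rules

def effective_rule(rules, user, target="root"):
    """Return the last rule matching user/target, or None (doas then denies)."""
    hits = [r for r in rules
            if r["identity"] == user and r["target"] in (None, target)]
    return hits[-1] if hits else None

def sets_var(rule, name):
    """True if the rule's setenv list assigns NAME=value."""
    return any(v.startswith(name + "=") for v in rule["setenv"])

if __name__ == "__main__":
    rule = effective_rule(parse_rules(SAMPLE_CONF), "dnewman")
    print("line", rule["line"], "sets PATH:", sets_var(rule, "PATH"))
```

Running the same check against a real /etc/doas.conf after each edit shows which rule is in effect for an account before anyone relies on it.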

