
Re: doas 101 question



On 12/17/21 8:16 PM, Greg Wooledge wrote:

> On Fri, Dec 17, 2021 at 12:20:43PM -0800, David Newman wrote:
>> How to configure /etc/doas.conf so a non-root user gets root's PATH?
>
> This works for me:
>
> unicorn:~$ PATH=/usr/local/bin:/usr/bin:/bin
> unicorn:~$ cat /etc/doas.conf
> permit setenv { PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin } greg
> unicorn:~$ doas env | grep PATH
> doas (greg@unicorn) password:
> PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Thanks for this. I get similar results where doas shows root's PATH -- but I cannot execute a file called '/usr/local/sbin/s', which is owned by root:root and has 0750 permissions, unless I specify the full path:

dnewman@coppi:~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
dnewman@coppi:~$ cat /etc/doas.conf
permit nopass setenv { PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin } dnewman
dnewman@coppi:~$ doas env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
dnewman@coppi:~$ doas s mailman3
doas: s: command not found
dnewman@coppi:~$ doas /usr/local/sbin/s mailman3
● mailman3.service - GNU Mailing List Manager
..

>> permit nopass setenv {
>> PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin } dnewman
>> as root
>> permit nopass keepenv root as root
>>
>> permit nopass setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } dnewman as root
>> permit nopass keepenv root as root
>
> You've got two contradictory lines for "dnewman as root", with the latter
> having a setenv clause without PATH in it.

Clarification: The examples in my previous email were two different two-line configurations. It wasn't a four-line doas.conf file.

The second two-line example was taken from an OpenBSD box where invoking doas allows execution without the full path. However, in that case I think it's because regular users already have /usr/local/sbin in their PATH, and so possibly unrelated to doas.

> I would imagine the latter
> wins out (because it occurs last), and therefore your PATH variable doesn't
> get set.
>
> I don't know how repeated "dnewman as root" lines would be handled if only
> one of them had a setenv clause.  You could experiment and find out.  It
> would be easier just to get rid of the second line.

Good idea. Per the example above it's just one line now, similar to yours.

dn
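The symptom in the thread (the setenv'd PATH is visible to `doas env`, yet a bare `s` is "command not found" while `/usr/local/sbin/s` works) is the pattern you get when the executable is located with the invoking user's PATH rather than with the PATH placed in the target environment. The thread does not settle whether that is what Debian's doas does, so treat it as a hypothesis to test. The script below is an added example, not part of the list mail or of doas itself: it emulates an execvp-style lookup of `s` against the two PATH strings quoted above, inside a constructed temporary tree (no doas, no real /usr/local/sbin), so the two cases can be told apart before touching doas.conf again. The `s` script, the temp prefix and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from doas): emulate an
# execvp-style PATH lookup so the same command can be resolved under the
# caller's PATH and under the PATH from the doas.conf setenv clause.
# Everything is constructed: a mktemp prefix stands in for "/", and
# $prefix/usr/local/sbin/s is a throwaway script, not a real binary.

# The two PATH strings quoted in the thread: the invoking shell's PATH and
# the one set by the setenv clause in /etc/doas.conf.
CALLER_PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
DOAS_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Walk a colon-separated PATH string and print the first executable,
# non-directory match. Returns 1 (the "command not found" case) otherwise.
lookup_in_path() {
    cmd=$1
    pathstr=$2
    old_ifs=$IFS
    IFS=:
    for dir in $pathstr; do
        if [ -x "$dir/$cmd" ] && [ ! -d "$dir/$cmd" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Build the constructed tree under a fresh temp prefix and print that prefix.
# "s" is created only in usr/local/sbin, mode 0750 like the one in the thread.
setup_fake_tree() {
    prefix=$(mktemp -d)
    for d in usr/local/sbin usr/local/bin usr/sbin usr/bin sbin bin; do
        mkdir -p "$prefix/$d"
    done
    printf '#!/bin/sh\necho "would manage %s"\n' '$1' > "$prefix/usr/local/sbin/s"
    chmod 0750 "$prefix/usr/local/sbin/s"
    printf '%s\n' "$prefix"
}

# Rewrite an absolute PATH string so every entry lives under $prefix.
prefix_path() {
    prefix=$1
    pathstr=$2
    printf '%s\n' "$pathstr" | sed "s|:|:$prefix|g; s|^|$prefix|"
}

# Resolve "s" under both PATH strings and report which lookup succeeds.
demo() {
    prefix=$(setup_fake_tree)
    for label in CALLER_PATH DOAS_PATH; do
        eval "p=\$$label"
        p=$(prefix_path "$prefix" "$p")
        if found=$(lookup_in_path s "$p"); then
            printf '%s: found %s\n' "$label" "${found#$prefix}"
        else
            printf '%s: s: command not found\n' "$label"
        fi
    done
    rm -rf "$prefix"
}

demo
```

Running it prints a "command not found" line for CALLER_PATH and a hit in /usr/local/sbin for DOAS_PATH. If a real `doas s` fails while `doas env` shows the setenv'd PATH, the lookup is evidently not being done against that PATH, and the workarounds are the ones the thread already uses: the full path on the command line, or /usr/local/sbin in the invoking user's own PATH.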
