Re: doas 101 question

To: debian-user@lists.debian.org
Subject: Re: doas 101 question
From: David Robert Newman <david@davidrobertnewman.com>
Date: Fri, 24 Dec 2021 20:32:14 -0800
Message-id: <[🔎] 42bc3224-66dd-2303-75d0-15555a0e391d@davidrobertnewman.com>
In-reply-to: <[🔎] Yb35VE7dO3MHEiul@wooledge.org>
References: <[🔎] 23c1c722-fb44-9368-8b2f-27ace1fdac75@networktest.com> <Yb1gttcRKsqqUL/S@wooledge.org> <[🔎] 4dee99bb-7ade-4ce0-8aac-1c7ec0efddbe@networktest.com> <[🔎] Yb35VE7dO3MHEiul@wooledge.org>

On 12/18/21 7:08 AM, Greg Wooledge wrote:

On Fri, Dec 17, 2021 at 09:20:59PM -0800, David Newman wrote:

Thanks for this. I get similar results where doas shows root's PATH -- but I
cannot execute a file called '/usr/local/sbin/s', which is owned by
root:root and has 0750 permissions, unless I specify the full path:

dnewman@coppi:~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
dnewman@coppi:~$ cat /etc/doas.conf
permit nopass setenv {
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin } dnewman
dnewman@coppi:~$ doas env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
dnewman@coppi:~$ doas s mailman3
doas: s: command not found
dnewman@coppi:~$ doas /usr/local/sbin/s mailman3
● mailman3.service - GNU Mailing List Manager
..

Same here, and it's not the permissions that are the issue.

unicorn:~$ PATH=/usr/local/bin:/usr/bin:/bin
unicorn:~$ type fdisk
bash: type: fdisk: not found
unicorn:~$ doas fdisk -l | head -n2
doas (greg@unicorn) password:
doas: fdisk: command not found
unicorn:~$ doas /sbin/fdisk -l | head -n2
doas (greg@unicorn) password:
Disk /dev/sda: 931.51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: TOSHIBA DT01ACA1

Looks like doas performs the search for the command *before* it sets
the environment.  You'd need to petition the developers to make a change
to the program's behavior in order to get what you want.  Most likely
this would need to be argued upstream, as I cannot imagine Debian writing
a local patch for that.  Not in a setuid program like this, and not after
the bullshit they pulled with su in buster.


I asked doas author Ted Unangst about this. His reply:

Sorry, only very limited env replacement can be done in setenv. root's environment isn't available before the switch.

Ergo, it is just as you suspected. This isn't an issue with OpenBSDbecause regular users's PATHs already include sbin directories. It is anissue with Debian because (a) a regular user's PATH doesn't include sbindirectories and (b) the change in su behavior awhile back restrictedaccess to some root privileges. It's not an issue with sudo, but forvarious reasons I'm more comfortable using doas.

My workaround was to add aliases for a few commands to my .bashrc file,e.g. (but not a real example):


alias ua='doas /usr/sbin/useradd'

Thanks for the sanity check.

dn

Reply to:

Follow-Ups:
- Re: doas 101 question
  - From: Greg Wooledge <greg@wooledge.org>

References:
- doas 101 question
  - From: David Newman <dnewman@networktest.com>
- Re: doas 101 question
  - From: Greg Wooledge <greg@wooledge.org>
- Re: doas 101 question
  - From: David Newman <dnewman@networktest.com>
- Re: doas 101 question
  - From: Greg Wooledge <greg@wooledge.org>

Prev by Date: Re: qmail package in bullseye
Next by Date: Re: Risc-V [OT: Firefox ESR EOL]
Previous by thread: Re: doas 101 question
Next by thread: Re: doas 101 question
Index(es):
- Date
- Thread