[SOLVED] Anyone know how to get doas working properly on devuan?

zapper · 2024-08-17 06:43:27

Like a sample config?

And also, I wanted to make it so, doas poweroff would automatically cause my computer to shut off.

But with one caveat, I want doas poweroff to work without root to users that can use sudo. But only that command will require no password.

stargate-sg1-cheyenne-mtn · 2024-08-17 15:21:44

may/may-not help(but was interesting nevertheless):
https://hackaday.com/2024/05/21/linux-fu-the-root-cause/

keywords:
doas
pkexec
root
run0
sandwich
su
sudo
xkcd

humor:
https://xkcd.com/149/
https://xkcd.com/838/

yeti · 2024-08-17 19:37:00

My experiments on Devuan5 so far...

Two IMO relevant snippets from doas.conf(5):

It may be needed no not allow args for such wired to root commands:

     args [argument ...]
                  Arguments to command.  The command arguments provided by the
                  user need to match those specified.  The keyword args alone
                  means that command must be run without any arguments.

And I sometimes stumble over this one:

     The last matching rule determines the action taken.  If no rule matches,
     the action is denied.

I've a long compile job running so I tried to do this with a more harmless command.

~$ doas -L
~$ doas -L ## clear persistent passwords
~$ grep cmd /etc/doas.conf 
## permit|deny [options] identity [as target] [cmd command [args ...]]
permit nopass :sudo as root cmd date args
~$ doas id
doas (yeti@BEEP) password: (((ctrl-c))) 

~$ ## ok. that asked for a pasword
~$ doas date
Sat Aug 17 19:19:40 UTC 2024
~$ ## ok.   expected.   \o/
~$ doas date +%s
doas (yeti@BEEP) password:  (((ctrl-c)))

~$ ## ;-)  even better!  only allowed witout args.
~$ █

(((I hope I haven't screwed up that too much... the heat costs several IQ points...)))

zapper · 2024-08-18 01:06:40

I figured out that I forgot the nopass part for getting jwmkit to shutdown and reboot properly.

I forget where I looked it up, but yeah, it works now.

I will have to quote myself later.

This is solved tho.

zapper · 2024-09-12 00:37:30

Was solved, but now I can't remember how to do this again. Weird shit I will say...

bilhook · 2024-09-12 07:55:43

# permit user as root
# permit persist user as root
permit persist user as root cmd /root/mac
permit persist user as root cmd ifdown args wlan0
permit persist user as root cmd ifup args wlan0

zapper · 2024-09-12 17:15:09

@bilhook does this work for you on devuan? really? I just want to do this for poweroff and reboot nothing else.

I could have sworn I tried what you suggested though. But I will try again.

I should add I need it have nopass as an option for those two things. That's where my problem is coming in.

I wan to not need a pass to make this work:

doas poweroff or doas /sbin/poweroff

and have the computer shutdown as a result.

Last edited by zapper (2024-09-12 17:15:55)

bilhook · 2024-09-13 09:38:16

zapper,
I just booted refractasnapshot daedalus on one of my boxes.
In /etc/doas.conf I put,
permit persist user as root cmd poweroff args -f

I logged in as user (password is pass.)
I typed, doas poweroff -f
doas requested password (pass,)
I put in password and hit enter and it powered off.

bilhook · 2024-09-13 10:56:51

personally if I was in a GUI I would use shutdown rather than poweroff, I think poweroff from GUI is stress on the hardware.

zapper · 2024-09-15 23:12:36

Yes, but can you figure out how to get doas to use nopassword and make:

doas poweroff go off w ithout asking for password causing it to shutdown

I ask anyone if they can make that happen.

bilhook · 2024-09-16 09:14:46

zapper,
I just booted a live as I done, and put in /etc/doas.conf

permit nopass user as root cmd poweroff args -f

logged in as user
doas poweroff -f
It works

Zapper I don't quite get why you're struggling with this, you're a clever fellow.
man doas.conf args

zapper · 2024-09-16 20:27:49

@Bilhook in Hyperbola it works fine. But in Devuan I run into issues. Its very weird. I might be missing something here. lol.

Edit: I think it might be that I have permission errors of some kind. I tried what you suggested and still nothing. lol.

Last edited by zapper (2024-09-16 20:51:26)

bilhook · 2024-09-17 07:46:08

There's no README, only the man pages.
I would backup my sudo configs, purge sudo, run updatedb, check locate for sudo.
doas.conf is world readable so you could chmod 600, as you're supposed to do with wpasupplicant.conf, although doubt that make difference.
man for doas states variables HOME LOGNAME PATH SHELL USER umask
man for doas.conf references syslogd

I have had it doing what you seek, I hope you persevere with this zapper, you can crack it, this doas is a beautiful little program.

Last edited by bilhook (2024-09-17 08:32:40)

bilhook · 2024-09-17 08:31:21

My guess and it is only a guess is there may be a conflict problem with a log or authentication daemon or something like that.
I would persevere with the docs, look at,
https://github.com/Duncaen/OpenDoas

My ssd and subsequent refractasnapshot is probably as bare bones as possible, I have a ton of shit not installed.

Last edited by bilhook (2024-09-17 08:31:49)

stargate-sg1-cheyenne-mtn · 2024-09-17 13:49:51

https://wiki.debian.org/Doas

JWM-Kit · 2024-09-17 14:34:05

This works for me.
1 use the full path for the commands
2 add a colon before the username
3 2 the args -f seems to fails, and I don't fully understand the syntax here so I left it out. ** Note below

* Code edited for accuracy

permit nopass user as root cmd /sbin/poweroff

On another note, I never configure doas for a specific user, instead I use a group, for example the wheel, or sudo group.

** With a quick look at the documentation, I can see the args syntax works how I thought it did. So I don't know why it causes it to fail for me.

The original number 2 above was marked out due to inaccuracy. Thanks to yeti for his post below. Even though it worked for me it was not correct.

Last edited by JWM-Kit (2024-09-17 17:40:04)

bilhook · 2024-09-17 16:04:17

This is all turning out to be rather interesting and I hope we all persevere with it.
full path sould be tried
colon before user is interesting
as I have written above it has worked for me, they are not lamentable words, I did actually do it for real

yeti · 2024-09-17 16:16:16

bilhook wrote:

colon before user is interesting

doas.conf(5) wrote:

     identity     The username to match.  Groups may be specified by prepend-
                  ing a colon (':').  Numeric IDs are also accepted.

JWM-Kit · 2024-09-17 17:35:25

Thanks yeti!

You are correct, use a colon for groups, and no colon for usernames.

Why did it work for me? you're not gonna believe it. I belong to a group with the same name as as my username. What are the odds. lol.

As I said I usually use groups instead of a username, and since my test with usernames worked with the colons I assumed that was the correct way.

Still my other 2 points are valid. use the full path and the args did not work form me. . . and yes I did test the args after removing the colon.

JWM-Kit · 2024-09-17 17:44:48

@bilhook

they are not lamentable words, I did actually do it for real

I don't think anyone doubts you. It's just that it didn't work for them. The colon worked for me when it should not have because of my system configuration. Things are like that sometimes.

zapper · 2024-09-17 21:38:35

Very strange stuff though it is.

Maybe I need to find a github with instructions for doas somewhere.

That might help explain. Because the odd thing is, it aint working.

Although, I did install devuan on this one computer without installing A DE. I wonder if that means I am missing stuff I would otherwise have.

By this I mean, initially, I deselected all desktop environments. And just installed enough for a terminal, etc...

Last edited by zapper (2024-09-17 21:39:29)

JWM-Kit · 2024-09-18 00:20:34

The system I tested on I only installed the standard system tools or utilities whatever it's called. You know the tasksel menu on the devuan/debian installer. No DE or anything else. It was the only thing selected.

of course then I manually installed the xserver, jwm, and more.

JWM-Kit · 2024-09-18 00:25:40

Oh, One more important thing. This is my experience so I'm not saying this is how it is suppose to behave, just how it does for me. The no pass commands work without a password when NOT started for the command line but if it do them from a terminal it still ask for the password. which is fine for my use case.

So it works with graphical apps, or a menu item, or .desktop file, etc. Just not directly in the terminal.

Last edited by JWM-Kit (2024-09-18 00:30:54)

bilhook · 2024-09-18 07:25:08

I use do my doas ifup wlan0 in UXTerm in icewm (ice window manager GUI.)
The tests for zapper I did in console.
My daedalus refractasnapshot boots into console, then on the fly I sort out interfaces sources.list xinit firefox-esr

maybe this identity user groups is another parameter here, I guess so, I just gone a root and a user from netinstall.iso

bilhook · 2024-09-18 08:03:05

Thanks to JWM-Kit here, perhaps this is identity permissions, as you state zapper Hyperbola OK.
It might not be, hey this is routine computer engineering problem solving, I changed the inverter board and it turned out to be the vga cable, we've all been there, you know what I mean.
I would still backup config & purge sudo.
I would network down and methodically change permissions in a GUI file manager, convenient.

I will repeat what I done in console, but in X.
I'll be back.

The officially official Devuan Forum!

#1 2024-08-17 06:43:27

[SOLVED] Anyone know how to get doas working properly on devuan?

#2 2024-08-17 15:21:44

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#3 2024-08-17 19:37:00

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#4 2024-08-18 01:06:40

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#5 2024-09-12 00:37:30

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#6 2024-09-12 07:55:43

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#7 2024-09-12 17:15:09

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#8 2024-09-13 09:38:16

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#9 2024-09-13 10:56:51

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#10 2024-09-15 23:12:36

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#11 2024-09-16 09:14:46

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#12 2024-09-16 20:27:49

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#13 2024-09-17 07:46:08

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#14 2024-09-17 08:31:21

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#15 2024-09-17 13:49:51

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#16 2024-09-17 14:34:05

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#17 2024-09-17 16:04:17

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#18 2024-09-17 16:16:16

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#19 2024-09-17 17:35:25

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#20 2024-09-17 17:44:48

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#21 2024-09-17 21:38:35

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#22 2024-09-18 00:20:34

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#23 2024-09-18 00:25:40

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#24 2024-09-18 07:25:08

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

#25 2024-09-18 08:03:05

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

Board footer