The officially official Devuan Forum!

You are not logged in.

#1 2022-09-02 14:07:42

Excalibur
Member
Registered: 2019-03-07
Posts: 15  

Replacing sudo.

OpenBSD has replaced sudo from its default install with doas. This utility is available in Devuan's package repositories. Once installed you create an /etc/doas.conf file with the needed commands you wish to run as root. An example is given below:-

                permit nopass username as root cmd /sbin/shutdown

To run the command just type, doas /sbin/shutdown -r now.

Further examples can be found at the bottom of the doas.conf man page.

So, to install doas do the following: aptitude purge sudo ; aptitude install doas      (use your preferred package manager)

There may be a caveat in using doas, some heavyweight desktop environments may have a dependency on sudo, so check this out before you try doas. I think you will find doas has a cleaner syntax than sudo and I have found it to be more flexible for my needs.

Offline

#2 2022-09-02 17:06:59

Camtaf
Member
Registered: 2019-11-19
Posts: 408  

Re: Replacing sudo.

It was introduced because a lot of admins had problems configuring sudo properly, & it has a lot less options, which makes it easier.

They introduced doas just after I finally got around to buying Sudo Mastery, just my luck. big_smile

Offline

#3 2022-09-02 17:15:53

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Replacing sudo.

The creator of doas explains their reasons here:

https://flak.tedunangst.com/post/doas


Brianna Ghey — Rest In Power

Offline

#4 2022-09-03 16:03:09

chris2be8
Member
Registered: 2018-08-11
Posts: 264  

Re: Replacing sudo.

Excalibur wrote:

So, to install doas do the following: aptitude purge sudo ; aptitude install doas      (use your preferred package manager)

Or better:
aptitude install doas
Check doas works and does everything you need!
aptitude purge sudo
Now check if everything still works. Eg does the menu option to shut down the system need sudo?

I've spend too many years installing software to risk cutting myself off.

Offline

#5 2022-09-03 18:42:05

brocashelm
Member
Registered: 2020-06-29
Posts: 112  

Re: Replacing sudo.

Head_on_a_Stick wrote:

The creator of doas explains their reasons here:

https://flak.tedunangst.com/post/doas

I've been listening to some of Ted Unangst's talks. He's very thorough about his approach to improving code.

Anyway, I've been playing around with doas and actively considering installing OpenBSD on the side. I like the more minimalist, no-hands-held environment.

Last edited by brocashelm (2022-09-03 18:42:26)

Offline

#6 2022-09-04 09:40:27

Camtaf
Member
Registered: 2019-11-19
Posts: 408  

Re: Replacing sudo.

As far as regular desktop users, & small networks go, doas would be a better option for most distros.

Offline

#7 2022-09-04 12:45:33

delgado
Member
Registered: 2022-07-14
Posts: 151  

Re: Replacing sudo.

Hm, how would the following look in doas style?
(Capt. Obviuos does not want to compile as root)

$ ./configure
$ make
$ sudo make install

Offline

#8 2022-09-04 14:26:51

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Replacing sudo.

^

./configure
make
doas make install

Or add this to your shell initialisation file (eg, ~/.bashrc):

alias sudo='/usr/bin/doas'

Then just carry on using sudo as you always have done.


Brianna Ghey — Rest In Power

Offline

#9 2022-10-03 17:57:53

Devarch
Member
Registered: 2022-10-03
Posts: 62  

Re: Replacing sudo.

I still need password with doas inspite of:

permit username as root
permit nopass username as root

in /etc/doas.conf

Strange

Offline

#10 2022-10-04 08:47:07

Camtaf
Member
Registered: 2019-11-19
Posts: 408  

Re: Replacing sudo.

It's not meant to allow all encompassing usage, that's what su is for. wink

Offline

#11 2022-10-04 15:40:14

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Replacing sudo.

Devarch wrote:

I still need password with doas inspite of

Sorry to ask but you did replace username with the actual username, right?

That syntax works for me with the Debian doas package provided the actual username is supplied.


Brianna Ghey — Rest In Power

Offline

#12 2022-10-04 21:33:57

Devarch
Member
Registered: 2022-10-03
Posts: 62  

Re: Replacing sudo.

Head_on_a_Stick wrote:
Devarch wrote:

I still need password with doas inspite of

Sorry to ask but you did replace username with the actual username, right?

That syntax works for me with the Debian doas package provided the actual username is supplied.

yes.

I've discovered that if this line is present
permit persist keepenv setenv { XAUTHORITY=/home/username/.Xauthority DISPLAY=:0.0 LANG LC_ALL } :username

than this problem is present.

Surprisingly, if this line is removed I do not need to tap password.

But without this line I can not use geany or other staff as root.

Offline

#13 2022-10-05 05:06:47

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Replacing sudo.

If you want to run a graphical text editor as root then either use one that takes advantage of the GVFS admin:// backend:

gedit admin:///full/path/to/file

Or stick with sudo:

SUDO_EDITOR=geany sudoedit /path/to/file

Set $SUDO_EDITOR in /etc/environment to make it permanent then just use plain sudoedit.

Running the entire GUI editor as root is simply ridiculous. Don't do it.


Brianna Ghey — Rest In Power

Offline

#14 2022-10-05 19:18:00

Devarch
Member
Registered: 2022-10-03
Posts: 62  

Re: Replacing sudo.

Head_on_a_Stick, hhank you for this hint.

What is wrong with using XAUTHORITY? Almost every linux distribution lets run editor as root? I use it to edit system files. Is there some security problem?

Last edited by Devarch (2022-10-05 19:18:23)

Offline

#15 2022-10-05 19:34:30

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Replacing sudo.

See https://en.wikipedia.org/wiki/Principle … _privilege — what's the point of running the graphical interface as root if you only need to use elevated priviledges to save the modified file? That's what sudoedit & admin:// do.

Devarch wrote:

Almost every linux distribution lets run editor as root?

Almost every Linux distribution expressly advises against running editor GUIs as root. That's why sudoedit & admin:// exist. The latter is the default for GNOME and can also be used in the file manager so that can be operated without having to run the GUI itself as root.

EDIT: just for the record this works fine in my sway (Wayland) desktop:

doas mousepad /etc/fstab

I didn't think that was supposed to be possible hmm

Last edited by Head_on_a_Stick (2022-10-05 19:37:10)


Brianna Ghey — Rest In Power

Offline

#16 2023-09-11 20:41:25

dpkg
Member
Registered: 2023-09-11
Posts: 1  

Re: Replacing sudo.

Devarch wrote:

Surprisingly, if this line is removed I do not need to tap password.

It is because:

     The last matching rule determines the action taken.  If no rule matches, the ac-
     tion is denied.

https://man.openbsd.org/doas.conf#DESCRIPTION

Devarch wrote:

What is wrong with using XAUTHORITY?

Nothing, but you should have only one line matching the same username.

permit nopass keepenv setenv { XAUTHORITY=/home/username/.Xauthority DISPLAY=:0.0 LANG LC_ALL } username as root

Offline

#17 2023-09-17 02:47:47

czeekaj
Member
Registered: 2019-06-12
Posts: 154  

Re: Replacing sudo.

There is also sudo -i to just pretty much login as root.

to make it request password everytime you might need to set alias in .bashrc when sudo is invoked.
Although I am unsure how to block sudo -i using an alias.

Offline

#18 2023-10-31 17:58:35

czeekaj
Member
Registered: 2019-06-12
Posts: 154  

Re: Replacing sudo.

https://sup.dyne.org/

This is apparently a replacement option

Offline

#19 2023-10-31 19:54:33

yeti
Member
From: I'm not here: U R halucinating
Registered: 2017-02-23
Posts: 304  

Re: Replacing sudo.

sup?  Compile-time configuration smells too much like those suck**ss tools.  Definitely not my taste.

For a while now doas has got persist added on Linux too, so I see no reason any more not to use it.


<𝚋𝚘𝚍𝚢 𝚘𝚗𝚕𝚘𝚊𝚍='𝚍𝚘𝚌𝚞𝚖𝚎𝚗𝚝.𝚋𝚘𝚍𝚢.𝚒𝚗𝚗𝚎𝚛𝙷𝚃𝙼𝙻="𝙳𝚒𝚜𝚊𝚋𝚕𝚎 𝙹𝚂!";'>
𝔓𝔩𝔢𝔞𝔰𝔢 𝔩𝔢𝔞𝔳𝔢 𝔶𝔬𝔲𝔯 𝔣𝔞𝔲𝔩𝔱𝔰 𝔦𝔫 𝔱𝔥𝔢 𝔰𝔢𝔠𝔱𝔦𝔬𝔫 𝔟𝔢𝔩𝔬𝔴 𝔞𝔫𝔡 𝔡𝔬𝔫'𝔱 𝔣𝔬𝔯𝔤𝔢𝔱 𝔱𝔬 𝔲𝔫𝔰𝔲𝔟𝔰𝔠𝔯𝔦𝔟𝔢!

Offline

Board footer