This could potentially be helpful for me on any operating system, and for other people too.
Does anyone know how to disallow the parameter that allows the user to become root?
doas -s
Keeping all the power doas already has, but without allowing the user to become fully root via doas -s, and only that.
su must remain the same though, as that would be a huge edit, and as said, the rest of doas as well.
Last edited by zapper (2023-05-23 16:52:17)
Black Lives Matter! I am white, but I prefer equality over hatred.
Haughtiness comes before a fall, pride before destruction.
Peace be with you!
No one can serve two masters. Either you will hate the one and love the other, or you will be devoted to the one and despise the other. You cannot serve both God and mammon!
If you just want to disable su then comment out the following in /etc/pam.d/su like so...
#auth sufficient pam_rootok.so
I've never done this and don't plan to, so buyer beware; there could be bugs.
Decided to give this a try to see if it worked and it failed.
A better option contained in the /etc/pam.d/su file would be to do this...
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
auth required pam_wheel.so deny group=nosu
You could set up a group called nosu or just use your login group.
Last edited by soren (2023-05-24 11:05:08)
I've not used doas (I learnt sudo before doas was available), but you will need to think hard about what you want to do. If you let people run an arbitrary command as root they could just run bash as root to get the same effect as doas -s.
With sudo it's possible to let people run a list of commands as root, but not a shell, as long as none of the commands you allow can spawn a shell. But it's easy to let a way to a root shell slip through.
Forcing people to jump through a few hoops to get to a root shell *might* have some value, but it's more likely to give you a false sense of security.
zapper wrote:This could potentially be helpful for me on any operating system, and for other people too.
Does anyone know how to disallow the parameter that allows the user to become root?
doas -s
Keeping all the power doas already has, but without allowing the user to become fully root via doas -s, and only that.
su must remain the same though, as that would be a huge edit, and as said, the rest of doas as well.
Did you try with the following ruleset in your /etc/doas.conf?
permit zapper as root
deny zapper as root cmd /bin/bash
You can define more rules for other shells like /bin/sh, /bin/zsh, ...
If you work systematically, things will come by itself (Lev D. Landau)
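To see why the ruleset above blocks doas -s only narrowly, and what chris2be8 meant about routes to a root shell slipping through, here is an added example that models how doas evaluates /etc/doas.conf. It is not doas's own code. It follows two behaviours documented in doas.conf(5) and doas(1): rules are read top to bottom and the last matching rule wins, and a cmd keyword is compared as an exact string against the command word the user typed (which is why the man page advises absolute paths), with doas -s submitting $SHELL, or the caller's login shell if SHELL is unset. The user name zapper comes from the thread; the shell paths, the alternative allowlist of /usr/bin/apt and /usr/sbin/service, and the omission of options such as nopass or persist, :group identities and args matching are assumptions made for this illustration.

```python
"""Model of doas.conf rule evaluation (added illustration, not doas's code).

Models two documented behaviours of doas(1)/doas.conf(5):
  * rules are read top to bottom and the LAST matching rule wins;
  * 'cmd' is compared as an exact string against the command word the
    user typed (argv[0]); 'doas -s' substitutes $SHELL, falling back to
    the caller's login shell.
Options (nopass, persist, keepenv, nolog) are accepted and ignored;
':group' identities and 'args' are not modelled.  User name, shell paths
and allowlisted commands below are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}  # recognised and skipped


@dataclass
class Rule:
    action: str             # "permit" or "deny"
    identity: str           # invoking user
    target: Optional[str]   # "as" user; None matches any target
    cmd: Optional[str]      # exact command string; None matches any command


def parse_conf(text: str) -> List[Rule]:
    """Parse the subset of doas.conf syntax used in this thread."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        words = line.split()
        action, rest = words[0], words[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {raw!r}")
        rest = [w for w in rest if w not in OPTIONS]
        identity, rest = rest[0], rest[1:]
        target = cmd = None
        while rest:
            key, value, rest = rest[0], rest[1], rest[2:]
            if key == "as":
                target = value
            elif key == "cmd":
                cmd = value
            else:
                raise ValueError(f"unsupported keyword {key!r} in rule: {raw!r}")
        rules.append(Rule(action, identity, target, cmd))
    return rules


def decide(rules: List[Rule], user: str, target: str, cmd: str) -> str:
    """'permit' or 'deny' for user running cmd as target.
    Last matching rule wins; with no matching rule at all doas refuses."""
    verdict = "deny"
    for r in rules:
        if r.identity != user:
            continue
        if r.target is not None and r.target != target:
            continue
        if r.cmd is not None and r.cmd != cmd:
            continue
        verdict = r.action
    return verdict


def doas_s_command(shell_env: Optional[str], login_shell: str) -> str:
    """Command word that 'doas -s' submits: $SHELL if set, else the login shell."""
    return shell_env if shell_env else login_shell


# The ruleset suggested in the thread.
DENY_SHELL_CONF = """\
permit zapper as root
deny zapper as root cmd /bin/bash
"""

# The alternative also raised in the thread: permit only a list of commands,
# so no shell is ever matched.  Paths are assumptions for the example.
ALLOWLIST_CONF = """\
permit zapper as root cmd /usr/bin/apt
permit zapper as root cmd /usr/sbin/service
"""


def evaluate(conf: str) -> Dict[str, str]:
    """Run a fixed set of attempts (constructed here) against a ruleset."""
    rules = parse_conf(conf)
    attempts = {
        "doas -s, SHELL=/bin/bash": doas_s_command("/bin/bash", "/bin/bash"),
        "doas -s, SHELL=/usr/bin/bash": doas_s_command("/usr/bin/bash", "/bin/bash"),
        "doas -s, SHELL unset, login shell /bin/bash": doas_s_command(None, "/bin/bash"),
        "doas bash": "bash",
        "doas /bin/sh": "/bin/sh",
        "doas /usr/bin/apt": "/usr/bin/apt",
    }
    return {name: decide(rules, "zapper", "root", c) for name, c in attempts.items()}


if __name__ == "__main__":
    for title, conf in (("deny-shell ruleset", DENY_SHELL_CONF),
                        ("allowlist ruleset", ALLOWLIST_CONF)):
        print(f"== {title}")
        for name, verdict in evaluate(conf).items():
            print(f"{verdict:6}  {name}")
```

Running it shows the deny rule catching doas -s only while $SHELL (or the login shell) is exactly /bin/bash; /usr/bin/bash, a bare bash, or /bin/sh all fall through to the earlier permit. With the allowlist ruleset every attempt other than the listed command is refused, which is the approach chris2be8 described.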
aitor wrote:zapper wrote:This could potentially be helpful for me on any operating system, and for other people too.
Does anyone know how to disallow the parameter that allows the user to become root?
doas -s
Keeping all the power doas already has, but without allowing the user to become fully root via doas -s, and only that.
su must remain the same though, as that would be a huge edit, and as said, the rest of doas as well.
Did you try with the following ruleset in your /etc/doas.conf?
permit zapper as root
deny zapper as root cmd /bin/bash
You can define more rules for other shells like /bin/sh, /bin/zsh, ...
I was confused about what OP wanted to achieve.
Your answer looks to be the best after tinkering with the doas config file.
soren wrote:aitor wrote:zapper wrote:This could potentially be helpful for me on any operating system, and for other people too.
Does anyone know how to disallow the parameter that allows the user to become root?
doas -s
Keeping all the power doas already has, but without allowing the user to become fully root via doas -s, and only that.
su must remain the same though, as that would be a huge edit, and as said, the rest of doas as well.
Did you try with the following ruleset in your /etc/doas.conf?
permit zapper as root
deny zapper as root cmd /bin/bash
You can define more rules for other shells like /bin/sh, /bin/zsh, ...
I was confused about what OP wanted to achieve.
Your answer looks to be the best after tinkering with the doas config file.
This did in fact work! Thank you.
@chris2be8 I suppose it could give a false sense of security, but it's also a habit I want to be better at fighting as well.
I sometimes become root this way a hell of a lot. So... yeah.
Btw, to clarify, thank you @aitor.
Just making sure you know that.
Last edited by zapper (2023-05-25 20:09:51)
zapper wrote:soren wrote:aitor wrote:Did you try with the following ruleset in your /etc/doas.conf?
permit zapper as root
deny zapper as root cmd /bin/bash
You can define more rules for other shells like /bin/sh, /bin/zsh, ...
I was confused about what OP wanted to achieve.
Your answer looks to be the best after tinkering with the doas config file.
This did in fact work! Thank you.
@chris2be8 I suppose it could give a false sense of security, but it's also a habit I want to be better at fighting as well.
I sometimes become root this way a hell of a lot. So... yeah.
Btw, to clarify, thank you @aitor.
Just making sure you know that.
Do you have other users on your machines? I don't understand the reasoning for denying root via doas if you are the sole user.
Last edited by soren (2023-05-26 11:42:10)