This could be potentially helpful for me on any operating system as well and other people's too.
Does anyone know how to disallow the parameter that allows the user to become root?
doas -s
keeping all the power doas already has, but without allowing user to become fully root by doas -s and only that.
su must remain the same though as a huge edit and as said, the rest of doas as well.
Last edited by zapper (2023-05-23 16:52:17)
Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!
If you just want to disable su then comment the following in /etc/pam.d/su like so...
#auth sufficient pam_rootok.so
I've never done this and don't plan to, so buyer beware; could be bugs.
Decided to give this a try to see if it worked and it failed.
A better option contained in the /etc/pam.d/su file would be to do this...
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
auth required pam_wheel.so deny group=nosu
You could set up a group called nosu or just use your login group.
Last edited by soren (2023-05-24 11:05:08)
I've not used doas (I learnt sudo before doas was available), but you will need to think hard about what you want to do. If you let people run an arbitrary command as root they could just run bash as root to get the same effect as doas -s.
With sudo it's possible to let people run a list of commands as root, but not a shell, as long as none of the commands you allow can spawn a shell. But it's easy to let a way to a root shell slip through.
Forcing people to jump through a few hoops to get to a root shell *might* have some value, but it's more likely to give you a false sense of security.
This could be potentially helpful for me on any operating system as well and other people's too.
Does anyone know how to disallow the parameter that allows the user to become root?
doas -s
keeping all the power doas already has, but without allowing user to become fully root by doas -s and only that.
su must remain the same though as a huge edit and as said, the rest of doas as well.
Did you try with the following ruleset in your /etc/doas.conf?
permit zapper as root
deny zapper as root cmd /bin/bash
You can define more rules for other shells like /bin/sh, /bin/zsh, ...
If you work systematically, things will come by itself (Lev D. Landau)
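To check what the ruleset above actually decides before relying on it, here is a small simulator of doas.conf evaluation. It is an added example written for this thread, not code from aitor or from the doas project. It models the documented semantics of doas.conf(5): rules are read top to bottom, the last matching rule wins, and a request that matches no rule is denied. One assumption, labelled in the code: the `cmd` field is compared against the literal command string handed to doas (with `doas -s` that is the login shell path, e.g. `/bin/bash`), so each shell path you want blocked needs its own `deny` line, which is exactly the "more rules for other shells" point. It also shows why the order of the two lines matters.

```python
# Added example (not doas's own code): simulate how doas evaluates the
# rules in /etc/doas.conf, so the ruleset posted above can be checked.
# Semantics modelled (doas.conf(5)): rules are evaluated top to bottom,
# the LAST matching rule wins, and no matching rule means "deny".
# Assumption: "cmd" is compared against the literal command string given
# to doas (doas -s substitutes the login shell path), not a resolved path.
from dataclasses import dataclass
from typing import Optional, Tuple

OPTIONS = ("nopass", "nolog", "persist", "keepenv")


@dataclass
class Rule:
    action: str                             # "permit" or "deny"
    identity: str                           # user name, or ":group"
    target: Optional[str] = None            # "as <user>"; None matches any target
    cmd: Optional[str] = None               # "cmd <command>"; None matches any command
    args: Optional[Tuple[str, ...]] = None  # "args ..."; exact match when present


def parse_doas_conf(text: str) -> list:
    """Parse the subset of doas.conf syntax used in this thread."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        tok = line.split()
        action, i = tok[0], 1
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in rule: {raw!r}")
        while i < len(tok) and tok[i] in OPTIONS:  # e.g. "permit nopass ..."
            i += 1
        identity, i = tok[i], i + 1
        target = cmd = args = None
        while i < len(tok):
            if tok[i] == "as":
                target, i = tok[i + 1], i + 2
            elif tok[i] == "cmd":
                cmd, i = tok[i + 1], i + 2
            elif tok[i] == "args":
                args, i = tuple(tok[i + 1:]), len(tok)
            else:
                raise ValueError(f"unsupported token {tok[i]!r} in: {raw!r}")
        rules.append(Rule(action, identity, target, cmd, args))
    return rules


def evaluate(rules, user, groups, target, cmd, cmdargs=()) -> str:
    """Return "permit" or "deny" for one request; last matching rule wins."""
    decision = "deny"                        # no matching rule: denied
    for r in rules:
        if r.identity.startswith(":"):
            if r.identity[1:] not in groups:
                continue
        elif r.identity != user:
            continue
        if r.target is not None and r.target != target:
            continue
        if r.cmd is not None:
            if r.cmd != cmd:                 # literal string comparison (assumption above)
                continue
            if r.args is not None and r.args != tuple(cmdargs):
                continue
        decision = r.action                  # later matches override earlier ones
    return decision


# The ruleset from the thread, in the order it was posted.
THREAD_CONF = """\
permit zapper as root
deny zapper as root cmd /bin/bash
"""
THREAD_RULES = parse_doas_conf(THREAD_CONF)

# The same two lines in the opposite order: now the permit comes last and
# silently overrides the deny, so /bin/bash is allowed again.
REVERSED_RULES = parse_doas_conf("""\
deny zapper as root cmd /bin/bash
permit zapper as root
""")


def thread_decisions() -> dict:
    """Decisions of the posted ruleset for a few requests by zapper."""
    requests = {
        "doas -s (SHELL=/bin/bash)": "/bin/bash",
        "doas -s (SHELL=/bin/sh)": "/bin/sh",   # still permitted: needs its own deny rule
        "doas apt update": "apt",
    }
    return {label: evaluate(THREAD_RULES, "zapper", [], "root", c)
            for label, c in requests.items()}


if __name__ == "__main__":
    for label, d in thread_decisions().items():
        print(f"{d:6}  {label}")
    print(evaluate(REVERSED_RULES, "zapper", [], "root", "/bin/bash"),
          "  reversed rule order, /bin/bash")
```

Run it once and you see the deny only covers `/bin/bash`; add a `deny ... cmd /bin/sh` (and so on for every shell installed) and keep the deny lines after the broad permit, or the permit wins.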
zapper wrote:This could be potentially helpful for me on any operating system as well and other people's too.
Does anyone know how to disallow the parameter that allows the user to become root?
doas -s
keeping all the power doas already has, but without allowing user to become fully root by doas -s and only that.
su must remain the same though as a huge edit and as said, the rest of doas as well.
Did you try with the following ruleset in your /etc/doas.conf?
permit zapper as root
deny zapper as root cmd /bin/bash
You can define more rules for other shells like /bin/sh, /bin/zsh, ...
I was confused what OP wanted to achieve.
Your answer looks to be the best after tinkering with doas config file.
aitor wrote:zapper wrote:This could be potentially helpful for me on any operating system as well and other people's too.
Does anyone know how to disallow the parameter that allows the user to become root?
doas -s
keeping all the power doas already has, but without allowing user to become fully root by doas -s and only that.
su must remain the same though as a huge edit and as said, the rest of doas as well.
Did you try with the following ruleset in your /etc/doas.conf?
permit zapper as root
deny zapper as root cmd /bin/bash
You can define more rules for other shells like /bin/sh, /bin/zsh, ...
I was confused what OP wanted to achieve.
Your answer looks to be the best after tinkering with doas config file.
This did in fact work! Thank you.
@chris2be8 I suppose it could give a false sense of security, but it's also a habit I want to be better at fighting as well.
I sometimes become root this way a hell of a lot. So... yeah.
Btw, clarifying thank you @aitor
Just making sure you know that.
Last edited by zapper (2023-05-25 20:09:51)
soren wrote:aitor wrote:Did you try with the following ruleset in your /etc/doas.conf?
permit zapper as root
deny zapper as root cmd /bin/bash
You can define more rules for other shells like /bin/sh, /bin/zsh, ...
I was confused what OP wanted to achieve.
Your answer looks to be the best after tinkering with doas config file.
This did in fact work! Thank you.
@chris2be8 I suppose it could give a false sense of security, but it's also a habit I want to be better at fighting as well.
I sometimes become root this way a hell of a lot. So... yeah.
Btw, clarifying thank you @aitor
Just making sure you know that.
Do you have other users on your machines? I don't understand the reasoning to deny root via doas if you are the sole user?
Last edited by soren (2023-05-26 11:42:10)
zapper wrote:soren wrote:I was confused what OP wanted to achieve.
Your answer looks to be the best after tinkering with doas config file.
This did in fact work! Thank you.
@chris2be8 I suppose it could give a false sense of security, but it's also a habit I want to be better at fighting as well.
I sometimes become root this way a hell of a lot. So... yeah.
Btw, clarifying thank you @aitor
Just making sure you know that.
Do you have other users on your machines? I don't understand the reasoning to deny root via doas if you are the sole user?
A few things, one of which being it's a habit I have to use doas -s
I don't think it's a wise behaviour if connected to the internet
permit zapper as root
deny zapper as root cmd /bin/bash
soren wrote:zapper wrote:This did in fact work! Thank you.
@chris2be8 I suppose it could give a false sense of security, but it's also a habit I want to be better at fighting as well.
I sometimes become root this way a hell of a lot. So... yeah.
Btw, clarifying thank you @aitor
Just making sure you know that.
Do you have other users on your machines? I don't understand the reasoning to deny root via doas if you are the sole user?
A few things, one of which being it's a habit I have to use doas -s
I don't think it's a wise behaviour if connected to the internet
permit zapper as root
deny zapper as root cmd /bin/bash
Ok, but what about su?
su will still be able to get a shell, won't it?
Or is the behavior you want, just to deny zapper root via doas.conf?
I would want to deny zapper via su as well if that is your threat model.
zapper wrote:soren wrote:Do you have other users on your machines? I don't understand the reasoning to deny root via doas if you are the sole user?
A few things, one of which being it's a habit I have to use doas -s
I don't think it's a wise behaviour if connected to the internet
permit zapper as root
deny zapper as root cmd /bin/bash
Ok, but what about su?
su will still be able to get a shell, won't it?
Or is the behavior you want, just to deny zapper root via doas.conf?
I would want to deny zapper via su as well if that is your threat model.
Oh I wouldn't need to, I will make that password way stronger as a solution.