The officially official Devuan Forum!

You are not logged in.

#1 2023-05-23 16:49:33

zapper
Member
Registered: 2017-05-29
Posts: 956  

[SOLVED] doas help,

This could be potentially helpful for me on any operating system as well and other people's too.

Does anyone know how to disallow the parameter that allows the user to become root?

doas -s

keeping all the power doas already has, but without allowing user to become fully root by doas -s and only that.

su must remain the same though as a huge edit and as said, the rest of doas as well.

Last edited by zapper (2023-05-23 16:52:17)


Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term  If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!

Offline

#2 2023-05-24 08:16:07

soren
Member
Registered: 2023-04-30
Posts: 142  

Re: [SOLVED] doas help,

If you just want to disable su then comment the following in /etc/pam.d/su like so...

#auth       sufficient pam_rootok.so



Ive never done this and dont plan to, so buyer beware, could be bugs.

Decided to give this a try to see if it worked and it failed.

A better option contained in the /etc/pam.d/su file would be to do this...

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
auth       required   pam_wheel.so deny group=nosu

You could set up a group called nosu or just use your login group.

Last edited by soren (2023-05-24 11:05:08)

Offline

#3 2023-05-24 16:15:26

chris2be8
Member
Registered: 2018-08-11
Posts: 306  

Re: [SOLVED] doas help,

I've not used doas (I learnt sudo before doas was available), but you will need to think hard about what you want to do. If you let people run an arbitrary command as root they could just run bash as root to get the same effect as doas -s.

With sudo it's possible to let people run a list of commands as root, but not a shell, as long as none of the commands you allow can spawn a shell. But it's easy to let a way to a root shell slip through.

Forcing people to jump through a few hoops to get to a root shell *might* have some value, but it's more likely to give you a false sense of security.

Offline

#4 2023-05-24 19:14:44

aitor
Member
From: basque country
Registered: 2016-12-03
Posts: 230  
Website

Re: [SOLVED] doas help,

zapper wrote:

This could be potentially helpful for me on any operating system as well and other people's too.

Does anyone know how to disallow the parameter that allows the user to become root?

doas -s

keeping all the power doas already has, but without allowing user to become fully root by doas -s and only that.

su must remain the same though as a huge edit and as said, the rest of doas as well.

Did you try with the following ruleset in your /etc/doas.conf?

permit zapper as root
deny zapper as root cmd /bin/bash

You can define more rules for other shells like /bin/sh, /bin/zsh, ...


If you work systematically, things will come by itself (Lev D. Landau)

Offline

#5 2023-05-25 09:18:17

soren
Member
Registered: 2023-04-30
Posts: 142  

Re: [SOLVED] doas help,

aitor wrote:
zapper wrote:

This could be potentially helpful for me on any operating system as well and other people's too.

Does anyone know how to disallow the parameter that allows the user to become root?

doas -s

keeping all the power doas already has, but without allowing user to become fully root by doas -s and only that.

su must remain the same though as a huge edit and as said, the rest of doas as well.

Did you try with the following ruleset in your /etc/doas.conf?

permit zapper as root
deny zapper as root cmd /bin/bash

You can define more rules for other shells like /bin/sh, /bin/zsh, ...

I was confused what OP wanted to achieve.

Your answer looks to be the best after tinkering with doas config file.

Offline

#6 2023-05-25 20:07:46

zapper
Member
Registered: 2017-05-29
Posts: 956  

Re: [SOLVED] doas help,

soren wrote:
aitor wrote:
zapper wrote:

This could be potentially helpful for me on any operating system as well and other people's too.

Does anyone know how to disallow the parameter that allows the user to become root?

doas -s

keeping all the power doas already has, but without allowing user to become fully root by doas -s and only that.

su must remain the same though as a huge edit and as said, the rest of doas as well.

Did you try with the following ruleset in your /etc/doas.conf?

permit zapper as root
deny zapper as root cmd /bin/bash

You can define more rules for other shells like /bin/sh, /bin/zsh, ...

I was confused what OP wanted to achieve.

Your answer looks to be the best after tinkering with doas config file.

This did in fact work! Thank you.

@chris2be8  I suppose it could give a false sense of security, but its also a habit I want to be better at fighting as well.

I sometimes become root this way a hell of a lot. So... yeah.

Btw, clarifying thank you @aitor

Just making sure you know that. big_smile

Last edited by zapper (2023-05-25 20:09:51)


Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term  If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!

Offline

#7 2023-05-26 11:41:42

soren
Member
Registered: 2023-04-30
Posts: 142  

Re: [SOLVED] doas help,

zapper wrote:
soren wrote:
aitor wrote:

Did you try with the following ruleset in your /etc/doas.conf?

permit zapper as root
deny zapper as root cmd /bin/bash

You can define more rules for other shells like /bin/sh, /bin/zsh, ...

I was confused what OP wanted to achieve.

Your answer looks to be the best after tinkering with doas config file.

This did in fact work! Thank you.

@chris2be8  I suppose it could give a false sense of security, but its also a habit I want to be better at fighting as well.

I sometimes become root this way a hell of a lot. So... yeah.

Btw, clarifying thank you @aitor

Just making sure you know that. big_smile

Do you have other users on your machines? I dont understand the reasoning to deny root via doas if you are the sole user?

Last edited by soren (2023-05-26 11:42:10)

Offline

#8 2023-06-03 02:54:45

zapper
Member
Registered: 2017-05-29
Posts: 956  

Re: [SOLVED] doas help,

soren wrote:
zapper wrote:
soren wrote:

I was confused what OP wanted to achieve.

Your answer looks to be the best after tinkering with doas config file.

This did in fact work! Thank you.

@chris2be8  I suppose it could give a false sense of security, but its also a habit I want to be better at fighting as well.

I sometimes become root this way a hell of a lot. So... yeah.

Btw, clarifying thank you @aitor

Just making sure you know that. big_smile

Do you have other users on your machines? I dont understand the reasoning to deny root via doas if you are the sole user?

A few things, one of which being its a habit I have to use doas -s

I don't think its a wise behaviour if connected to internet

permit zapper as root
deny zapper as root cmd /bin/bash

Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term  If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!

Offline

#9 2023-06-03 08:16:38

soren
Member
Registered: 2023-04-30
Posts: 142  

Re: [SOLVED] doas help,

zapper wrote:
soren wrote:
zapper wrote:

This did in fact work! Thank you.

@chris2be8  I suppose it could give a false sense of security, but its also a habit I want to be better at fighting as well.

I sometimes become root this way a hell of a lot. So... yeah.

Btw, clarifying thank you @aitor

Just making sure you know that. big_smile

Do you have other users on your machines? I dont understand the reasoning to deny root via doas if you are the sole user?

A few things, one of which being its a habit I have to use doas -s

I don't think its a wise behaviour if connected to internet

permit zapper as root
deny zapper as root cmd /bin/bash

Ok, but what about su?
su will still be able to get a shell wont it?
Or is the behavior you want, just to deny zapper root via doas.conf?
I would want to deny zapper via su as well if that is your threat model.

Offline

#10 2023-06-07 20:38:16

zapper
Member
Registered: 2017-05-29
Posts: 956  

Re: [SOLVED] doas help,

soren wrote:
zapper wrote:
soren wrote:

Do you have other users on your machines? I dont understand the reasoning to deny root via doas if you are the sole user?

A few things, one of which being its a habit I have to use doas -s

I don't think its a wise behaviour if connected to internet

permit zapper as root
deny zapper as root cmd /bin/bash

Ok, but what about su?
su will still be able to get a shell wont it?
Or is the behavior you want, just to deny zapper root via doas.conf?
I would want to deny zapper via su as well if that is your threat model.

Oh I wouldn't need to, I will make that password way stronger as a solution. wink


Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term  If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!

Offline

Board footer