The officially official Devuan Forum!


#26 2024-09-18 08:15:19

bilhook
Member
Registered: 2024-02-13
Posts: 78  

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

I just
permit nopass user as root cmd poweroff args -f
in UXTerm in X
it works

I will replace dummy-logind with vanilla, and do again
I'll be back

Also I use xserver-xorg-legacy /etc/Xwrapper.config
and I don't use a login manager

aaaggghhh!

Offline

#27 2024-09-18 08:27:45

bilhook
Member
Registered: 2024-02-13
Posts: 78  

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

I installed libpam-elogind which purged dummy-logind & libsystemd0
user in X, doas poweroff -f, works

will repeat with seatd

Offline

#28 2024-09-18 08:39:24

bilhook
Member
Registered: 2024-02-13
Posts: 78  

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

installed seatd (doesn't remove libsystemd0)
purged dummy-logind

works

will repeat with seatd & lightdm (if I can)

Offline

#29 2024-09-18 08:59:25

bilhook
Member
Registered: 2024-02-13
Posts: 78  

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

installed seatd & lightdm, lightdm removes libsystemd0
failed to fire up lightdm
there's no README
tried alt sysrq r e i s u
don't know if I can config lightdm on the fly
sorry, don't have time

Offline

#30 2024-09-18 15:11:26

JWM-Kit
Member
Registered: 2020-06-29
Posts: 138  
Website

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

WOW! You're gonna test all possible configurations.  LOL smile

OK I got it all figured out.  It's so simple I can't believe it caused this much trouble. It can be summed up by saying the configuration is very specific. nopass is only allowed if it's exactly as it is in the file. So to sum this all up.

1. If you configure it with args then you have to use the args or it won't work
2. If you configure it with the full path you must use the full path - many graphical apps will need this. For example JWMKit.
3. The reverse is true: if you configure as the command line only, the command will not work if you do the full path.

So the args do work for me, but I tested without the args assuming it would work with or without them.
When I tested in the terminal it did not work because I did not use the full path as configured in my file.
This is why it worked with the scripts, and graphical apps, as they did use the full path.

So I will configure with multiple combinations.

full path with args
full path without args.
no path with args
no path without args

permit nopass user as root cmd poweroff args -f
permit nopass user as root cmd poweroff
permit nopass user as root cmd /sbin/poweroff args -f
permit nopass user as root cmd /sbin/poweroff

Does anyone feel dumb now wink

To be fair I would expect it to know that poweroff is the same as /sbin/poweroff since /sbin/ is in the exec path.  Also I would expect the args to be optional.  Maybe requiring it to be exact adds extra security. I mean you could easily manipulate the exec path to hack the system, right?

In a way we were all correct, it's just the configuration wasn't specific enough for zapper's setup where he wanted to use both the commandline (no path with args) and jwmkit (path, and no args)

Offline
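
The matching behaviour worked out in the post above, as an added sketch that is not part of the original thread and not doas's own code. It models the rule matching described in doas.conf(5) (command compared as typed, args compared exactly, last matching rule wins) and ignores the identity and target fields; the names parse_rule, matches, decide and check are made up for this example.

```python
import shlex

def parse_rule(line):
    """Parse the subset of doas.conf rule syntax used in this thread."""
    tok = shlex.split(line)
    rule = {"action": tok[0], "nopass": "nopass" in tok, "cmd": None, "args": None}
    if "cmd" in tok:
        i = tok.index("cmd")
        rule["cmd"] = tok[i + 1]
        if tok[i + 2:i + 3] == ["args"]:
            rule["args"] = tok[i + 3:]   # bare "args" -> [] -> no arguments allowed
    return rule

def matches(rule, argv):
    """argv is what the user typed after 'doas', e.g. ['poweroff', '-f']."""
    if rule["cmd"] is None:
        return True                      # no cmd: every command matches
    if rule["cmd"] != argv[0]:           # compared as typed, no PATH lookup
        return False
    if rule["args"] is None:
        return True                      # cmd without args: any arguments match
    return rule["args"] == argv[1:]      # args given: exact list match

def decide(rules, argv):
    """Last matching rule wins; no matching rule means the request is denied."""
    verdict = "deny"
    for r in rules:
        if matches(r, argv):
            verdict = r["action"] + (" nopass" if r["nopass"] else "")
    return verdict

def check(lines, typed):
    return decide([parse_rule(l) for l in lines], shlex.split(typed))

# Rules taken from the post above.
ONE_RULE = ["permit nopass user as root cmd /sbin/poweroff args -f"]
FOUR_RULES = [
    "permit nopass user as root cmd poweroff args -f",
    "permit nopass user as root cmd poweroff",
    "permit nopass user as root cmd /sbin/poweroff args -f",
    "permit nopass user as root cmd /sbin/poweroff",
]

if __name__ == "__main__":
    for typed in ("poweroff", "poweroff -f", "/sbin/poweroff", "/sbin/poweroff -f"):
        print(f"{typed!r:22} one rule: {check(ONE_RULE, typed):14} "
              f"four rules: {check(FOUR_RULES, typed)}")
```

In this model a rule with cmd but no args keyword also matches the command with any arguments, so the rules without args are the broadest of the four.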

#31 2024-09-18 16:49:35

chris2be8
Member
Registered: 2018-08-11
Posts: 306  

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

Check what happens if you put a program called poweroff in your path that does something else. Eg the following:

#!/bin/bash
echo In fake poweroff script
id

If that says it's running as root you have a security hole. A malicious person could add something like rm -rF / to it.

Offline

#32 2024-09-18 18:34:47

JWM-Kit
Member
Registered: 2020-06-29
Posts: 138  
Website

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

I had already thought of that when I made my last post, so I tested it.

I created a fake whoami file in my local path ~/.local/bin/ that simply echoes HAHA!  The results:

regular user - runs the fake whoami
with sudo - runs the real whoami
with doas - runs the fake whoami

Yep security issue.  So you might want to use full path when adding nopass commands.

update : Does not affect nopass commands. See post below.

Last edited by JWM-Kit (2024-09-18 20:44:25)

Offline

#33 2024-09-18 19:02:53

JWM-Kit
Member
Registered: 2020-06-29
Posts: 138  
Website

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

I'm reporting the issue right now.

Offline

#34 2024-09-18 20:38:22

JWM-Kit
Member
Registered: 2020-06-29
Posts: 138  
Website

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

Update, commands specified using nopass are limited to the restricted PATH.  So that's good.

But it still seems that you could still do damage with a fake executable, even if a password is required.  Just put it in the local path (in $HOME)  like I did with the whoami example above and the user will be tricked into giving the password.

Of course a better example would be apt, because you'd be less likely to use root for whoami.

Last edited by JWM-Kit (2024-09-18 23:01:01)

Offline
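
A defensive check for the situation described in the posts above, where a same-named file in a $HOME directory is found before the system binary. This is an added example, not code from the thread; the function name shadowed_commands and the default list of trusted directories are assumptions made for it.

```python
import os

def shadowed_commands(path, trusted=("/usr/local/sbin", "/usr/local/bin",
                                     "/usr/sbin", "/usr/bin", "/sbin", "/bin")):
    """Return {name: (winner, shadowed)} for executables that a PATH search
    finds in an untrusted directory before a same-named file in a trusted one."""
    trusted = [os.path.realpath(d) for d in trusted]
    first_seen, findings = {}, {}
    for d in path.split(os.pathsep):
        d = os.path.realpath(d or ".")       # an empty PATH entry means the cwd
        try:
            names = sorted(os.listdir(d))
        except OSError:                      # missing or unreadable directory
            continue
        for name in names:
            full = os.path.join(d, name)
            if not (os.path.isfile(full) and os.access(full, os.X_OK)):
                continue
            if name not in first_seen:
                first_seen[name] = full      # this is what a PATH lookup runs
            elif d in trusted and os.path.dirname(first_seen[name]) not in trusted:
                findings.setdefault(name, (first_seen[name], full))
    return findings

if __name__ == "__main__":
    # Audit the current user's own PATH.
    for name, (winner, real) in shadowed_commands(os.environ.get("PATH", "")).items():
        print(f"{name}: {winner} is found before {real}")
```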

#35 2024-09-19 14:51:33

JWM-Kit
Member
Registered: 2020-06-29
Posts: 138  
Website

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

Considering my concern of a fake executable in $HOME, my doas.conf will use the setenv option to override the path order to be more aligned with the expected Linux order (as opposed to the original BSD order). Also, I have excluded the paths in $HOME. If I were to add them it would be at the end to be searched last.

permit setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin} user as root

Last edited by JWM-Kit (2024-09-19 14:52:33)

Offline

#36 2024-09-19 16:34:45

chris2be8
Member
Registered: 2018-08-11
Posts: 306  

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

That *might* not matter if you are the *only* person who can use the system. But it's a *big* concern for multi-user systems.

Offline

#37 2024-09-19 20:58:48

JWM-Kit
Member
Registered: 2020-06-29
Posts: 138  
Website

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

@chris2be8

I agree. Lots of things aren't a problem for people who understand their system. The issue is non-technical users.  Sadly it is those same users who will not make the effort to configure their system properly. Of course I'm sure those users are using sudo, so it's not an issue.

Last edited by JWM-Kit (2024-09-19 20:59:13)

Offline

#38 2024-09-20 07:36:17

bilhook
Member
Registered: 2024-02-13
Posts: 78  

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

I started with computers and with Linux in 1998, RedHat 6, Knoppix, SysRescCd, DamnSmallLinux, soon got fed up with sudo, what with trying to get to work cdc-acm gprs & usb modem & having to make kernel module etc etc etc.
Up until only some weeks ago I didn't use doas.
I booted, logged in as root, masquerade MAC address, ifup.
Another login as user, startx.
This is a good post, this learning about fake executable.
I hope we hear from zapper how he's getting on.

Offline

#39 2024-09-20 08:05:36

bilhook
Member
Registered: 2024-02-13
Posts: 78  

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

After openssl, I don't care to see sudo on Debian security.
I hope that simples doas is superior to sudo.

Offline

#40 2024-09-20 12:41:21

zapper
Member
Registered: 2017-05-29
Posts: 956  

Re: [SOLVED] Anyone know how to get doas working properly on devuan?

@bilhook @JWM-Kit

I reinstalled and doas works fine again for that purpose.  Although, I did custom instead of doas no password.

Then, I did doas poweroff and doas reboot in their respective places. Now I can shutdown and reboot the way I want.

Reinstalling sadly hasn't fixed my wine bug though.


Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term  If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!

Offline
