- Add functionality to edit a file specified on the command line.
- Add `-n` option for running prerequisite checks without editing the
configuration file.
- Install vidoas in `@PREFIX@/sbin` as it is really more of a system
maintenance command (run by administrators; requires root privileges
for editing the default **doas(1)** configuation file).
- Add a manual page (in section `8`).
- Release the code under the same MIT-like license as **doas(1)**
itself.
- Define the recipe once, and list prerequisites for each target in
separate rules.
- Also use cat(1) in the recipe in case there are multiple prerequisites
for some target in the future.
- Use mv(1) to install doas.conf to avoid writing a configuration file
while other processes might be reading it.
- Define the DOAS_CONF path once in Makefile and pass that to the
substitutions instead of recreating the full path independently in
multiple files.
- Add a separate rule for building the doas binary, instead of creating
it in the "all" target. This avoids some unnecessary re-linking.
I'm not claiming this script is now safe. It would certainly benefit
from additional review. I do think (and hope) that I did not make things
worse, at least.
It might be better to look at vipw(8) or visudo(8), which both are
written in C, for prior art on how to do this kind of thing securely.
Security changes:
- Exit on errors and if referencing unset variables.
- Set PATH so that we don't run unintended commands from the PATH that
is in the caller's environment.
- Set umask to prevent other users from having write access to the
temporary files.
- Use /var/tmp instead of /tmp, as /tmp is not shared between users on
all systems. (So trying to install a file from /tmp as root would not
find the file, if the user running vidoas is not root.)
XXX: Using /var/tmp does not guarantee this either, but is more likely
to work.
- Create a temporary file for editing and use ln(1) to acquire the lock.
This addresses a race condition between checking for the lock file and
creating it.
- Use "install -r" to avoid a truncated doas.conf from existing as would
happen with cp (or install without the "-r" option).
XXX: "install -r" is not portable.
- Use "install -m" to set the mode of the installed doas.conf file.
Changes to user experience:
- Don't check for executability of ${EDITOR} as it is not required to be
an absolute path to the executable.
- Don't install an unchanged doas.conf file.
- Don't install an empty doas.conf file.
- The above two checks result in a no-op in the case that ${EDITOR}
could not be run.
- Present the user with a choice of fixing errors or canceling changes.
- Output diagnostic messages to stderr (just like other tools do, e.g.
doas, ln, and cp).
TODO:
- Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc).
They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before
installing.
Calling setusercontext(3) makes per-user temporary storage work (see
per_user_tmp in security(7) and rc.conf(5)).
May as well also use reallocarray(3) from libc instead of the bundled
compat code.
version of the doas.conf file. Then allows the user to edit it.
The new configuration file is checked for syntax and then, if it passes,
is installed on the system. If the syntax check fails the user is asked
to fix any errors.
repeated calls to getpwuid() can over-write the original struct passwd
strucuture. This can lead to the original user's environment data
being overwritten by the target user's, even when "keepenv" is
specified in the doas.conf file.
We now do a deep copy of the original and target users' struct passwd
information to avoid over-writting the original on platforms where libc
uses a static area for all calls.
