not be respected when running doas. The default class would always
be used, ignoring both the classing class and the target user's class.
This came about because FreeBSD has a "class" field in the password
structure, but other supported systems like Linux do not. doas.c and
env.c have been patched to support FreeBSD's class field in the password
structure. Login class limits are now respected.
users to perform commands without successful commands being
logged to syslogd.
Added documentation to doas.conf manual page and doas.conf.sample
files to include tips and and example of the "nolog" flag in action.
The "nolog" flag is a feature of OpenBSD's doas command and has
been introduced for compatibility and as an optional way to avoid
filling up system logs with successful doas calls.
- Add functionality to edit a file specified on the command line.
- Add `-n` option for running prerequisite checks without editing the
configuration file.
- Install vidoas in `@PREFIX@/sbin` as it is really more of a system
maintenance command (run by administrators; requires root privileges
for editing the default **doas(1)** configuation file).
- Add a manual page (in section `8`).
- Release the code under the same MIT-like license as **doas(1)**
itself.
- Define the recipe once, and list prerequisites for each target in
separate rules.
- Also use cat(1) in the recipe in case there are multiple prerequisites
for some target in the future.
- Use mv(1) to install doas.conf to avoid writing a configuration file
while other processes might be reading it.
- Define the DOAS_CONF path once in Makefile and pass that to the
substitutions instead of recreating the full path independently in
multiple files.
- Add a separate rule for building the doas binary, instead of creating
it in the "all" target. This avoids some unnecessary re-linking.
I'm not claiming this script is now safe. It would certainly benefit
from additional review. I do think (and hope) that I did not make things
worse, at least.
It might be better to look at vipw(8) or visudo(8), which both are
written in C, for prior art on how to do this kind of thing securely.
Security changes:
- Exit on errors and if referencing unset variables.
- Set PATH so that we don't run unintended commands from the PATH that
is in the caller's environment.
- Set umask to prevent other users from having write access to the
temporary files.
- Use /var/tmp instead of /tmp, as /tmp is not shared between users on
all systems. (So trying to install a file from /tmp as root would not
find the file, if the user running vidoas is not root.)
XXX: Using /var/tmp does not guarantee this either, but is more likely
to work.
- Create a temporary file for editing and use ln(1) to acquire the lock.
This addresses a race condition between checking for the lock file and
creating it.
- Use "install -r" to avoid a truncated doas.conf from existing as would
happen with cp (or install without the "-r" option).
XXX: "install -r" is not portable.
- Use "install -m" to set the mode of the installed doas.conf file.
Changes to user experience:
- Don't check for executability of ${EDITOR} as it is not required to be
an absolute path to the executable.
- Don't install an unchanged doas.conf file.
- Don't install an empty doas.conf file.
- The above two checks result in a no-op in the case that ${EDITOR}
could not be run.
- Present the user with a choice of fixing errors or canceling changes.
- Output diagnostic messages to stderr (just like other tools do, e.g.
doas, ln, and cp).
TODO:
- Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc).
They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before
installing.
Calling setusercontext(3) makes per-user temporary storage work (see
per_user_tmp in security(7) and rc.conf(5)).
May as well also use reallocarray(3) from libc instead of the bundled
compat code.
