on username instead of numeric UID. This makes using
doas smoother on systems like FreeBSD where it's common
to have multiple usernames for UID 0 (zero).
Thanks to helmat for the patch.
variables (like LANG) are set from the target user when logins are simulated with the -S flag.
However, login.conf environment variables of the target user are not set
when -S is not specified so we keep the calling user's language/environment
for most things.
not be respected when running doas. The default class would always
be used, ignoring both the classing class and the target user's class.
This came about because FreeBSD has a "class" field in the password
structure, but other supported systems like Linux do not. doas.c and
env.c have been patched to support FreeBSD's class field in the password
structure. Login class limits are now respected.
users to perform commands without successful commands being
logged to syslogd.
Added documentation to doas.conf manual page and doas.conf.sample
files to include tips and and example of the "nolog" flag in action.
The "nolog" flag is a feature of OpenBSD's doas command and has
been introduced for compatibility and as an optional way to avoid
filling up system logs with successful doas calls.
repeated calls to getpwuid() can over-write the original struct passwd
strucuture. This can lead to the original user's environment data
being overwritten by the target user's, even when "keepenv" is
specified in the doas.conf file.
We now do a deep copy of the original and target users' struct passwd
information to avoid over-writting the original on platforms where libc
uses a static area for all calls.
- amalleo25
Provided cleaner fix for crash when user/command has
no valid match in the doas.conf file.
- amalleo25
Removed option to match UID with -u flag. Provided
usernames must now match a username, not UID. This was
ambigious if a user had a numeric username.
- Jesse
Added flag to display all warnings during compiling.
Added status checks when parsing user/group IDs for Linux.
Make sure Linux drops original user's groups when running as another user.
Seeing this being used on even more system like Illumos with this ugly
and security critical bug open makes me cringe every time I check if it
was finally fixed.
I reported it directly to the maintainer in 2017. I reported it to
pkgsrc-security@netbsd.org without a response.
and PATH from the original user to the target user. This could cause
files in the wrogn path or home directory to be read (or written to),
which resulted in potential security problems.
This has been changed so that only DISPLAY and TERM are passed to the
new environment. This is fine for running command line programs. When
GUI programs need to be run, "keepenv" can be added to the user's
doas.conf entry. This results in variables like HOME being copied
to the target user, allowing GUI programs to run.
Many thanks to Sander Bos for reporting this issue and explaining
how it can be exploited.
This commit also adds the ability to pass a customized PATH to
target users. The new PATH can be set at compile time in the
Makefile. The default path is provided in the Makefile and commented
out.
commands matching the "cmd" parameter in doas.conf. The path
should be shortened to system-standard paths. This prevents
the user from injecting their own application with a familiar
name in their PATH variable and tricking doas into running it.
openpam_ttyconv checks if stdin is a terminal and if it is then does
not bother to open /dev/tty. The result is that PAM writes the
password prompt directly to stdout. In scenarios where stdin is a
terminal, but stdout is redirected to a file e.g. by running doas ls
&> ls.out interactively, the password prompt gets written to ls.out as
well. By closing stdin first we forces PAM to read/write to/from the
terminal directly. We restore stdin after authenticating.
Also see https://github.com/freebsd/freebsd/blob/master/contrib/openpam/lib/libpam/openpam_ttyconv.c#L293
been set in the doas.conf file) then we do not need to redirect a password
prompt to stderr. This patch makes sure output is displayed properly
when the user authenticates with "nopass" set.
