On 02/14/17 16:29, Sebastian Benoit wrote:
> Paul de Weerd(we...@weirdnet.nl) on 2017.02.14 15:57:43 +0100:
>> Consider the following:
>>
>> 1 [weerd@despair] $ doas true
>> 2 doas (we...@despair.weirdnet.nl) password:
>> 3 [weerd@despair] $ doas true
>> 4 [weerd@despair] $ doas -n true
>> 5 doas: Authorization required
>>
>> I have 'persist' to allow doas to not prompt for a password on
>> subsequent invocations. However, then using 'doas -n' complains
>> "Authorization required" while the manpage says for -n: "Non
>> interactive mode, fail if doas would prompt for password."
>>
>> Doas wouldn't prompt for a password if -n wasn't specified (see line
>> 3), so why does it fail in line 4?
>>
>> Is this a bug in doas or in the manpage?
>
> The -n option helps to use doas non-interactively.
> It's debatable whether 'persist' is useful with non-interactive usage, but
> this fixes it:
OK martijn@ > > diff --git usr.bin/doas/doas.c usr.bin/doas/doas.c > index 98f06aa1165..a1666530166 100644 > --- usr.bin/doas/doas.c > +++ usr.bin/doas/doas.c > @@ -194,7 +194,7 @@ checkconfig(const char *confpath, int argc, char **argv, > } > > static void > -authuser(char *myname, char *login_style, int persist) > +authuser(char *myname, char *login_style, int persist, int nflag) > { > char *challenge = NULL, *response, rbuf[1024], cbuf[128]; > auth_session_t *as; > @@ -207,6 +207,9 @@ authuser(char *myname, char *login_style, int persist) > goto good; > } > > + if (nflag) > + errx(1, "Authorization required"); > + > if (!(as = auth_userchallenge(myname, login_style, "auth-doas", > &challenge))) > errx(1, "Authorization failed"); > @@ -357,12 +360,8 @@ main(int argc, char **argv) > errc(1, EPERM, NULL); > } > > - if (!(rule->options & NOPASS)) { > - if (nflag) > - errx(1, "Authorization required"); > - > - authuser(myname, login_style, rule->options & PERSIST); > - } > + if (!(rule->options & NOPASS)) > + authuser(myname, login_style, rule->options & PERSIST, nflag); > > if (pledge("stdio rpath getpw exec id", NULL) == -1) > err(1, "pledge"); >
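Review bot: in the second authuser() hunk, the new `if (nflag) errx(1, "Authorization required");` is only correct because it sits after the persist path's `goto good` and before `auth_userchallenge()`, and nothing in the code records that. A short comment above the check, saying that -n may fail only once a valid persisted session has been ruled out and must fail before any challenge is issued, would keep a later reorder from bringing back the behaviour reported in this thread or from prompting under -n.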
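Review bot: in the main() hunk, the call `authuser(myname, login_style, rule->options & PERSIST, nflag);` now passes two adjacent bare int flags, so swapping them would compile without a warning while changing when -n is refused. Documenting the parameter order at the authuser() definition, or passing both as bits of a single flags argument, would make the call site harder to get wrong.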