On 07/28/2015 09:35 AM, Theo Buehler wrote:
> On Mon, Jul 27, 2015 at 10:44:00PM +0200, Alexander Hall wrote:
>> On July 27, 2015 3:22:13 PM GMT+02:00, Theo Buehler
>> <t...@math.ethz.ch> wrote:
>>> On Mon, Jul 27, 2015 at 03:13:55PM +0200, Marc Espie wrote:
>>>> On Mon, Jul 27, 2015 at 02:40:53PM +0200, Theo Buehler wrote:
>>>>> So omitting [as identity] allows me to run as every user, not
>>>>> just as root?  Is this intentional?
>>>>
>>>> I think it's intentional. It's definitely what I would expect:
>>>> [as identity] is a restrictive modifier. If you want to only be
>>>> able to run as root, you write "as root".
>>>
>>> Ok thanks, this makes sense, but it is not quite clear (to me) from
>>> the docs that this is a "restrictive quantifier".
>>>
>>> The bit I quoted from the man page on "as target" says "The
>>> default is root.", not "root and everybody else".  (Sorry I should
>>> have written "as target", not "as identity" in my mail)
>>>
>>>> How would you phrase things if it wasn't the case ?..
>>>
>>> As indicated above I would probably write something like "as root and
>>> every other user" instead of simply "as root".
>>
>> Assuming you are properly quoting the docs, and I have no reason to
>> believe otherwise, it should certainly not say "as root", but rather
>> "as anyone".
>
> This was resolved by tedu@'s most recent commit to doas.conf.5:
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/doas/doas.conf.5.diff?r1=1.12&r2=1.13
>
> Thanks to espie@ and halex@ for helping me understand where my confusion
> came from.


Yes, this is resolved. But isn't it still an inconsistency with the line

  The last matching rule determines the action taken.

from doas.conf(5)? It seems to me that if you specify a line permitting as any user, and *later* specify a user, that it is still written a little too vague.
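
The two semantics discussed in this thread (a rule with no "as target" matches any target user, and the last matching rule determines the action) can be modelled in a few lines to see how they interact. This is an added example, not code from doas or from any participant in the thread; the `Rule`, `parse`, `matches` and `decide` names, the user and group names, and the sample configs are all constructed, and only the identity and target parts of a rule are modelled.

```python
# Simplified model of doas.conf(5) rule evaluation (identity and target only).
# Added illustration; rule syntax subset and all user names are constructed.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str             # "permit" or "deny"
    identity: str           # user name, or ":group"
    target: Optional[str]   # None when "as target" is omitted

def parse(line: str) -> Rule:
    """Parse 'permit|deny identity [as target]' (options and cmd not modelled)."""
    words = line.split()
    if len(words) not in (2, 4) or words[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    if len(words) == 4 and words[2] != "as":
        raise ValueError(f"unsupported rule: {line!r}")
    return Rule(words[0], words[1], words[3] if len(words) == 4 else None)

def matches(rule: Rule, user: str, groups: set, target: str) -> bool:
    if rule.identity.startswith(":"):
        if rule.identity[1:] not in groups:
            return False
    elif rule.identity != user:
        return False
    # An omitted "as target" restricts nothing: the rule matches any target.
    return rule.target is None or rule.target == target

def decide(conf: str, user: str, groups: set, target: str = "root") -> bool:
    """Return True if the last matching rule is a permit; no match means deny."""
    last = None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rule = parse(line)
            if matches(rule, user, groups, target):
                last = rule
    return last is not None and last.action == "permit"

# Constructed configs. BROAD looks root-only but is not; the later "as root"
# line in LATER_AS does not narrow the earlier rule, because for target
# "backup" it simply does not match and the first rule stays the last match.
BROAD = "permit alice"
LATER_AS = "permit alice\npermit alice as root"
ROOT_ONLY = "permit alice as root"
DENY_AFTER = "permit :wheel\ndeny bob as root"
```

In this model, limiting a user to root means writing "as root" on every permit rule that matches them; a narrower rule added later only takes effect for requests it actually matches.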
