On Fri, Jul 31, 2015 at 03:14:44PM +0200, Hikari Boulders wrote:
> Yes, this is resolved. But isn't it still an inconsistency with the line
>
> The last matching rule determines the action taken.
>
> from doas.conf(5)? It seems to me that if you specify a line permitting as
> any user, and *later* specify a user, that it is still written a little too
> vague.
>
Sorry, I don't quite follow what you're saying. Could you please provide a
config file that leads to said unexpected behavior?

It seems that you talk about something like the following doas.conf file:

--- 8< ---
# allow theo to do everything as every user without password
permit nopass theo
# except using /usr/bin/touch as builder
deny theo as builder cmd /usr/bin/touch
# except that he can touch /tmp/bar upon entering his password
permit theo as builder cmd /usr/bin/touch args /tmp/bar
--- >8 ---

$ doas -u builder /usr/bin/touch /tmp/foo    # rule 2 applies
Permission denied
$ doas -u builder /usr/bin/touch /tmp/bar    # rule 3 applies
Password:
$ doas -u builder /bin/ls -l /tmp            # rule 1 applies
[...]
-rw-r--r--  1 builder  wheel  0 Jul 31 20:45 bar
[...]

Without the second rule, the behavior is consistent with the manual as well:

--- 8< ---
permit nopass theo
permit theo as builder cmd /usr/bin/touch args /tmp/bar
--- >8 ---

$ doas -u builder /usr/bin/touch /tmp/foo    # rule 1 applies
$ doas -u builder /usr/bin/touch /tmp/bar    # rule 2 applies
Password:
$
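The "last matching rule wins" evaluation the mail walks through, as an added Python model written for this thread (it is not doas's own code). It handles only the permit/deny, nopass, as, cmd and args keywords used in the two configurations above, ignores group identities and the other options, and assumes that cmd must equal the requested program path and args the remaining argv exactly.

```python
import shlex
from collections import namedtuple

# One parsed doas.conf line; groups, persist/keepenv/setenv are not modelled here.
Rule = namedtuple("Rule", "action nopass identity target cmd args")

def parse_conf(text):
    """Parse the subset: permit|deny [nopass] identity [as user] [cmd path [args ...]]."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)        # '#' starts a comment
        if not tok:
            continue
        action, nopass = tok.pop(0), False
        while tok and tok[0] in ("nopass", "persist", "keepenv"):
            nopass |= tok.pop(0) == "nopass"
        identity, target, cmd, args = tok.pop(0), None, None, None
        while tok:
            kw = tok.pop(0)
            if kw == "as":
                target = tok.pop(0)
            elif kw == "cmd":
                cmd = tok.pop(0)
            elif kw == "args":
                args, tok = tok, []                   # rest of the line is the exact argv
            else:
                raise ValueError(f"unsupported keyword {kw!r}")
        rules.append(Rule(action, nopass, identity, target, cmd, args))
    return rules

def evaluate(rules, user, target, cmd, args):
    """Return 'deny', 'permit' (password asked) or 'permit nopass'.
    Every rule is checked in order and the LAST matching one decides."""
    decision = "deny"                                 # nothing matched: doas refuses
    for r in rules:
        if (r.identity == user and r.target in (None, target)
                and r.cmd in (None, cmd) and r.args in (None, list(args))):
            decision = ("deny" if r.action == "deny"
                        else "permit nopass" if r.nopass else "permit")
    return decision

# The three-rule configuration from the mail above, embedded for the demonstration.
CONF = """\
permit nopass theo
deny theo as builder cmd /usr/bin/touch
permit theo as builder cmd /usr/bin/touch args /tmp/bar
"""
```

Calling `evaluate(parse_conf(CONF), "theo", "builder", "/usr/bin/touch", ["/tmp/foo"])` reproduces the "rule 2 applies" case, and dropping the deny line reproduces the second session in the mail.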

