On Tue, 22 Sep 2015 17:41:57 +0900 Joel Rees <joel.r...@gmail.com> wrote:
> I have this rule in doas.conf:
> 
>     permit nopass user1 as user2
> 
> As user1, I try this at the command line:
> 
>     doas -u user2 whoami
> 
> and it tells me I am user2, as I expect. And
> 
>    doas -u user2 ls
> 
> tells me I don't have permission. I kind of expect this.
> 
> I'm looking for a way to do the equivalent of
> 
>     sudo -u user2 -s "cd; ls"
> 
> I don't see a way to do this with doas, at least not without a short
> intermediary script, which script is not going to be able to do cd ~/.
> 
> Should I assume that doas is not intended to do this sort of thing?
> 
> (And therefore do things "right" by setting up ssh with public-key
> authentication to do the user switch?)
> 
> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/ )
> 
> Joel Rees
> 
> Computer memory is just fancy paper,
> CPUs just fancy pens.
> All is a stream of text
> flowing from the past into the future.
> 

If you are just trying to run multiple commands, you can do it under a
shell, e.g.

$ doas -u user2 ksh -c "cd; ls"

although it may be better to do

$ doas -u user2 ksh -c "cd && ls"

so that you know it successfully changed dir.

If you are trying to 'cd' to user2's home, that's slightly more tricky,
since $HOME is maintained from the parent shell. There doesn't seem to
be a simple way to get a login shell, but there is a way using su.

In /etc/doas.conf:

  permit nopass user1 as root cmd su args -l user2

and you can run:

  $ doas su -l user2

but that doesn't seem to let you run commands.


Although, if you just want to log in as user2, you can use ssh (you don't
necessarily need chroot). You can just set up
/home/user2/.ssh/authorized_keys and do:

$ ssh user2@localhost

and you can run a command that way with no problem, and it's simpler:

$ ssh user2@localhost ls

If you are using firefox this would be better since you have -X (X11
security restrictions).

$ ssh -X user2@localhost firefox

If you do want to go down that route though, see this:
https://marc.info/?l=openbsd-misc&m=142676615612510&w=2

You needn't go all the way, but the info is still good re ssh.


If you just want to run the command as the user as if they were logged
in, ssh is probably your best bet:

$ ssh user2@localhost ksh -c "cd; ls"

According to sudo(8), your original "cd; ls" would be passed to the
shell just as above. So basically that last command is the equivalent
of your 'sudo -u user2 -s "cd; ls"'.

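The reply's point about `cd; ls` versus `cd && ls` is worth seeing with exit codes in hand, since under `doas -u user2 ksh -c "..."` a failed `cd` followed by `;` means the second command silently runs in whatever directory doas started in. The wrapper below is an added example, not code from the thread or from the doas project; it defaults to a plain `sh -c` so it runs without doas, and the `RUNNER` variable (an assumption for this example) is where the real `doas -u user2 ksh -c` invocation would go.

```shell
#!/bin/sh
# Added example (not from the original thread): a small wrapper around the
# "doas -u user2 ksh -c 'cd DIR && CMD'" pattern. RUNNER defaults to plain
# "sh -c" so the script runs offline; set RUNNER="doas -u user2 ksh -c"
# (hypothetical setting for this example) to run the chain as user2.
RUNNER="${RUNNER:-sh -c}"

# run_in_dir DIR CMD...: change into DIR and run CMD as one shell string.
# The && means a failed cd aborts the chain and the wrapper returns non-zero,
# instead of running CMD in the caller's current directory.
run_in_dir() {
    dir=$1
    shift
    $RUNNER "cd \"$dir\" && $*"
}

# run_in_dir_unsafe DIR CMD...: the ';' form from the original question,
# kept only to show the difference. CMD still runs (and the wrapper still
# returns 0) even when the cd fails.
run_in_dir_unsafe() {
    dir=$1
    shift
    $RUNNER "cd \"$dir\"; $*"
}

# Demonstration when run directly: the && form refuses to run pwd because
# the directory does not exist; the ; form runs pwd anyway.
if run_in_dir /nonexistent-dir-for-demo pwd; then
    echo "unexpected: '&&' chain succeeded"
else
    echo "'&&' chain: cd failed, pwd was not run"
fi
if run_in_dir_unsafe /nonexistent-dir-for-demo pwd; then
    echo "';' chain: cd failed but pwd still ran (see path above)"
fi
```

The quoting matters: the whole `cd ... && ...` string is passed as a single argument to `ksh -c`, so doas sees exactly one command (`ksh`) and the chain is evaluated by the target user's shell, not by the calling shell.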