On Fri, Apr 1, 2016 at 2:33 PM, Tor Houghton <t...@bogus.net> wrote:
> Now that sudo is out of base, I am wondering -- do I need to add it again,
> or does doas.conf allow for specifying commands with arguments?
>
> Obviously not like this (doas doesn't like that), but akin to:
>
>         permit nopass support as root cmd /usr/sbin/rcctl restart ntpd
>
> I don't want the support user to be able to use rcctl on any daemon process,
> basically.

Sooo close.  To quote doas.conf(5):

     The rules have the following format:

           permit|deny [options] identity [as target] [cmd command [args ...]]
...
     cmd command  The command the user is allowed or denied to run.  The
                  default is all commands.  Be advised that it's best to
                  specify absolute paths.  If a cmd is specified, only a
                  restricted PATH will be searched.

     args ...     Arguments to command.  If specified, the command arguments
                  provided by the user need to match for the command to be
                  successful.  Specifying args alone means that command should
                  be run without any arguments.

'args' is *literal* there, so the correct config line would be
    permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd


Philip Guenther
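
The matching rules quoted from doas.conf(5) in the reply above, as an added example that is not part of the original message and is not doas source code: a simplified Python model showing that the asker's line is a syntax error and that `args restart ntpd` confines the rule to exactly that invocation. Group identities and brace-style options are not modelled, and the sample invocations in the test are constructed.

```python
# Simplified model of doas.conf(5) rule matching. Added example, not doas source.
import shlex

BARE_OPTIONS = {"nopass", "keepenv", "persist", "nolog"}  # setenv { ... } not modelled

def parse_rule(line):
    """Parse: permit|deny [options] identity [as target] [cmd command [args ...]]"""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny and name an identity")
    rule = {"action": tok[0], "target": None, "cmd": None, "args": None}
    i = 1
    while i < len(tok) - 1 and tok[i] in BARE_OPTIONS:
        i += 1
    rule["ident"] = tok[i]
    i += 1
    if tok[i:i + 1] == ["as"] and i + 1 < len(tok):
        rule["target"] = tok[i + 1]
        i += 2
    if tok[i:i + 1] == ["cmd"] and i + 1 < len(tok):
        rule["cmd"] = tok[i + 1]
        i += 2
        if tok[i:i + 1] == ["args"]:      # 'args' is a literal keyword
            rule["args"] = tok[i + 1:]    # [] means "no arguments allowed"
            i = len(tok)
    if i != len(tok):
        raise ValueError("syntax error near %r" % tok[i])
    return rule

def matches(rule, user, target, cmd, argv):
    if rule["ident"] != user:             # group identities (":wheel") not modelled
        return False
    if rule["target"] is not None and rule["target"] != target:
        return False
    if rule["cmd"] is not None:
        if rule["cmd"] != cmd:
            return False
        if rule["args"] is not None and rule["args"] != list(argv):
            return False                  # args must match exactly, count included
    return True

def permitted(rules, user, target, cmd, argv):
    """Last matching rule wins; no match means deny (per doas.conf(5))."""
    last = None
    for rule in rules:
        if matches(rule, user, target, cmd, argv):
            last = rule
    return last is not None and last["action"] == "permit"
```

On a real system, `doas -C /etc/doas.conf /usr/sbin/rcctl restart ntpd` run as the support user reports how doas itself would decide, without executing the command.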
