On 2018-09-12, Hajime Edakawa <hajime.edak...@gmail.com> wrote:
> Hello to all,
>
> I am sorry to say that I could not understand this behavior intuitively.
>
> $ id -Gn
> hajime wheel
> $ cat /etc/doas.conf
> permit nopass hajime as root cmd mg # A
> permit keepenv :wheel # B
> $ doas mg /etc/doas.conf # no password, ok.
> ...
> $

Something seems wrong here, because it is documented as "last match wins",
and that is how it works for me (amd64 -current, FWIW). Last match is
"permit keepenv :wheel", so it should ask for a password.

$ printf 'permit nopass sthen as root cmd mg\npermit keepenv :wheel\n' > test
$ doas -C test mg
permit

> But,
>
> $ id -Gn
> hajime wheel
> $ cat /etc/doas.conf
> permit keepenv :wheel # B
> permit nopass hajime as root cmd mg # A
> $ doas mg /etc/doas.conf # require password, ok?
> doas (***) password:
> ...
> $
>
> I understand the former, but I could not understand the latter.
> My question is whether is this correct behavior?

This seems wrong too, that isn't what I see (the last match here is the
"nopass" line)

$ printf 'permit keepenv :wheel\npermit nopass sthen as root cmd mg\n' > test
$ doas -C test mg
permit nopass

> And,
>
> $ id -Gn
> hajime wheel
> $ cat /etc/doas.conf
> permit keepenv :games # New B: other than wheel group
> permit nopass hajime as root cmd mg # A
> $ doas mg /etc/doas.conf # no password, ok.
> ...
> $

This one is working how I expect, last match is "nopass" and that's what
you get.

$ printf 'permit keepenv :games\npermit nopass sthen as root cmd mg\n' > test
$ doas -C test mg
permit nopass

> Excuse me if you not understand or you feel bad with my poor English.

There is absolutely no problem with your English in this mail, it's very
clear :)

What isn't clear, is why doas is behaving like this. Which version are
you running? (dmesg is always a good idea).
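
The "last match wins" evaluation discussed in this message, as an added example that is not part of the original mail and is not doas's own code. It is a simplified Python model of a subset of doas.conf (permit/deny, the nopass/keepenv/persist options, "as" and "cmd"); the function names are hypothetical and the three configs are the ones quoted in the thread.

```python
import shlex

OPTIONS = ("nopass", "keepenv", "persist")

def parse_rules(text):
    """Parse rules of the form: permit|deny [options] identity [as target] [cmd command]."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)   # drops trailing "# A" comments
        if not tok:
            continue
        rule = {"action": tok[0], "options": set(), "target": None, "cmd": None}
        i = 1
        while i < len(tok) and tok[i] in OPTIONS:
            rule["options"].add(tok[i]); i += 1
        rule["identity"] = tok[i]; i += 1
        if i < len(tok) and tok[i] == "as":
            rule["target"] = tok[i + 1]; i += 2
        if i < len(tok) and tok[i] == "cmd":
            rule["cmd"] = tok[i + 1]
        rules.append(rule)
    return rules

def matches(rule, user, groups, target, command):
    ident = rule["identity"]
    if ident.startswith(":"):                    # ":wheel" matches by group membership
        if ident[1:] not in groups:
            return False
    elif ident != user:
        return False
    if rule["target"] is not None and rule["target"] != target:
        return False
    return rule["cmd"] is None or rule["cmd"] == command

def check(config, user, groups, command, target="root"):
    """Model of the `doas -C` verdict: the LAST matching rule decides."""
    last = None
    for rule in parse_rules(config):
        if matches(rule, user, groups, target, command):
            last = rule                          # a later match overrides an earlier one
    if last is None or last["action"] != "permit":
        return "deny"
    return "permit nopass" if "nopass" in last["options"] else "permit"

# The three configurations quoted in the thread
A_THEN_WHEEL = "permit nopass hajime as root cmd mg # A\npermit keepenv :wheel # B\n"
WHEEL_THEN_A = "permit keepenv :wheel # B\npermit nopass hajime as root cmd mg # A\n"
GAMES_THEN_A = "permit keepenv :games # New B\npermit nopass hajime as root cmd mg # A\n"
GROUPS = {"hajime", "wheel"}                     # from the quoted `id -Gn` output
```

Under this model the first config yields "permit" (password required) and the other two yield "permit nopass", matching the `doas -C` results shown in the reply.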