On 2023-02-02, Jon Fineman <j...@fineman.me> wrote:
> I was following the doas.conf example in
> <https://man.openbsd.org/OpenBSD-6.0/man5/doas.conf.5>
>
> Specifically, I added the below:
> permit nopass setenv { \
>         FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \
>         DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \
>         MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \
>         PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \
>         SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
>
> Above these I have my regular conf of:
> permit :wheel
> permit persist keepenv root
> permit persist keepenv jjf as root
> permit nopass jjf cmd reboot
>
> I find that with that I can run the below commands without being
> prompted for a password from doas. Is that expected from the above
> settings?

With those rules in the order you described: yes, if you're a member of
group wsrc.

        "The last matching rule determines the action taken."

> settings? The description implies that this is helpful for building
> ports.

If you have configured doas with "nopass" to allow any commands for an
account (or to allow a restricted command which has a way to allow another
user-chosen command to be run as a result), you can consider that account
as being root-equivalent.

That *might* be sort-of appropriate in some cases on a machine with
nothing sensitive that isn't used to connect to anything else sensitive,
though I wouldn't say it's really safer than just logging in and running
everything as root.

(That, imho unfortunate, example was removed from the manual after 6.0
and I suggest you do not use it).
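
The rule ordering discussed in this thread, as an added example that is not part of the original messages or of doas itself: a small Python evaluator for a subset of doas.conf that applies the last-match rule to the posted configuration and lists identities whose nopass rule has no cmd restriction. The group memberships used when calling it, the shortened setenv list, the exact-string cmd comparison and all function names are assumptions made for illustration.

```python
import re

# Rules from the post in the order described (wsrc rule last); setenv list shortened.
POSTED_CONF = r"""
permit :wheel
permit persist keepenv root
permit persist keepenv jjf as root
permit nopass jjf cmd reboot
permit nopass setenv { \
        FTPMODE PKG_CACHE PKG_PATH } :wsrc
"""
OPTIONS = ("nopass", "nolog", "persist", "keepenv", "setenv")

def parse(conf):
    """Parse a subset of doas.conf: action, options, identity, 'as', 'cmd' (args ignored)."""
    rules = []
    for line in conf.replace("\\\n", " ").splitlines():   # join continuation lines
        # Drop comments; the setenv variable list does not affect rule matching.
        line = re.sub(r"setenv\s*\{[^}]*\}", "setenv", line.split("#", 1)[0])
        tok = line.split()
        if not tok:
            continue
        rule = {"action": tok[0], "opts": set(), "target": None, "cmd": None}
        i = 1
        while tok[i] in OPTIONS:
            rule["opts"].add(tok[i])
            i += 1
        rule["ident"] = tok[i]
        i += 1
        if i < len(tok) and tok[i] == "as":
            rule["target"] = tok[i + 1]
            i += 2
        if i < len(tok) and tok[i] == "cmd":
            rule["cmd"] = tok[i + 1]
        rules.append(rule)
    return rules

def decide(rules, user, groups, cmd, target="root"):
    """Return the last rule matching the request, or None (no match means denied)."""
    last = None
    for r in rules:
        who = r["ident"][1:] in groups if r["ident"].startswith(":") else r["ident"] == user
        if who and r["target"] in (None, target) and r["cmd"] in (None, cmd):
            last = r          # keep going: a later match overrides an earlier one
    return last

def root_equivalent(rules):
    """Identities holding a 'permit nopass' rule with no cmd restriction."""
    return [r["ident"] for r in rules
            if r["action"] == "permit" and "nopass" in r["opts"] and r["cmd"] is None]
```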

