On 2023-02-02, Jon Fineman <j...@fineman.me> wrote:
> I was following the doas.conf example in
> <https://man.openbsd.org/OpenBSD-6.0/man5/doas.conf.5>
>
> Specially I added the below:
> permit nopass setenv { \
> FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \
> DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \
> MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \
> PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \
> SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
>
> Above these I have my regular conf of:
> permit :wheel
> permit persist keepenv root
> permit persist keepenv jjf as root
> permit nopass jjf cmd reboot
>
> I find that with that I can run the below commands without being
> prompted for a password from doas. Is that expected from the above
> settings?

With those rules in the order you described: yes, if you're a member of
group wsrc. "The last matching rule determines the action taken."

> settings? The description implies that this is helpful for building
> ports.

If you have configured doas with "nopass" to allow any commands for an
account (or to allow a restricted command which has a way to allow
another user-chosen command to be run as a result), you can consider
that account as being root-equivalent.

That *might* be sort-of appropriate in some cases on a machine with
nothing sensitive that isn't used to connect to anything else sensitive,
though I wouldn't say it's really safer than just logging in and running
everything as root.

(That, imho unfortunate, example was removed from the manual after 6.0
and I suggest you do not use it).
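
Added example, not part of the thread and not doas's own code: a small Python evaluator for a subset of doas.conf syntax (permit/deny, the nopass/persist/keepenv options, setenv blocks ignored, user or :group identity, "as", "cmd" without args) that applies the last-matching-rule behaviour to the rules quoted above. The function names, the shortened setenv list and the test users are assumptions made for illustration.

```python
import re

# Constructed from the rules quoted in the thread (setenv list shortened).
THREAD_CONF = r"""
permit :wheel
permit persist keepenv root
permit persist keepenv jjf as root
permit nopass jjf cmd reboot
permit nopass setenv { \
    FTPMODE PKG_CACHE PKG_PATH } :wsrc
"""

OPTIONS = {"nopass", "persist", "keepenv"}

def parse(conf):
    """Parse a subset of doas.conf into a list of rule dicts, in file order."""
    rules = []
    text = conf.replace("\\\n", " ")               # join continuation lines
    for line in text.splitlines():
        # Drop comments and setenv { ... }; neither affects rule matching.
        line = re.sub(r"setenv\s*\{[^}]*\}", "", line.split("#")[0])
        tok = line.split()
        if not tok:
            continue
        rule = {"action": tok[0], "opts": set(), "target": None, "cmd": None}
        i = 1
        while i < len(tok) and tok[i] in OPTIONS:
            rule["opts"].add(tok[i])
            i += 1
        rule["ident"] = tok[i]
        i += 1
        if i < len(tok) and tok[i] == "as":
            rule["target"] = tok[i + 1]
            i += 2
        if i < len(tok) and tok[i] == "cmd":
            rule["cmd"] = tok[i + 1]
        rules.append(rule)
    return rules

def decide(rules, user, groups, cmd, target="root"):
    """Return 'deny', 'password' or 'nopass'; the last matching rule wins."""
    last = None
    for r in rules:
        who = r["ident"]
        ident_ok = who[1:] in groups if who.startswith(":") else who == user
        if ident_ok and r["target"] in (None, target) and r["cmd"] in (None, cmd):
            last = r                                # later matches override earlier
    if last is None or last["action"] != "permit":
        return "deny"
    return "nopass" if "nopass" in last["opts"] else "password"
```

Running decide() for every local account and group set against a real doas.conf is a quick way to list which accounts end up with unrestricted nopass, i.e. the root-equivalent ones described above.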