Re: doas.conf cmd with argument(s)
On Mon, Apr 04, 2016 at 08:08:19AM +0100, Jason McIntyre wrote:
>
> it is a bit inconsistent, yes.
>
> it is very much less readable with a line break. you could remove the
> offset, but that doesn't look great either. you could specify a smaller
> offset and juggle the actual text a bit.
>
> the text is clear enough. i don't really have a problem with what's
> there. at least, i don't see an easy way to both make the change you're
> requesting and have it still read nicely.
>

I made a "patch comment" in my reply to Guenther; perhaps all you need is to
add another example with args, e.g. under the line with the "tedu" user?

Tor
Re: doas.conf cmd with argument(s)
On Mon, Apr 04, 2016 at 12:26:50AM +0200, Tim van der Molen wrote:
> Philip Guenther (2016-04-01 23:47 +0200):
> > Sooo close. To quote doas.conf(5):
> >
> >      The rules have the following format:
> >
> >            permit|deny [options] identity [as target] [cmd command [args ...]]
> ...
> > 'args' is *literal* there, so the correct config line would be
> >     permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd
>
> I think doas.conf(5) is misleading here: the ellipsis in "args ..."
> implies that "args" is an argument that may be given multiple times.
>
> Hence "args ..." should be replaced by "args [arg ...]" as done in the
> diff below. (Unfortunately, with this diff the rule format will no
> longer fit on one line.)
>

it is a bit inconsistent, yes.

it is very much less readable with a line break. you could remove the
offset, but that doesn't look great either. you could specify a smaller
offset and juggle the actual text a bit.

the text is clear enough. i don't really have a problem with what's
there. at least, i don't see an easy way to both make the change you're
requesting and have it still read nicely.

jmc

> Index: doas.conf.5 > === > RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v > retrieving revision 1.18 > diff -p -u -r1.18 doas.conf.5 > --- doas.conf.5 2 Jan 2016 08:34:47 - 1.18 > +++ doas.conf.5 3 Apr 2016 22:25:17 - > @@ -35,7 +35,7 @@ The rules have the following format: > .Op Ar options > .Ar identity > .Op Ic as Ar target > -.Op Ic cmd Ar command Op Ic args ... > +.Op Ic cmd Ar command Op Ic args Op Ar arg ... > .Ed > .Pp > Rules consist of the following parts: > @@ -78,7 +78,7 @@ Be advised that it's best to specify abs > If a cmd is specified, only a restricted > .Ev PATH > will be searched. > -.It Ic args ... > +.It Ic args Op Ar arg ... > Arguments to command. > If specified, the command arguments provided by the user > need to match for the command to be successful.
Re: doas.conf cmd with argument(s)
Philip Guenther (2016-04-01 23:47 +0200):
> Sooo close. To quote doas.conf(5):
>
>      The rules have the following format:
>
>            permit|deny [options] identity [as target] [cmd command [args ...]]
...
> 'args' is *literal* there, so the correct config line would be
>     permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd

I think doas.conf(5) is misleading here: the ellipsis in "args ..."
implies that "args" is an argument that may be given multiple times.

Hence "args ..." should be replaced by "args [arg ...]" as done in the
diff below. (Unfortunately, with this diff the rule format will no
longer fit on one line.)

Index: doas.conf.5 === RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v retrieving revision 1.18 diff -p -u -r1.18 doas.conf.5 --- doas.conf.5 2 Jan 2016 08:34:47 - 1.18 +++ doas.conf.5 3 Apr 2016 22:25:17 - @@ -35,7 +35,7 @@ The rules have the following format: .Op Ar options .Ar identity .Op Ic as Ar target -.Op Ic cmd Ar command Op Ic args ... +.Op Ic cmd Ar command Op Ic args Op Ar arg ... .Ed .Pp Rules consist of the following parts: @@ -78,7 +78,7 @@ Be advised that it's best to specify abs If a cmd is specified, only a restricted .Ev PATH will be searched. -.It Ic args ... +.It Ic args Op Ar arg ... Arguments to command. If specified, the command arguments provided by the user need to match for the command to be successful.
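Review bot: In the @@ -35,7 +35,7 hunk, the replacement line ".Op Ic cmd Ar command Op Ic args Op Ar arg ..." is longer than the one it removes, and the message above already says the rendered rule format will no longer fit on one line. A wrapped synopsis is harder to read and to copy into doas.conf correctly, so consider reducing the offset of the display that closes at ".Ed" in the same change, so that the format line still renders unbroken.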
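Review bot: In the @@ -78,7 +78,7 hunk, the item header becomes ".It Ic args Op Ar arg ..." but the description under it still opens with "Arguments to command." and never says that args is a keyword to be typed literally before the arguments. Since this paragraph decides how narrowly a rule restricts a command, suggest rewording its first sentence to name the keyword and the arg list separately, and saying what "need to match" means (for example, whether the comparison is exact).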
Re: doas.conf cmd with argument(s)
On Fri, Apr 01, 2016 at 02:47:42PM -0700, Philip Guenther wrote:

[snip]

> Sooo close. To quote doas.conf(5):
>

[snip]

> 'args' is *literal* there, so the correct config line would be
>     permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd
>

Hahaha, holy fballs! *donk* (I'll blame the hour. Yes, I think I will.))

Thanks!

Tor

PS: Here's a diff :-)

--- /usr/share/man/man5/doas.conf.5 Fri Feb 26 09:08:04 2016 +++ doas.conf.5 Sat Apr 2 00:14:34 2016 @@ -129,6 +129,7 @@ SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel permit nopass tedu as root cmd /usr/sbin/procmap +permit nopass tedu as root cmd /usr/sbin/rcctl args restart ntpd permit nopass keepenv root as root .Ed .Sh SEE ALSO
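Review bot: The added line "permit nopass tedu as root cmd /usr/sbin/rcctl args restart ntpd" sits directly under the procmap rule for the same user, and nothing in the example block says what it demonstrates. A sentence next to the block stating that this rule permits only "rcctl restart ntpd", in contrast to the procmap rule above it that has no args keyword, would make the point of the example explicit; using an identity other than tedu would also keep the two lines from reading as one policy.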
Re: doas.conf cmd with argument(s)
see doas.conf(5):

     args ...
             Arguments to command. If specified, the command arguments
             provided by the user need to match for the command to be
             successful. Specifying args alone means that command should be
             run without any arguments.

You forgot the args keyword.

On 04/01/16 23:33, Tor Houghton wrote:
> Hi,
>
> Now that sudo is out of base, I am wondering -- do I need to add it again,
> or does doas.conf allow for specifying commands with arguments?
>
> Obviously not like this (doas doesn't like that), but akin to:
>
> permit nopass support as root cmd /usr/sbin/rcctl restart ntpd
>
> I don't want the support user to be able to use rcctl on any daemon process,
> basically.
>
> Kind regards,
>
> Tor
Re: doas.conf cmd with argument(s)
On Fri, Apr 1, 2016 at 2:33 PM, Tor Houghton wrote:
> Now that sudo is out of base, I am wondering -- do I need to add it again,
> or does doas.conf allow for specifying commands with arguments?
>
> Obviously not like this (doas doesn't like that), but akin to:
>
> permit nopass support as root cmd /usr/sbin/rcctl restart ntpd
>
> I don't want the support user to be able to use rcctl on any daemon process,
> basically.

Sooo close. To quote doas.conf(5):

     The rules have the following format:

           permit|deny [options] identity [as target] [cmd command [args ...]]
...
     cmd command
             The command the user is allowed or denied to run. The default is
             all commands. Be advised that it's best to specify absolute
             paths. If a cmd is specified, only a restricted PATH will be
             searched.

     args ...
             Arguments to command. If specified, the command arguments
             provided by the user need to match for the command to be
             successful. Specifying args alone means that command should be
             run without any arguments.

'args' is *literal* there, so the correct config line would be

    permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd

Philip Guenther
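The effect of the args keyword quoted from doas.conf(5) above can be modelled in a few lines of C, showing why a rule without args does not confine rcctl to one daemon. This is an added example, not doas source code and not written by anyone in the thread; struct rule_model and rule_matches() are hypothetical names, and exact one-by-one string comparison of arguments is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the cmd/args part of one doas.conf rule. */
struct rule_model {
	const char *cmd;          /* NULL: no "cmd", any command matches */
	const char *const *args;  /* NULL: no "args" keyword; else NULL-terminated */
};

/* Assumed semantics: arguments are compared exactly, one by one. */
int rule_matches(const struct rule_model *r, const char *cmd,
    const char *const *argv)
{
	size_t i;
	if (r->cmd == NULL)
		return 1;
	if (strcmp(r->cmd, cmd) != 0)
		return 0;
	if (r->args == NULL)
		return 1;	/* "args" omitted: any arguments are accepted */
	for (i = 0; r->args[i] != NULL; i++)
		if (argv[i] == NULL || strcmp(r->args[i], argv[i]) != 0)
			return 0;	/* argument missing or different */
	return argv[i] == NULL;	/* extra user arguments are rejected */
}

/* Constructed argument vectors (everything after the command name). */
static const char *const restart_ntpd[] = { "restart", "ntpd", NULL };
static const char *const restart_sshd[] = { "restart", "sshd", NULL };
static const char *const ntpd_extra[] = { "restart", "ntpd", "sshd", NULL };
static const char *const no_args[] = { NULL };

/* ... cmd /usr/sbin/rcctl                    (no args keyword) */
static const struct rule_model cmd_only = { "/usr/sbin/rcctl", NULL };
/* ... cmd /usr/sbin/rcctl args restart ntpd  (the corrected rule) */
static const struct rule_model with_args = { "/usr/sbin/rcctl", restart_ntpd };
/* ... cmd /usr/sbin/rcctl args               (bare args: no arguments) */
static const struct rule_model bare_args = { "/usr/sbin/rcctl", no_args };

int main(void)
{
	const char *rcctl = "/usr/sbin/rcctl";
	printf("cmd only,  restart sshd: %d\n", rule_matches(&cmd_only, rcctl, restart_sshd));
	printf("with args, restart ntpd: %d\n", rule_matches(&with_args, rcctl, restart_ntpd));
	printf("with args, restart sshd: %d\n", rule_matches(&with_args, rcctl, restart_sshd));
	printf("with args, extra arg:    %d\n", rule_matches(&with_args, rcctl, ntpd_extra));
	printf("bare args, no arguments: %d\n", rule_matches(&bare_args, rcctl, no_args));
	return 0;
}
```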
doas.conf cmd with argument(s)
Hi,

Now that sudo is out of base, I am wondering -- do I need to add it again,
or does doas.conf allow for specifying commands with arguments?

Obviously not like this (doas doesn't like that), but akin to:

permit nopass support as root cmd /usr/sbin/rcctl restart ntpd

I don't want the support user to be able to use rcctl on any daemon process,
basically.

Kind regards,

Tor