Re: doas.conf cmd with argument(s)

2016-04-05 Thread Tor Houghton
On Mon, Apr 04, 2016 at 08:08:19AM +0100, Jason McIntyre wrote:
> 
> it is a bit inconsistent, yes.
> 
> it is very much less readable with a line break. you could remove the
> offset, but that doesn't look great either. you could specify a smaller
> offset and juggle the actual text a bit.
> 
> the text is clear enough. i don't really have a problem with what's
> there. at least, i don't see an easy way to both make the change you're
> requesting and have it still read nicely.
> 

I made a "patch comment" in my reply to Guenther; perhaps all you need is to
add another example with args, e.g. under the line with the "tedu" user?

Tor



Re: doas.conf cmd with argument(s)

2016-04-04 Thread Jason McIntyre
On Mon, Apr 04, 2016 at 12:26:50AM +0200, Tim van der Molen wrote:
> Philip Guenther (2016-04-01 23:47 +0200):
> > Sooo close.  To quote doas.conf(5):
> > 
> >  The rules have the following format:
> > 
> > >    permit|deny [options] identity [as target] [cmd command [args ...]]
> ...
> > 'args' is *literal* there, so the correct config line would be
> > permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd
> 
> I think doas.conf(5) is misleading here: the ellipsis in "args ..."
> implies that "args" is an argument that may be given multiple times.
> 
> Hence "args ..." should be replaced by "args [arg ...]" as done in the
> diff below. (Unfortunately, with this diff the rule format will no
> longer fit on one line.)
> 

it is a bit inconsistent, yes.

it is very much less readable with a line break. you could remove the
offset, but that doesn't look great either. you could specify a smaller
offset and juggle the actual text a bit.

the text is clear enough. i don't really have a problem with what's
there. at least, i don't see an easy way to both make the change you're
requesting and have it still read nicely.

jmc

> Index: doas.conf.5
> ===
> RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v
> retrieving revision 1.18
> diff -p -u -r1.18 doas.conf.5
> --- doas.conf.5   2 Jan 2016 08:34:47 -   1.18
> +++ doas.conf.5   3 Apr 2016 22:25:17 -
> @@ -35,7 +35,7 @@ The rules have the following format:
>  .Op Ar options
>  .Ar identity
>  .Op Ic as Ar target
> -.Op Ic cmd Ar command Op Ic args ...
> +.Op Ic cmd Ar command Op Ic args Op Ar arg ...
>  .Ed
>  .Pp
>  Rules consist of the following parts:
> @@ -78,7 +78,7 @@ Be advised that it's best to specify abs
>  If a cmd is specified, only a restricted
>  .Ev PATH
>  will be searched.
> -.It Ic args ...
> +.It Ic args Op Ar arg ...
>  Arguments to command.
>  If specified, the command arguments provided by the user
>  need to match for the command to be successful.



Re: doas.conf cmd with argument(s)

2016-04-03 Thread Tim van der Molen
Philip Guenther (2016-04-01 23:47 +0200):
> Sooo close.  To quote doas.conf(5):
> 
>  The rules have the following format:
> 
>    permit|deny [options] identity [as target] [cmd command [args ...]]
...
> 'args' is *literal* there, so the correct config line would be
> permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd

I think doas.conf(5) is misleading here: the ellipsis in "args ..."
implies that "args" is an argument that may be given multiple times.

Hence "args ..." should be replaced by "args [arg ...]" as done in the
diff below. (Unfortunately, with this diff the rule format will no
longer fit on one line.)

Index: doas.conf.5
===
RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v
retrieving revision 1.18
diff -p -u -r1.18 doas.conf.5
--- doas.conf.5 2 Jan 2016 08:34:47 -   1.18
+++ doas.conf.5 3 Apr 2016 22:25:17 -
@@ -35,7 +35,7 @@ The rules have the following format:
 .Op Ar options
 .Ar identity
 .Op Ic as Ar target
-.Op Ic cmd Ar command Op Ic args ...
+.Op Ic cmd Ar command Op Ic args Op Ar arg ...
 .Ed
 .Pp
 Rules consist of the following parts:
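
Review bot: the replacement synopsis line ".Op Ic cmd Ar command Op Ic args Op Ar arg ..." makes the rule format too long for one line inside the display that ".Ed" closes, as the submission itself points out, and a wrapped format line is harder to scan. Either shrink the display offset so "[cmd command [args [arg ...]]]" still fits, or keep the synopsis as it is and make the keyword status of args explicit in the description of the args item instead.
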
@@ -78,7 +78,7 @@ Be advised that it's best to specify abs
 If a cmd is specified, only a restricted
 .Ev PATH
 will be searched.
-.It Ic args ...
+.It Ic args Op Ar arg ...
 Arguments to command.
 If specified, the command arguments provided by the user
 need to match for the command to be successful.
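
Review bot: the retagged item ".It Ic args Op Ar arg ..." still opens with "Arguments to command.", which never says that args is a keyword the rule must contain, so the distinction rests on markup that is easy to miss in a terminal rendering. Add a sentence to the item body stating that the word args has to precede the argument list, and check that the longer tag still fits the list's tag width.
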



Re: doas.conf cmd with argument(s)

2016-04-01 Thread Tor Houghton
On Fri, Apr 01, 2016 at 02:47:42PM -0700, Philip Guenther wrote:

[snip]

> Sooo close.  To quote doas.conf(5):
> 
 
[snip]
 
> 'args' is *literal* there, so the correct config line would be
> permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd
> 

Hahaha, holy fballs! *donk* (I'll blame the hour. Yes, I think I will.))

Thanks!

Tor

PS: Here's a diff :-)

--- /usr/share/man/man5/doas.conf.5 Fri Feb 26 09:08:04 2016
+++ doas.conf.5 Sat Apr  2 00:14:34 2016
@@ -129,6 +129,7 @@
 SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
 permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
 permit nopass tedu as root cmd /usr/sbin/procmap
+permit nopass tedu as root cmd /usr/sbin/rcctl args restart ntpd
 permit nopass keepenv root as root
 .Ed
 .Sh SEE ALSO
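
Review bot: the added example "permit nopass tedu as root cmd /usr/sbin/rcctl args restart ntpd" shows the args keyword but nothing beside it says that the user's arguments have to match the listed ones, which is the point the example is meant to teach; a short sentence next to the example would close that gap. The diff is also made against the installed /usr/share/man/man5/doas.conf.5, so a version taken against the source tree copy would be easier to apply.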



Re: doas.conf cmd with argument(s)

2016-04-01 Thread Martijn van Duren
see doas.conf(5):
 args ... Arguments to command.  If specified, the command arguments
  provided by the user need to match for the command to be
  successful.  Specifying args alone means that command should
  be run without any arguments.

You forgot the args keyword.

On 04/01/16 23:33, Tor Houghton wrote:
> Hi,
> 
> Now that sudo is out of base, I am wondering -- do I need to add it again,
> or does doas.conf allow for specifying commands with arguments?
> 
> Obviously not like this (doas doesn't like that), but akin to:
> 
>   permit nopass support as root cmd /usr/sbin/rcctl restart ntpd 
> 
> I don't want the support user to be able to use rcctl on any daemon process,
> basically.
> 
> Kind regards,
> 
> Tor



Re: doas.conf cmd with argument(s)

2016-04-01 Thread Philip Guenther
On Fri, Apr 1, 2016 at 2:33 PM, Tor Houghton wrote:
> Now that sudo is out of base, I am wondering -- do I need to add it again,
> or does doas.conf allow for specifying commands with arguments?
>
> Obviously not like this (doas doesn't like that), but akin to:
>
> permit nopass support as root cmd /usr/sbin/rcctl restart ntpd
>
> I don't want the support user to be able to use rcctl on any daemon process,
> basically.

Sooo close.  To quote doas.conf(5):

 The rules have the following format:

   permit|deny [options] identity [as target] [cmd command [args ...]]
...
 cmd command  The command the user is allowed or denied to run.  The
  default is all commands.  Be advised that it's best to
  specify absolute paths.  If a cmd is specified, only a
  restricted PATH will be searched.

 args ... Arguments to command.  If specified, the command arguments
  provided by the user need to match for the command to be
  successful.  Specifying args alone means that command should
  be run without any arguments.

'args' is *literal* there, so the correct config line would be
permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd


Philip Guenther
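
The matching behaviour described in the reply above, as an added example that is not part of the thread and is not doas source code: a small model showing why a rule without args lets the user pass any arguments, why "args restart ntpd" pins the exact argument list, and why the original line without the args keyword is a syntax error. Assumptions: only user identities and brace-free options are handled, commands are compared as literal strings, the last matching rule decides, and no match means refusal.

```python
# Added illustration: a small model of doas.conf cmd/args matching.
# Not doas source. Subset only: user identities, options without { } lists.
OPTIONS = {"nopass", "keepenv"}

def parse_rule(line):
    tok = line.split()
    if not tok or tok[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny")
    rule = {"action": tok.pop(0), "target": None, "cmd": None, "args": None}
    while tok and tok[0] in OPTIONS:
        tok.pop(0)                      # options do not affect matching
    if not tok:
        raise ValueError("missing identity")
    rule["identity"] = tok.pop(0)
    for key in ("as", "cmd"):           # optional "as target", then "cmd command"
        if tok and tok[0] == key:
            if len(tok) < 2:
                raise ValueError(f"{key} needs a value")
            rule["target" if key == "as" else "cmd"] = tok[1]
            tok = tok[2:]
    if rule["cmd"] and tok and tok[0] == "args":
        rule["args"], tok = tok[1:], [] # literal keyword, then the exact argv tail
    if tok:
        raise ValueError(f"syntax error at {tok[0]!r}")
    return rule

def matches(rule, user, target, argv):
    return (rule["identity"] == user
            and rule["target"] in (None, target)
            and rule["cmd"] in (None, argv[0])
            # args absent: any arguments; args present: exact list, [] means none
            and (rule["args"] is None or rule["args"] == argv[1:]))

def decide(lines, user, target, argv):
    verdict = "deny"                    # no matching rule means refusal
    for rule in map(parse_rule, lines):
        if matches(rule, user, target, argv):
            verdict = rule["action"]    # the last matching rule wins
    return verdict

RCCTL = "/usr/sbin/rcctl"
BROAD = ["permit nopass support as root cmd " + RCCTL]                     # no args
TIGHT = ["permit nopass support as root cmd " + RCCTL + " args restart ntpd"]
BARE = ["permit nopass support as root cmd " + RCCTL + " args"]

if __name__ == "__main__":
    for name, rules in (("BROAD", BROAD), ("TIGHT", TIGHT), ("BARE", BARE)):
        for tail in ([], ["restart", "ntpd"], ["stop", "sshd"]):
            print(name, tail, decide(rules, "support", "root", [RCCTL] + tail))
```

On a system with doas installed, "doas -C /etc/doas.conf /usr/sbin/rcctl restart sshd" reports how the real parser decides for the invoking user without running the command.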



doas.conf cmd with argument(s)

2016-04-01 Thread Tor Houghton
Hi,

Now that sudo is out of base, I am wondering -- do I need to add it again,
or does doas.conf allow for specifying commands with arguments?

Obviously not like this (doas doesn't like that), but akin to:

permit nopass support as root cmd /usr/sbin/rcctl restart ntpd 

I don't want the support user to be able to use rcctl on any daemon process,
basically.

Kind regards,

Tor