> > > I think the failsafe is "run su".
> > 
> > Visudo(8) style wrapper for doas(1) that would respect the editor
> > preferences... is only a suggestion, no? We're 2015 here.
> 
> and vipf after that? there are countless config files, even more dangerous
> than doas.conf, that you edit at your own peril.

With respect, Ted, I hope it was clear the intention was to bring into
attention the inadequacy of the $visual"sth" concept as a means of
safety.
 
> > > Since it is possible to configure doas to
> > > even less than "permit :wheel" this would in some cases be a fail open.
> > 
> > I'm not sure how much exactly "flak" I'd get about this, but: is the
> > "permit" word specifically chosen in the DSL for this?
> 
> there's not a of meaning behind "permit", other than that it's a word that
> seems appropriate.

So why can't "allow" fit as opposite to deny? (normally silence means
no change in security model, hopefully).

Can we formalise the DSL, or read about it and prevent me from making
incoherent guesses?

> > P.S. My opinion has zero value but why can't su(1) work this purpose?
> 
> The semantics of su are different in a couple and people seem to like using
> sudo. Trying to share code with su risks muddying up that code and introducing
> mistakes.

Yet it may be the same "feel" place to be of something dealing with
who's what doing why when escalation. Please have others say about it,
I'm nobody of significance to suggest here.
