Martijn van Duren <openbsd+t...@list.imperialat.at> wrote:
> Sorry for the delay.
>
> I like the general direction, but I'm not 100% convinced the semantics
> are fine-tuned enough.
>
> On 6/13/19 4:16 AM, Ted Unangst wrote:
> > This has come up a few times before. For background, the default rule for
> > doas is to copy a few environment settings from the user and omit the rest.
> > This is to prevent confusion, and also supposedly for security. However,
> > some of the alleged safe variables like PATH probably aren't that safe. And
> > things like USER are confusing? And why even bother with MAIL? The list is
> > kinda ad hoc and mostly copied from what I understood sudo to do at the
> > time, but I believe sudo has changed defaults as well.
> >
> > So here's a new model which I think is safer and more consistent.
> >
> > 1. Always add a DOAS_USER with the invoking user's name.
>
> Why not add a DOAS_UID and DOAS_GID as well. From testing I found that
> sudo sets them from the passwd values, but since these values can easily
> be derived from DOAS_USER (unless there's overlap between passwd(5) and
> ypldap(8)); I propose that we save the original uid and egid. Egid,
> because that's the gid that's actually in effect and uid because we
> already lost euid to doas (0).
> suggested diff below.
>
> I don't know if it's worth to store DOAS_COMMAND (similar to sudo), or
> maybe store some additional values that we overwrite by default, but it's
> easier to add to the DOAS_* set than remove them, so that can always be
> determined later.
Why do all this? How many usage cases are there? I can't think of any. Will a sub-process ever be in a situation where it knows more than it should? That feels more likely.