@pixelherodev Maybe this makes me a bad person, but I don't install sudo on OSes that don't come with it preinstalled. I just su over to root and do what needs done.
I do not get how using sudo provides any protections. If I can screw something up as root I can screw that same thing up by typing "sudo." Sudo also seems less secure to me because it requires the user password, not the root password. I don't allow root logins to create an additional hurdle.
Not because I think it's necessarily more secure than su [though, I trust the authors of doas FAR more than the authors of the normal su implementations, both to be benevolent and competent; let alone sudo], but also because it makes some things super convenient.
For instance, my unencrypted ~/.profile unlocks and mounts the encrypted /home partition without needing the root password, only the encryption password, and pivots into the encrypted ~/.profile.
@autolycus @pixelherodev sudo requiring the user's password instead of root's password is a feature. It is not a bug (and it is not less secure).
With su, you have to give the root password to all users of your system that need high privileges, and thus you give full permissions on the system to all of them.
With sudo, you can configure sudo to allow a certain user a subset of the high privileges. You give the user only the privileges s/he needs for the job.
@autolycus @pixelherodev Also, sudo helps with auditing the system. Whenever a user executes a command with "sudo" it would be logged in the system logs which user executed what command using sudo. In case an account got compromised, that would help to determine where the compromise started and what had been executed.
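The audit trail described in the post above, as an added example that is not part of any post in this thread: a small parser that groups sudo log entries by invoking user and separates permitted commands from refused ones. It assumes sudo's default syslog line format; the sample lines, host name and user names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's default syslog format (not from the thread).
SAMPLE_LOG = """\
Mar  3 10:14:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:15:40 host1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:16:11 host1 sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Mar  3 10:17:25 host1 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:18:03 host1 sudo:    alice : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
"""

LINE_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<invoker>\S+) : (?P<rest>.*)$")


def parse_sudo_line(line):
    """Return a dict for one sudo log entry, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m or "COMMAND=" not in m["rest"]:
        return None
    # COMMAND is the final field in this format and may itself contain " ; ",
    # so it is cut off before the remaining fields are split.
    head, _, command = m["rest"].partition("COMMAND=")
    event = {"invoker": m["invoker"], "command": command, "denied": None}
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            # USER= is the account the command ran as, not the invoking user.
            event["runas" if key == "USER" else key.lower()] = value
        else:
            event["denied"] = part  # e.g. "user NOT in sudoers"
    return event


def audit(log_text):
    """Group commands by invoking user, split into allowed and denied."""
    allowed, denied = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event:
            bucket = denied if event["denied"] else allowed
            bucket[event["invoker"]].append(event["command"])
    return dict(allowed), dict(denied)
```

`audit(SAMPLE_LOG)` returns the commands each user actually ran and, separately, the attempts sudo refused.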
In my opinion, the entire security model Linux uses is broken. The ability to gain power should not exist.
A better model is to have the first process start with all capabilities, and then launch children processes with only a subset.
Then, any process can do anything within its capabilities, and can run other processes with arbitrary subsets of its capabilities, but can never acquire ones it does not already have.
@yujiri The safest code is the code you never write.
The safest way to handle anything important is to have it do the absolute bare minimum you really need.
>99% of sudo's code should not exist in ANY language. Rewriting it in Rust will not change the fact that the code does not need to exist, that there are FAR more moving parts than there ought to be, and that there's a lot of code to read and maintain.
I'm more inclined to trust 100 lines of C than 1M lines of Rust.
navani:$ doas ls /etc/doas.d/
doas (noam@navani.radiant.pixelhero.dev) password:
doas.conf
navani:$ doas cat /etc/doas.d/doas.conf
permit persist :wheel
permit nopass noam as root cmd /sbin/cryptsetup args open /dev/nvme0n1p6 data
permit nopass noam as root cmd /bin/mount args /dev/mapper/data /home/noam/
Note how I'm only prompted for the password on the first command!
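How the three rules in the post above are evaluated, as an added example that is not part of the post and not doas's own code: a simplified model of doas.conf matching (last matching rule wins, `args` must match exactly, no match means deny). The function names are hypothetical, and noam's membership in wheel is an assumption passed in by the caller.

```python
import shlex

# The three rules quoted in the post above, copied verbatim.
DOAS_CONF = """\
permit persist :wheel
permit nopass noam as root cmd /sbin/cryptsetup args open /dev/nvme0n1p6 data
permit nopass noam as root cmd /bin/mount args /dev/mapper/data /home/noam/
"""
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}  # "setenv { ... }" is not modelled


def parse_rule(line):
    """Parse 'permit|deny [options] identity [as target] [cmd command [args ...]]'."""
    tok = shlex.split(line, comments=True)
    if not tok:
        return None  # blank line or comment
    rule = {"action": tok[0], "options": set(), "target": None, "cmd": None, "args": None}
    i = 1
    while tok[i] in OPTIONS:
        rule["options"].add(tok[i])
        i += 1
    rule["identity"] = tok[i]
    rest = tok[i + 1:]
    if rest[:1] == ["as"]:
        rule["target"], rest = rest[1], rest[2:]
    if rest[:1] == ["cmd"]:
        rule["cmd"], rest = rest[1], rest[2:]
        if rest[:1] == ["args"]:
            rule["args"] = rest[1:]  # bare "args" means: no arguments allowed
    return rule


def matches(rule, user, groups, target, argv):
    """True if the rule applies to this user, target and exact command line."""
    ident = rule["identity"]
    who = ident[1:] in groups if ident.startswith(":") else ident == user
    return (who
            and rule["target"] in (None, target)
            and rule["cmd"] in (None, argv[0])
            and (rule["args"] is None or rule["args"] == argv[1:]))


def decide(conf, user, groups, target, argv):
    """Return (action, options) of the last matching rule; no match means deny."""
    verdict = ("deny", set())
    for line in conf.splitlines():
        rule = parse_rule(line)
        if rule and matches(rule, user, groups, target, argv):
            verdict = (rule["action"], rule["options"])
    return verdict
```

Under this model only the exact `cryptsetup` and `mount` invocations are passwordless; any other command, or the same command with different arguments, falls back to the `:wheel` rule and needs a password.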
#doas in the #FreeBSD ports tree is the portable one maintained by Jesse Smith.
Per https://github.com/slicer69/doas/issues/15 you are right, and the people who claim that it works on Linux are in fact using a non-OpenBSD fork made by Duncan Overbruck that outright deleted the OpenBSD code in 2019, isn't actually portable any more despite the README, and substitutes a timestamp file for the missing necessary #OpenBSD kernel security feature that Linux lacks.
As you can see from the README and the diff that I gave to you, xe took the portable version, stripped out all of the bits that were conditionally compiled for anything other than Linux, substituted in Linux shadow password and PAM libraries, and added in the file-based timestamp mechanism from sudo.
Worse: This is the official #ArchLinux flavour of #doas. The portable one that didn't go back to sudo under the covers is relegated to the AUR.
@RL_Dane doas's persist option works great on linux but it's marked experimental. you have to opt-in with USE=persist emerge doas on gentoo, for example.
@pixelherodev I mean doas is “less bloat” but I guess sudo is just good enough for everyone to use. Most people just do not care about the bloat of sudo.
@pixelherodev @XxAlexXx you know the truth: there's no worse competition than the ancestor that's just good enough. And people (like me) know sudo, but not doas, so we're lost if it doesn't work.
@waleedmortaja @pixelherodev Sudo can do multiple sets of applications, which might not be necessary for many users. Sudo is a jack of all trades and has a ton of features in it as compared to doas. But it is the same reason it is flawed. If we were to consider each feature of an application as having a vulnerability, then we would understand the argument. Simply put, sudo is too big and hence has a large vector for security vulnerabilities as compared to doas, which is smaller and might run faster than sudo.
@XxAlexXx @pixelherodev I am not aware of sudo's multiple applications. Can you give some examples or an article link about that? I would like to read more about this.
Thanks