Hi Matthew,

[email protected] wrote on Tue, Jul 02, 2019 at 11:43:13AM +0300:

> This isn't a bug per se,

Indeed not a bug.

> more of an incongruity in how security-centric tools work wrt root,

Sure.  Different tools are different.  In particular, in addition
to major differences in behaviour that were the reason for having
different tools in the first place, minor differences may also
exist.

> specifically doas and chroot/su/other:
> 
>   joe@drogo$ doas -s
>   drogo# doas -u chohag -s
>   doas (root@drogo) password:
>   doas: Authorization failed
>   drogo# chroot -u chohag /
>   drogo$ ^D
>   drogo# su -l chohag
>   drogo$ ^D
> 
> Obviously a little one-liner or tiny C app could achieve the same result too.
> 
> I assume this is more or less known, since each tool is working to its
> designed spec, so is the above ultimately the desired behaviour?
> Should doas ask even for root's password while myriad other ways of
> obtaining any user ID do and probably always will exist?

I see nothing wrong with it.  It is easier to describe in the manual
page: since authorization is always checked, nothing needs to be said
about it, in particular no special case for root needs to be explained.
Then again, given that root is all-powerful in the first place (as
you noted), it doesn't matter either way, really.

The bikeshed has already been painted, and no matter whether you are
justified in calling the colour that tedu@ chose "pink", i wouldn't
see an obvious benefit in re-painting it now.

> On some servers root doesn't have a password.

Sure, and nothing is wrong with that.

If the default behaviour is not what you want on a particular machine,
feel free to add a line similar to

  permit nopass [keepenv] root [as root]

to doas.conf(5).

Yours,
  Ingo


P.S.
Please do not cross-post between different OpenBSD lists.
Always choose the one most appropriate for the posting,
or none if the content of your posting is off-topic on every one
of them (which several of your postings were lately).

This one would have been on-topic on misc@; but given that you
posted to bugs@, i'm answering there such that developers
can more easily see which reports have been taken care of.
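A complete doas.conf(5) showing where a line like the one above fits, as an added example that is not part of Ingo's message or of OpenBSD's own documentation. The host and user names are taken from the thread; the wheel rule is an assumed typical default. doas evaluates rules top to bottom and the last matching rule determines the action, so the root-specific rules are placed after the general one.

```conf
# /etc/doas.conf (constructed example; the last matching rule wins)

# Ordinary administration: members of wheel may run any command as root,
# authenticating with their own password, remembered briefly (persist).
permit persist :wheel

# Per the thread: do not ask root for a password when it runs doas for a
# command targeted at root ...
permit nopass root as root

# ... and, for the case in the thread (root running "doas -u chohag -s"),
# a rule whose target is the unprivileged user.  This only mirrors what
# "su -l chohag" and "chroot -u chohag /" already allow root to do without
# a password; it adds convenience, not capability.
permit nopass root as chohag
```

Without the second root rule, "doas -u chohag" run as root still prompts and fails exactly as in the session quoted above.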
