On Sat, 19 Sep 2015 10:50:31 -0400
"Ted Unangst" <[email protected]> wrote:
> Toby Slight wrote:
> > Hi there,
> >
> > I just started getting to know doas a bit, and am already stumped
> > (pretty typical for me..).
> >
> > I'm trying to let my user shutdown, reboot and suspend the computer
> > without entering a password. This is my doas.conf:
> >
> > permit keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
> > permit nopass toby as root cmd /sbin/shutdown
> > permit nopass toby as root cmd /sbin/reboot
> > permit nopass toby as root cmd /usr/sbin/zzz
> >
> > I can suspend successfully, but attempting to shutdown or reboot,
> > returns:
> >
> > ksh: shutdown: cannot execute - Permission denied
>
> you have to run the doas command. it's not part of the shell.
>
> doas /sbin/shutdown
>
>
Hi Ted, misc@

Maybe inappropriate (please advise), has the existence (merits, etc.)
of an example doas.conf been discussed already publicly?
http://marc.info/?l=openbsd-misc&q=b&s=doas.conf

Side comment: for the sake of mention only, pf got one (sample
configuration) not long ago:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/examples/pf.conf
and sudo had one too by ?visudo (confused). I just don't recall (must
be age related) having to ever craft my own sudo config file and set
its permissions etc. (neither did I have to for sshd).

I remember I just edited away the existing file according to the
current manpage, and hold dear the comfortable experience of sample
(basic) use options preset for a starting point, and then some quality
reading material to get well into the Endspiel of the configuration
game.

Here is how early httpd got it relative to its introduction:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/examples/httpd.conf
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/httpd.conf.5
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/httpd.c

My personal (humble) view on these matters is that important pieces of
the user privilege toolkit could benefit from a comfortable learning
curve.

Probably a doas FAQ entry can reduce the rate of start-up questions and
raise the usability level a bit to the point where actually useful 'tips
and tricks' / advanced setup questions start turning up in favour of
common pitfalls / gotchas.

With respect, please ignore if this suggestion is considered utterly
baseless (and/or premature) at this point.

Regards,
Anton