On 5/13/19 9:13 AM, Marc Espie wrote:
> So, in dpb, I've been forking a lot of 'chroot -u user /build'
> to build various things, and it works just great.
>
> I was wondering about the benefits of
> su ${BUILDUSER} -c 'some quoted command'
> vs
> chroot -u ${BUILDUSER} / some unquoted command
>
> Superficially, it looks mostly similar.
>
> The very nice thing about chroot (IMO) being that you can pass the
> command verbatim without having to re-quote anything. The other
> difference being that chroot doesn't fork an extra shell, which
> might make things more transparent wrt running commands.
>
> I'm also wondering about doas.
> By default, it's not configured at all.
>
> But what would it hurt to allow root usage ?
> Specifically,
>
> doas -u ${BUILDUSER} some unquoted command
>
> as run by root. This would not open any security hole, would it ?
I don't see any, and I've been bitten by having a root shell open and typing doas out of habit. Lightly tested diff below.

> Finally, I'm wondering if people would have any use for a chroot'd
> option in doas, and whether it's a security issue (again).
>
> Like, people have some hardened doas.conf which only allows running
> some commands as root.
>
> Some of these commands are basically game over, as they allow anything
> to be run, actually. Specifically, /usr/bin/env, or chroot...
>
> Would
> doas -c /rootdir somecmd
> be of any use ?

Not particularly opposed, but the extent of this option should be examined. E.g. do we want to extend it to the config to be something similar to -u and limit its use for certain commands?

Index: doas.c
===================================================================
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.74
diff -u -p -r1.74 doas.c
--- doas.c	17 Jan 2019 05:35:35 -0000	1.74
+++ doas.c	13 May 2019 07:57:29 -0000
@@ -132,6 +132,15 @@ static int
 permit(uid_t uid, gid_t *groups, int ngroups, const struct rule **lastr,
     uid_t target, const char *cmd, const char **cmdargs)
 {
+	static struct rule allowroot = {
+		.action = PERMIT,
+		.options = NOPASS,
+		.ident = NULL,
+		.target = NULL,
+		.cmd = NULL,
+		.cmdargs = NULL,
+		.envlist = NULL
+	};
 	int i;
 
 	*lastr = NULL;
@@ -140,8 +149,13 @@ permit(uid_t uid, gid_t *groups, int ngr
 		    cmdargs, rules[i]))
 			*lastr = rules[i];
 	}
-	if (!*lastr)
+	if (!*lastr) {
+		if (uid == 0) {
+			*lastr = &allowroot;
+			return PERMIT;
+		}
 		return 0;
+	}
 	return (*lastr)->action == PERMIT;
 }
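Review bot: the `allowroot` sentinel in the first hunk is a synthetic rule that never appears in doas.conf, yet it is handed back through `*lastr` like a configured rule with `.ident`, `.cmd` and `.cmdargs` all NULL; add a comment above the initializer saying so (e.g. "implicit rule: root may run anything without a password, used only when no configured rule matched"), so whoever later reads `*lastr` back in the caller knows those fields can be NULL and does not go looking for the rule in the config. Minor: a `static` object is zero-initialized anyway, so only `.action = PERMIT` and `.options = NOPASS` carry information; the explicit NULLs are fine for readability but are not required.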
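Review bot: in the second hunk the new root path returns the constant `PERMIT` while every other path out of `permit()` returns a 0/1 boolean (`return 0;` and `return (*lastr)->action == PERMIT;`); returning `1` there keeps the function's contract uniform and avoids tying the caller to the numeric value of `PERMIT`. The ordering is otherwise right from a policy point of view and worth stating in a comment: the `uid == 0` check only runs when no configured rule matched, so an explicit `deny` for root in doas.conf still wins over the implicit permit. Since this changes what an unconfigured doas does for root (the thread notes it is "not configured at all" by default), doas.1 and doas.conf.5 should say that root is permitted without a rule unless denied. Also note the hunk header claims 8 original lines but only 7 original/context lines are visible (the `if (match(...` context line before `cmdargs, rules[i]))` seems to have been lost in transit), so re-send the diff intact before anyone tries to apply it.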