
List:       openbsd-tech
Subject:    Re: More useful: something like doasedit
From:       Emille Blanc <sarlok () sarlok ! com>
Date:       2018-02-28 23:32:34
Message-ID: ed54f307cf894c3c11440f0d45f23639 () sarlok ! com

On 28.02.2018 15:10, Ingo Schwarze wrote:
> Hi,
>
> Felix Maschek wrote on Wed, Feb 28, 2018 at 08:24:19PM +0100:
>
>> How would you prevent that something like 'doas vi /etc/fstab' (which
>> will run as root) doesn't offer the user to enter a root shell within vi
>> (by typing '.sh')?
>
> The sudo(8) utility has become able, over the decades, to do very
> complex things and supports fine granularity for assigning rights
> to administrators.  As a consequence, it has also become somewhat
> large and complicated.  As a consequence, Michael Lucas has become
> able to write a book about it and to hold tutorials about it at BSD
> conferences.
>
> The design goal of doas(1) is not to reproduce the full range
> of sudo(8) functionality, but to provide a smaller tool that
> is easier to maintain, use, and audit.  When writing it, it was
> intentional that tedu@ did not include doasedit(1) functionality -
> because providing selective editing capabilities of certain
> root-owned files to certain non-root administrators is among the
> things that can be considered complex, fine-grained control.
>
> During the Cambridge Hackathon, one OpenBSD developer actually
> implemented doasedit(1) nevertheless.  But the result was indeed
> complicated enough that committing it wasn't a no-brainer, several
> developers doubted whether we should have it at all, and nobody
> tried very hard to hammer the diff into a form that might meet
> consensus for commit.
>
> The question comes up now and again, but not all that often...
>
> Yours,
>   Ingo

I've run into this more than a few times, but found it's easier to just
set up sudo for the few cases where needed as a supplement to doas for
those cases.
I appreciate the idea of leaving the complexity of sudo where it is, 
and keeping doas neat and tidy.
Otherwise, the hardest part in living with doas so far is coping with
muscle memory.  'sudo something' always comes out first, other times
'doas -e /file', both of which make me feel stupid for a brief moment.
But that's my problem, not doas'.
