Blame
Date: Sun Nov 27 05:00:19 2022 UTC
Message: Daily backup
2021-12-17
text=(:redirect Doas.Configure:)
(:title Doas: the Sudo Replacement:)

!! Doas for Group Wheel

Normally, you don't want to log in as root for security reasons. OpenBSD does not come with ''sudo'' by default; instead, it provides a small, simple utility called [[https://man.openbsd.org/doas|doas]].

First, let's use su to log in as root:

[@
$ su
@]

Next, we will need to edit our [[https://man.openbsd.org/doas.conf|/etc/doas.conf]] file:

[@
# echo "permit persist :wheel as root" >> /etc/doas.conf
@]

This line allows any user in the group wheel to run commands as root through doas.

'''Note''': The # sign means you run this command as root by first logging in using @@su@@. The $ sign means you run the command as your normal user. Do not literally type # or $.

[@
$ whoami
user
$ doas whoami
doas (user@user.coconut.ircnow.org) password: 
root
@]

For this configuration, you will need to provide your user password in order to use doas. The @@persist@@ keyword means that after the password is first provided, doas will not ask again for some time.

!! No password needed

Life is a lot easier when you don't require the user password:

[@
# echo "permit nopass :wheel as root" >> /etc/doas.conf
@]

The downside of this more relaxed permission is that anyone who gains access to any account in the wheel group gets complete root access over the system, with no password required. Check if that makes sense with your [[openbsd/security|security goals]].

!! Whitelisting users

You can also permit a specific user:

[@
# echo "permit nopass user as root" >> /etc/doas.conf
@]

This allows the account named @@user@@ to run commands as root using @@doas@@ without a password.

!! Security

You should avoid logging in as root or running programs as root unless absolutely necessary. Running insecure or malicious programs as root can lead to stolen data. If you find yourself using root when you should not need to, chances are you have a bug somewhere else that needs to be fixed.

As a precaution, we should not allow others to read doas.conf:

[@
$ doas chmod o-r /etc/doas.conf
@]

See also:

[[https://flak.tedunangst.com/post/doas-mastery|Ted Unangst's Doas Mastery]]
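As an added example (not part of the wiki page and not code from OpenBSD's doas), the following POSIX shell script audits a doas.conf for the two things the page's sections turn on: which permit rules grant root with nopass versus persist versus a password every time, and whether the file is still world-readable before the chmod o-r step. It goes slightly beyond the page by also skipping deny rules and listing the password-less rules. The sample config written by make_demo_conf is constructed for the demo, and all function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from doas itself: audit a
# doas.conf for password-less rules and for the world-readable bit the page
# removes with "chmod o-r". Portable POSIX sh + awk; the sample config
# written by make_demo_conf is constructed for this demo.

# Write a constructed sample doas.conf to $1 with the default 0644 mode,
# i.e. the state before "doas chmod o-r /etc/doas.conf" has been run.
make_demo_conf() {
    cat > "$1" <<'EOF'
# constructed sample, mirrors the three rule shapes shown on the page
permit persist :wheel as root
permit nopass :wheel as root
permit nopass alice as root
permit bob as root
deny carol as root
EOF
    chmod 644 "$1"
}

# Count permit rules of one kind in $2:
#   nopass   - root without any password (the relaxed setting on the page)
#   persist  - password asked once, then cached for a while
#   password - neither option, so every invocation prompts
# deny rules, comments and blank lines are ignored; only permit grants access.
count_rules() {
    kind=$1
    awk -v kind="$kind" '
        /^[ \t]*#/ || NF == 0 { next }          # comment or blank line
        $1 != "permit"        { next }          # deny rules grant nothing
        {
            nopass = 0; persist = 0
            for (i = 2; i <= NF; i++) {         # options follow the "permit" keyword
                if ($i == "nopass")  nopass = 1
                if ($i == "persist") persist = 1
            }
            if      (kind == "nopass"   && nopass)              n++
            else if (kind == "persist"  && persist)             n++
            else if (kind == "password" && !nopass && !persist) n++
        }
        END { print n + 0 }' "$2"
}

# Print the rules that give root without a password, so an admin can see
# exactly which identities (users or :groups) are covered.
list_nopass_rules() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         $1 == "permit" { for (i = 2; i <= NF; i++) if ($i == "nopass") { print; next } }' "$1"
}

# Report the "other" read bit: column 8 of "ls -l" is r or -, on both BSD and GNU.
# Prints "world-readable" or "private".
world_readable() {
    case $(ls -l "$1" | cut -c8) in
        r) echo world-readable ;;
        *) echo private ;;
    esac
}

# Demo run on the constructed file (on a real system this would be /etc/doas.conf).
conf=$(mktemp)
make_demo_conf "$conf"

echo "password rules: $(count_rules password "$conf")"   # 1
echo "persist rules:  $(count_rules persist "$conf")"    # 1
echo "nopass rules:   $(count_rules nopass "$conf")"     # 2
echo "rules granting root without a password:"
list_nopass_rules "$conf"

echo "before chmod o-r: $(world_readable "$conf")"       # world-readable
chmod o-r "$conf"                                        # same fix the page applies
echo "after chmod o-r:  $(world_readable "$conf")"       # private

rm -f "$conf"
```

Point count_rules and world_readable at /etc/doas.conf to check a live system; a non-zero nopass count together with "world-readable" is the combination the page's Security section warns against, because anyone on the box can then read exactly which accounts get root for free.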
diff:1623590359:1612244331:=1d0%0a%3c (:redirect Doas.Configure:)%0a66c65%0a%3c [[https://flak.tedunangst.com/post/doas-mastery|Ted Unangst's Doas Mastery]]%0a---%0a> [[https://flak.tedunangst.com/post/doas-mastery|Ted Unangst's Doas Mastery]]%0a\ No newline at end of file%0a
diff:1612244331:1612244025:=16c16%0a%3c # echo "permit persist :wheel as root" >> /etc/doas.conf%0a---%0a> # echo "permit :wheel as root" >> /etc/doas.conf%0a31,32c31,32%0a%3c For this configuration, you will need to provide your user password in order to use doas. The @@persist@@ keyword means that after the password is first provided, doas will not ask again for some time.%0a%3c %0a---%0a> For this configuration, you will need to provide your user password in order to use doas.%0a> %0a43,46c43,46%0a%3c !! Whitelisting users%0a%3c %0a%3c You can also permit a specific user:%0a%3c %0a---%0a> !!%0a> %0a> Here's ''/etc/doas.conf'' should contain (replace user123 with your own username):%0a> %0a48c48%0a%3c # echo "permit nopass user as root" >> /etc/doas.conf%0a---%0a> permit nopass user123 as root%0a51,58c51,54%0a%3c This allows user to login as root using @@doas@@ without a password.%0a%3c %0a%3c !! Security%0a%3c %0a%3c You should avoid logging in as root or running programs as root unless absolutely necessary. Running insecure or malicious programs as root can lead to stolen data. If you find yourself using root when you should not need to, changes are you have a bug somewhere else that needs to be fixed.%0a%3c %0a%3c As a precaution, we should not allow others to read doas.conf:%0a%3c %0a---%0a> This permits user123 to login as root using ''doas'' without a password.%0a> %0a> After doing this, you can confirm it works:%0a> %0a60c56,57%0a%3c $ doas chmod o-r /etc/doas.conf%0a---%0a> $ doas whoami%0a> user123%0a63,65c60,75%0a%3c See also:%0a%3c %0a%3c [[https://flak.tedunangst.com/post/doas-mastery|Ted Unangst's Doas Mastery]]%0a\ No newline at end of file%0a---%0a> If you find the need to constantly enter your user password for when you need to do anything as root annoying, you can have in your ''/etc/doas.conf''%0a> [@%0a> permit persist user123 %0a> @]%0a> %0a> !! 
Security%0a> %0a> Avoid logging in as root or executing programs as root unless absolutely necessary. Running programs as root by default can lead to serious security holes. If you find yourself using root when you should not need to, changes are you have a bug somewhere else that needs to be fixed.%0a> %0a> Don't allow others to read doas.conf:%0a> %0a> [@%0a> $ doas chmod o-r /etc/doas.conf%0a> @]%0a> %0a> See also, https://flak.tedunangst.com/post/doas-mastery%0a\ No newline at end of file%0a
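Review bot: in the 43,46c43,46 and 48c48 regions the new text drops the old "(replace user123 with your own username)" instruction, so `permit nopass user as root` and "This allows user to login as root" now read as if `user` were a literal account name; keep a substitution note next to the new echo command, or spell the placeholder as something that cannot be mistaken for a real login.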
diff:1612244025:1612243484:=3,4d2%0a%3c !! Doas for Group Wheel%0a%3c %0a19,20c17,18%0a%3c This line allows any user in the group wheel to run doas.%0a%3c %0a---%0a> This line allows any user in the group wheel to run doas:%0a> %0a30,43d27%0a%3c %0a%3c For this configuration, you will need to provide your user password in order to use doas.%0a%3c %0a%3c !! No password needed%0a%3c %0a%3c Life is a lot easier when you don't require the user password:%0a%3c %0a%3c [@%0a%3c # echo "permit nopass :wheel as root" >> /etc/doas.conf%0a%3c @]%0a%3c %0a%3c The downside of this more relaxed permission is that anyone gets access to any user in the wheel group gets complete root access over the system. No passwords required for them either. Check if that makes sense with your [[openbsd/security|security goals]].%0a%3c %0a%3c !!%0a
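Review bot: the paragraph added in the 30,43d27 region is missing a word, "anyone gets access to any user in the wheel group gets complete root access" needs "anyone who gets access ..."; the same region also ends with a bare `!!` heading that carries no title, so the section that follows it is unnamed.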
diff:1612243484:1612065887:=1,6c1,2%0a%3c (:title Doas: the Sudo Replacement:)%0a%3c %0a%3c Normally, you don't want to log in as root for security reasons. OpenBSD does not come with ''sudo'' by default; instead, it provides a small, simple utility called [[https://man.openbsd.org/doas|doas]].%0a%3c %0a%3c First, let's use su to log in as root:%0a%3c %0a---%0a> OpenBSD does not come with ''sudo'' by default, and normally you don't want to log in as root. When you need to perform sysadmin tasks, you change to super user by running:%0a> %0a11,12c7,8%0a%3c Next, we will need to edit our [[https://man.openbsd.org/doas.conf|/etc/doas.conf]] file:%0a%3c %0a---%0a> OpenBSD provides ''doas'', a lightweight and secure replacement for ''sudo''. This allows you to run a command as root by doing:%0a> %0a14c10%0a%3c # echo "permit :wheel as root" >> /etc/doas.conf%0a---%0a> $ doas command%0a17,20c13,14%0a%3c This line allows any user in the group wheel to run doas:%0a%3c %0a%3c '''Note''': The # sign means you run this command as root by first logging in using @@su@@. The $ sign means you run the command as your normal user. Do not literally type # or $.%0a%3c %0a---%0a> You will want to add your user to ''/etc/doas.conf'':%0a> %0a22,26c16%0a%3c $ whoami%0a%3c user%0a%3c $ doas whoami%0a%3c doas (user@user.coconut.ircnow.org) password: %0a%3c root%0a---%0a> # vi /etc/doas.conf%0a27a18,19%0a> %0a> (Note the # sign means you must run this as root, by logging in first using ''su''; a $ sign means you run the command as your normal user)%0a
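Review bot: in the 17,20c13,14 region the new sentence "This line allows any user in the group wheel to run doas:" ends with a colon as if a command block followed, but the next line is the '''Note''' paragraph about the # and $ prompts; end the sentence with a period, or move the Note so that the `whoami` session follows the colon directly.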
diff:1612065887:1612065859:=43c43%0a%3c Avoid logging in as root or executing programs as root unless absolutely necessary. Running programs as root by default can lead to serious security holes. If you find yourself using root when you should not need to, changes are you have a bug somewhere else that needs to be fixed.%0a---%0a> Avoid logging in as root or executing programs as root unless absolutely necessary. Running programs as root by default can lead to serious security holes.%0a
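Review bot: the sentence added in the 43c43 region has a typo, "changes are you have a bug somewhere else" should read "chances are you have a bug somewhere else"; it is worth fixing here because the same wording is carried forward into the later Security section.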
diff:1612065859:1610028065:=42,43d41%0a%3c %0a%3c Avoid logging in as root or executing programs as root unless absolutely necessary. Running programs as root by default can lead to serious security holes.%0a
diff:1610028065:1597746265:=39,46d38%0a%3c @]%0a%3c %0a%3c !! Security%0a%3c %0a%3c Don't allow others to read doas.conf:%0a%3c %0a%3c [@%0a%3c $ doas chmod o-r /etc/doas.conf%0a
diff:1597746265:1597746225:=3c3%0a%3c [@%0a---%0a> %3ccode>%0a5,6c5,6%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a9c9%0a%3c [@%0a---%0a> %3ccode>%0a11,12c11,12%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a15c15%0a%3c [@%0a---%0a> %3ccode>%0a17,18c17,18%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a23c23%0a%3c [@%0a---%0a> %3ccode>%0a25,26c25,26%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a31c31%0a%3c [@%0a---%0a> %3ccode>%0a34,35c34,35%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a37c37%0a%3c [@%0a---%0a> %3ccode>%0a39c39%0a%3c @]%0a---%0a> %3c/code>%0a
diff:1597746225:1597746225:=1,41d0%0a%3c OpenBSD does not come with ''sudo'' by default, and normally you don't want to log in as root. When you need to perform sysadmin tasks, you change to super user by running:%0a%3c %0a%3c %3ccode>%0a%3c $ su%0a%3c %3c/code>%0a%3c %0a%3c OpenBSD provides ''doas'', a lightweight and secure replacement for ''sudo''. This allows you to run a command as root by doing:%0a%3c %0a%3c %3ccode>%0a%3c $ doas command%0a%3c %3c/code>%0a%3c %0a%3c You will want to add your user to ''/etc/doas.conf'':%0a%3c %0a%3c %3ccode>%0a%3c # vi /etc/doas.conf%0a%3c %3c/code>%0a%3c %0a%3c (Note the # sign means you must run this as root, by logging in first using ''su''; a $ sign means you run the command as your normal user)%0a%3c %0a%3c Here's ''/etc/doas.conf'' should contain (replace user123 with your own username):%0a%3c %0a%3c %3ccode>%0a%3c permit nopass user123 as root%0a%3c %3c/code>%0a%3c %0a%3c This permits user123 to login as root using ''doas'' without a password.%0a%3c %0a%3c After doing this, you can confirm it works:%0a%3c %0a%3c %3ccode>%0a%3c $ doas whoami%0a%3c user123%0a%3c %3c/code>%0a%3c %0a%3c If you find the need to constantly enter your user password for when you need to do anything as root annoying, you can have in your ''/etc/doas.conf''%0a%3c %3ccode>%0a%3c permit persist user123 %0a%3c %3c/code>%0a%3c %0a%3c See also, https://flak.tedunangst.com/post/doas-mastery%0a\ No newline at end of file%0a