Blame
Date:
Mon Jan 23 05:00:25 2023 UTC
Message:
Daily backup
01
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=w3m/0.5.3+git20190105
author=jrmu
charset=UTF-8
csum=
ctime=1597746225
host=125.231.25.80
name=Openbsd.Doas
rev=9
targets=Openbsd.Security
text=(:redirect Doas.Configure:)%0a(:title Doas: the Sudo Replacement:)%0a%0a!! Doas for Group Wheel%0a%0aNormally, you don't want to log in as root for security reasons. OpenBSD does not come with ''sudo'' by default; instead, it provides a small, simple utility called [[https://man.openbsd.org/doas|doas]].%0a%0aFirst, let's use su to log in as root:%0a%0a[@%0a$ su%0a@]%0a%0aNext, we will need to edit our [[https://man.openbsd.org/doas.conf|/etc/doas.conf]] file:%0a%0a[@%0a# echo "permit persist :wheel as root" >> /etc/doas.conf%0a@]%0a%0aThis line allows any user in the group wheel to run doas.%0a%0a'''Note''': The # sign means you run this command as root by first logging in using @@su@@. The $ sign means you run the command as your normal user. Do not literally type # or $.%0a%0a[@%0a$ whoami%0auser%0a$ doas whoami%0adoas (user@user.coconut.ircnow.org) password: %0aroot%0a@]%0a%0aFor this configuration, you will need to provide your user password in order to use doas. The @@persist@@ keyword means that after the password is first provided, doas will not ask again for some time.%0a%0a!! No password needed%0a%0aLife is a lot easier when you don't require the user password:%0a%0a[@%0a# echo "permit nopass :wheel as root" >> /etc/doas.conf%0a@]%0a%0aThe downside of this more relaxed permission is that anyone who gets access to any user in the wheel group gets complete root access over the system. No passwords required for them either. Check if that makes sense with your [[openbsd/security|security goals]].%0a%0a!! Whitelisting users%0a%0aYou can also permit a specific user:%0a%0a[@%0a# echo "permit nopass user as root" >> /etc/doas.conf%0a@]%0a%0aThis allows user to log in as root using @@doas@@ without a password.%0a%0a!! Security%0a%0aYou should avoid logging in as root or running programs as root unless absolutely necessary. Running insecure or malicious programs as root can lead to stolen data. 
If you find yourself using root when you should not need to, chances are you have a bug somewhere else that needs to be fixed.%0a%0aAs a precaution, we should not allow others to read doas.conf:%0a%0a[@%0a$ doas chmod o-r /etc/doas.conf%0a@]%0a%0aSee also:%0a%0a[[https://flak.tedunangst.com/post/doas-mastery|Ted Unangst's Doas Mastery]]%0a
time=1623590359
title=Doas: the Sudo Replacement
author:1623590359=jrmu
diff:1623590359:1612244331:=1d0%0a%3c (:redirect Doas.Configure:)%0a66c65%0a%3c [[https://flak.tedunangst.com/post/doas-mastery|Ted Unangst's Doas Mastery]]%0a---%0a> [[https://flak.tedunangst.com/post/doas-mastery|Ted Unangst's Doas Mastery]]%0a\ No newline at end of file%0a
host:1623590359=125.231.25.80
author:1612244331=jrmu
diff:1612244331:1612244025:=16c16%0a%3c # echo "permit persist :wheel as root" >> /etc/doas.conf%0a---%0a> # echo "permit :wheel as root" >> /etc/doas.conf%0a31,32c31,32%0a%3c For this configuration, you will need to provide your user password in order to use doas. The @@persist@@ keyword means that after the password is first provided, doas will not ask again for some time.%0a%3c %0a---%0a> For this configuration, you will need to provide your user password in order to use doas.%0a> %0a43,46c43,46%0a%3c !! Whitelisting users%0a%3c %0a%3c You can also permit a specific user:%0a%3c %0a---%0a> !!%0a> %0a> Here's ''/etc/doas.conf'' should contain (replace user123 with your own username):%0a> %0a48c48%0a%3c # echo "permit nopass user as root" >> /etc/doas.conf%0a---%0a> permit nopass user123 as root%0a51,58c51,54%0a%3c This allows user to login as root using @@doas@@ without a password.%0a%3c %0a%3c !! Security%0a%3c %0a%3c You should avoid logging in as root or running programs as root unless absolutely necessary. Running insecure or malicious programs as root can lead to stolen data. If you find yourself using root when you should not need to, changes are you have a bug somewhere else that needs to be fixed.%0a%3c %0a%3c As a precaution, we should not allow others to read doas.conf:%0a%3c %0a---%0a> This permits user123 to login as root using ''doas'' without a password.%0a> %0a> After doing this, you can confirm it works:%0a> %0a60c56,57%0a%3c $ doas chmod o-r /etc/doas.conf%0a---%0a> $ doas whoami%0a> user123%0a63,65c60,75%0a%3c See also:%0a%3c %0a%3c [[https://flak.tedunangst.com/post/doas-mastery|Ted Unangst's Doas Mastery]]%0a\ No newline at end of file%0a---%0a> If you find the need to constantly enter your user password for when you need to do anything as root annoying, you can have in your ''/etc/doas.conf''%0a> [@%0a> permit persist user123 %0a> @]%0a> %0a> !! 
Security%0a> %0a> Avoid logging in as root or executing programs as root unless absolutely necessary. Running programs as root by default can lead to serious security holes. If you find yourself using root when you should not need to, changes are you have a bug somewhere else that needs to be fixed.%0a> %0a> Don't allow others to read doas.conf:%0a> %0a> [@%0a> $ doas chmod o-r /etc/doas.conf%0a> @]%0a> %0a> See also, https://flak.tedunangst.com/post/doas-mastery%0a\ No newline at end of file%0a
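Review bot: the new "Whitelisting users" text no longer tells the reader that `user` is a placeholder. The older side of the 43,46 hunk had "replace user123 with your own username", while the newer side has only `permit nopass user as root` and "This allows user to login as root". Keep a sentence saying to substitute the real login name. The 51,58 and 60 hunks also drop the `doas whoami` confirmation that followed this rule; because the rule is now appended with `>>`, a check after it is still worth keeping, with the expected output shown as `root` rather than the old `user123`.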
host:1612244331=198.251.81.119
author:1612244025=jrmu
diff:1612244025:1612243484:=3,4d2%0a%3c !! Doas for Group Wheel%0a%3c %0a19,20c17,18%0a%3c This line allows any user in the group wheel to run doas.%0a%3c %0a---%0a> This line allows any user in the group wheel to run doas:%0a> %0a30,43d27%0a%3c %0a%3c For this configuration, you will need to provide your user password in order to use doas.%0a%3c %0a%3c !! No password needed%0a%3c %0a%3c Life is a lot easier when you don't require the user password:%0a%3c %0a%3c [@%0a%3c # echo "permit nopass :wheel as root" >> /etc/doas.conf%0a%3c @]%0a%3c %0a%3c The downside of this more relaxed permission is that anyone gets access to any user in the wheel group gets complete root access over the system. No passwords required for them either. Check if that makes sense with your [[openbsd/security|security goals]].%0a%3c %0a%3c !!%0a
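Review bot: the added "No password needed" section appends `permit nopass :wheel as root` with `>>` to a file that the previous section already gave a `:wheel` rule, and the text does not say that both lines now sit in /etc/doas.conf. doas.conf(5) applies the last matching rule, so the appended `nopass` line is the one that takes effect; state that, or tell the reader to replace the earlier line instead of appending. In the same hunk, "anyone gets access to any user in the wheel group gets complete root access" is missing a "who" after "anyone".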
host:1612244025=198.251.81.119
author:1612243484=jrmu
diff:1612243484:1612065887:=1,6c1,2%0a%3c (:title Doas: the Sudo Replacement:)%0a%3c %0a%3c Normally, you don't want to log in as root for security reasons. OpenBSD does not come with ''sudo'' by default; instead, it provides a small, simple utility called [[https://man.openbsd.org/doas|doas]].%0a%3c %0a%3c First, let's use su to log in as root:%0a%3c %0a---%0a> OpenBSD does not come with ''sudo'' by default, and normally you don't want to log in as root. When you need to perform sysadmin tasks, you change to super user by running:%0a> %0a11,12c7,8%0a%3c Next, we will need to edit our [[https://man.openbsd.org/doas.conf|/etc/doas.conf]] file:%0a%3c %0a---%0a> OpenBSD provides ''doas'', a lightweight and secure replacement for ''sudo''. This allows you to run a command as root by doing:%0a> %0a14c10%0a%3c # echo "permit :wheel as root" >> /etc/doas.conf%0a---%0a> $ doas command%0a17,20c13,14%0a%3c This line allows any user in the group wheel to run doas:%0a%3c %0a%3c '''Note''': The # sign means you run this command as root by first logging in using @@su@@. The $ sign means you run the command as your normal user. Do not literally type # or $.%0a%3c %0a---%0a> You will want to add your user to ''/etc/doas.conf'':%0a> %0a22,26c16%0a%3c $ whoami%0a%3c user%0a%3c $ doas whoami%0a%3c doas (user@user.coconut.ircnow.org) password: %0a%3c root%0a---%0a> # vi /etc/doas.conf%0a27a18,19%0a> %0a> (Note the # sign means you must run this as root, by logging in first using ''su''; a $ sign means you run the command as your normal user)%0a
host:1612243484=198.251.81.119
author:1612065887=jrmu
diff:1612065887:1612065859:=43c43%0a%3c Avoid logging in as root or executing programs as root unless absolutely necessary. Running programs as root by default can lead to serious security holes. If you find yourself using root when you should not need to, changes are you have a bug somewhere else that needs to be fixed.%0a---%0a> Avoid logging in as root or executing programs as root unless absolutely necessary. Running programs as root by default can lead to serious security holes.%0a
host:1612065887=125.224.24.163
author:1612065859=jrmu
diff:1612065859:1610028065:=42,43d41%0a%3c %0a%3c Avoid logging in as root or executing programs as root unless absolutely necessary. Running programs as root by default can lead to serious security holes.%0a
host:1612065859=125.224.24.163
author:1610028065=jrmu
diff:1610028065:1597746265:=39,46d38%0a%3c @]%0a%3c %0a%3c !! Security%0a%3c %0a%3c Don't allow others to read doas.conf:%0a%3c %0a%3c [@%0a%3c $ doas chmod o-r /etc/doas.conf%0a
host:1610028065=125.231.63.134
author:1597746265=jrmu
diff:1597746265:1597746225:=3c3%0a%3c [@%0a---%0a> %3ccode>%0a5,6c5,6%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a9c9%0a%3c [@%0a---%0a> %3ccode>%0a11,12c11,12%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a15c15%0a%3c [@%0a---%0a> %3ccode>%0a17,18c17,18%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a23c23%0a%3c [@%0a---%0a> %3ccode>%0a25,26c25,26%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a31c31%0a%3c [@%0a---%0a> %3ccode>%0a34,35c34,35%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a37c37%0a%3c [@%0a---%0a> %3ccode>%0a39c39%0a%3c @]%0a---%0a> %3c/code>%0a
host:1597746265=38.81.163.143
author:1597746225=jrmu
diff:1597746225:1597746225:=1,41d0%0a%3c OpenBSD does not come with ''sudo'' by default, and normally you don't want to log in as root. When you need to perform sysadmin tasks, you change to super user by running:%0a%3c %0a%3c %3ccode>%0a%3c $ su%0a%3c %3c/code>%0a%3c %0a%3c OpenBSD provides ''doas'', a lightweight and secure replacement for ''sudo''. This allows you to run a command as root by doing:%0a%3c %0a%3c %3ccode>%0a%3c $ doas command%0a%3c %3c/code>%0a%3c %0a%3c You will want to add your user to ''/etc/doas.conf'':%0a%3c %0a%3c %3ccode>%0a%3c # vi /etc/doas.conf%0a%3c %3c/code>%0a%3c %0a%3c (Note the # sign means you must run this as root, by logging in first using ''su''; a $ sign means you run the command as your normal user)%0a%3c %0a%3c Here's ''/etc/doas.conf'' should contain (replace user123 with your own username):%0a%3c %0a%3c %3ccode>%0a%3c permit nopass user123 as root%0a%3c %3c/code>%0a%3c %0a%3c This permits user123 to login as root using ''doas'' without a password.%0a%3c %0a%3c After doing this, you can confirm it works:%0a%3c %0a%3c %3ccode>%0a%3c $ doas whoami%0a%3c user123%0a%3c %3c/code>%0a%3c %0a%3c If you find the need to constantly enter your user password for when you need to do anything as root annoying, you can have in your ''/etc/doas.conf''%0a%3c %3ccode>%0a%3c permit persist user123 %0a%3c %3c/code>%0a%3c %0a%3c See also, https://flak.tedunangst.com/post/doas-mastery%0a\ No newline at end of file%0a
host:1597746225=38.81.163.143
IRCNow