Blame
Date:
Sun Jan 29 05:00:28 2023 UTC
Message:
Daily backup
01
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
02
2023-01-22
jrmu
agent=w3m/0.5.3+git20210102
03
2023-01-22
jrmu
author=jrmu
04
2023-01-22
jrmu
charset=UTF-8
05
2023-01-22
jrmu
csum=
06
2023-01-22
jrmu
ctime=1617882861
07
2023-01-22
jrmu
host=38.87.162.8
08
2023-01-22
jrmu
name=Doas.Configure
09
2023-01-22
jrmu
rev=12
10
2023-01-22
jrmu
targets=Ksh.Redirection
11
2023-01-22
jrmu
text=(:title Doas: the Sudo Replacement:)%0a%0a!! Doas for Group Wheel%0a%0aNormally, you don't want to log in as root for security reasons. OpenBSD does not come with ''sudo'' by default; instead, it provides a small, simple utility called [[https://man.openbsd.org/doas|doas]].%0a%0aFirst, let's use su to log in as root:%0a%0a[@%0a$ su%0aPassword:%0a@]%0a%0aNext, we create [[https://man.openbsd.org/doas.conf|/etc/doas.conf]] using this command:%0a%0a[@%0a# echo "permit persist :wheel" >> /etc/doas.conf%0a@]%0a%0aThis allows any user in the group wheel to run commands as root with doas. The shell's [[ksh/redirection|redirection operator]] @@>>@@ appends to the end of a file (or creates it if it does not already exist).%0a%0a'''Note''': The # sign means you run this command as root by first logging in using @@su@@. The $ sign means you run the command as your normal user. Do not literally type # or $.%0a%0a'''Note''': redirection with @@>@@ and @@>>@@ is done by your '''shell''', before the command on that line is started. This means that the command below probably does '''NOT''' work:%0a%0a[@%0a$ doas echo "permit nopass :wheel" >> /etc/doas.conf%0a@]%0a%0aOnly @@echo@@ would run as root; your shell opens /etc/doas.conf for writing as your current non-root user, who probably does not have write permission to it, so the redirection fails before doas is ever run.%0a%0aAfterwards, exit su:%0a%0a[@%0a# exit%0a@]%0a%0aYou could also type @@ctrl+d@@ to tell the shell you've reached the end-of-file and want to exit.%0a%0aNext, test the configuration:%0a%0a[@%0a$ whoami%0auser%0a$ doas whoami%0adoas (user@user.coconut.ircnow.org) password: %0aroot%0a@]%0a%0aFor this configuration, you will need to provide your user password in order to use doas. The @@persist@@ keyword means that after the password is first provided, doas will not ask again for some time. To check doas.conf for syntax errors without running any command, use @@doas -C /etc/doas.conf@@.%0a%0a!! No password needed%0a%0aLife is a lot easier when you don't require the user password.%0a%0aRun doas with the @@-s@@ argument to get a shell as root, then append to doas.conf:%0a%0a[@%0a$ doas -s%0a# echo "permit nopass :wheel" >> /etc/doas.conf%0a# exit%0a@]%0a%0aRules in doas.conf are evaluated in order and the last matching rule wins, so this @@nopass@@ rule, appended after the @@persist@@ rule, is the one that now applies to group wheel. Had it been placed before the @@persist@@ rule instead, doas would still ask for a password.%0a%0aThe drawback to this configuration is that any user in the wheel group gets complete root access without requiring any password: anyone who gets into a wheel user's account, for example through a leaked SSH key or a compromised program running as that user, is root with no further authentication.%0a%0a!! Whitelisting users%0a%0aYou can also permit a specific user:%0a%0a[@%0a# echo "permit nopass user" >> /etc/doas.conf%0a@]%0a%0aThis allows user to run commands as root using @@doas@@ without a password. If a user only needs one privileged command, restrict the rule to that command with the @@cmd@@ keyword instead of granting unrestricted root; see [[https://man.openbsd.org/doas.conf|doas.conf(5)]].%0a%0a!! Security%0a%0aYou should avoid logging in as root or running programs as root unless absolutely necessary. Running insecure or malicious programs as root can lead to stolen data or a fully compromised system. If you find yourself using root when you should not need to, chances are you have a bug somewhere else that needs to be fixed.%0a%0aAs a precaution, we should not allow others to read doas.conf:%0a%0a[@%0a$ doas chmod o-r /etc/doas.conf%0a@]%0a%0adoas itself refuses to use a configuration file that is not owned by root or that is writable by group or others, so if doas stops working after you edit the file, check its owner and mode first.%0a%0aSee also:%0a%0a[[https://flak.tedunangst.com/post/doas-mastery|Ted Unangst's Doas Mastery]]%0a
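The rule matching and file checks that the page text above relies on, as an added example (this is not the page's own material and not OpenBSD's doas source): a small Python model of how doas reads doas.conf, covering the permit/deny grammar of doas.conf(5), the last-matching-rule-wins semantics that make the order of the three appended lines matter, and the owner/mode checks doas applies to the file. Group membership is passed in explicitly rather than looked up in the system group database (an assumption), `PAGE_CONF` is constructed from the three echo commands on the page, and all function names are the example's own.

```python
"""Model of how doas reads /etc/doas.conf (added example, not OpenBSD's doas code).

Simplified re-implementation of the rule syntax and matching in doas.conf(5):
    permit|deny [options] identity [as target] [cmd command [args ...]]
identity is a user name or ":group"; options are nopass, persist, keepenv and
setenv { ... }; the target defaults to root; rules are evaluated in order and
the LAST matching rule decides.  Group membership is passed in explicitly
(assumption) instead of being looked up in the system group database.
"""
import re
import stat

OPTION_WORDS = ("nopass", "persist", "keepenv")
SETENV_BLOCK = re.compile(r"setenv\s*\{[^}]*\}")

# Constructed from the three echo commands on the page, in the order they are run.
PAGE_CONF = """\
permit persist :wheel
permit nopass :wheel
permit nopass user
"""


def _take(tok, what):
    if not tok:
        raise ValueError("missing %s" % what)
    return tok.pop(0)


def parse_rule(line):
    """Parse one doas.conf line into a dict; blank lines and comments give None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    # A setenv { ... } block never affects whether a rule matches, so drop it first.
    line, nsetenv = SETENV_BLOCK.subn("", line)
    tok = line.split()
    action = _take(tok, "action")
    if action not in ("permit", "deny"):
        raise ValueError("unknown action %r" % action)
    options = {"setenv"} if nsetenv else set()
    while tok and tok[0] in OPTION_WORDS:
        options.add(tok.pop(0))
    identity = _take(tok, "identity")
    target, cmd, args = "root", None, None
    if tok[:1] == ["as"]:
        tok.pop(0)
        target = _take(tok, "target user")
    if tok[:1] == ["cmd"]:
        tok.pop(0)
        cmd = _take(tok, "command")
        if tok[:1] == ["args"]:
            tok.pop(0)
            args, tok = tok[:], []      # a bare "args" means: no arguments allowed
    if tok:
        raise ValueError("trailing tokens %r" % tok)
    return {"action": action, "options": options, "identity": identity,
            "target": target, "cmd": cmd, "args": args}


def parse_config(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def decide(rules, user, groups=(), target="root", cmd=None, cmdargs=None):
    """Return (action, options) of the LAST matching rule; no match means deny."""
    hit = None
    for r in rules:
        if r["identity"].startswith(":"):
            if r["identity"][1:] not in groups:
                continue
        elif r["identity"] != user:
            continue
        if r["target"] != target:
            continue
        if r["cmd"] is not None:
            if cmd != r["cmd"]:
                continue
            if r["args"] is not None and list(cmdargs or []) != r["args"]:
                continue
        hit = r                 # keep scanning: a later matching rule overrides this one
    return ("deny", set()) if hit is None else (hit["action"], set(hit["options"]))


def unrestricted_nopass_rules(rules):
    """permit rules that give password-less access to ANY command as the target."""
    return [r for r in rules
            if r["action"] == "permit" and "nopass" in r["options"] and r["cmd"] is None]


def mode_problems(mode):
    """Problems doas (and this page) would raise about a config file with this mode."""
    problems = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")   # doas refuses such a file
    if mode & stat.S_IROTH:
        problems.append("readable by others")            # the page's chmod o-r step
    return problems


if __name__ == "__main__":
    rules = parse_config(PAGE_CONF)
    print(decide(rules[:1], "user", groups=("wheel",)))   # ('permit', {'persist'})
    print(decide(rules, "user", groups=("wheel",)))       # ('permit', {'nopass'})
    print(decide(rules, "bob"))                           # ('deny', set())
    for r in unrestricted_nopass_rules(rules):
        print("warning: unrestricted nopass root for", r["identity"])
    print(mode_problems(0o644))                           # ['readable by others']
```

Feeding the two wheel rules in the opposite order to `decide` returns `('permit', {'persist'})`, which is the point the page makes about appending: the rule that is written last is the one doas enforces. `unrestricted_nopass_rules` flags both nopass lines from the page, since neither carries a `cmd` restriction; ownership by root, which doas also insists on, is deliberately left to a real `stat` of the file and not modelled here.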
12
2023-01-22
jrmu
time=1654761374
13
2023-01-22
jrmu
title=Doas: the Sudo Replacement
14
2023-01-22
jrmu
author:1654761374=jrmu
15
2023-01-22
jrmu
diff:1654761374:1654761314:=65c65%0a%3c The drawback to this configuration is that any user in the wheel group gets complete root access without requiring any password.%0a---%0a> The drawback to this configuration is that any user in the wheel group gets complete root access. No passwords are required.%0a
16
2023-01-22
jrmu
host:1654761374=38.87.162.8
17
2023-01-22
jrmu
author:1654761314=jrmu
18
2023-01-22
jrmu
diff:1654761314:1636637418:=25c25%0a%3c '''Note''': redirection with @@>@@ and @@>>@@ is done by your '''shell'''. This means that the command below probably does '''NOT''' work:%0a---%0a> '''Note''': redirection with @@>@@ and @@>>@@) is done by your '''shell'''. This means that the command below probably does '''NOT''' work:%0a
19
2023-01-22
jrmu
host:1654761314=38.87.162.8
20
2023-01-22
jrmu
author:1636637418=starewind
21
2023-01-22
jrmu
csum:1636637418=then overwrite doas.conf - changed to then append to doas.conf
22
2023-01-22
jrmu
diff:1636637418:1629704462:minor=57c57%0a%3c Run doas with the @@-s@@ argument to get a shell as root, then append to doas.conf:%0a---%0a> Run doas with the @@-s@@ argument to get a shell as root, then overwrite doas.conf:%0a
23
2023-01-22
jrmu
host:1636637418=159.223.30.236
24
2023-01-22
jrmu
author:1629704462=jrmu
25
2023-01-22
jrmu
diff:1629704462:1629704374:=28c28%0a%3c $ doas echo "permit nopass :wheel" >> /etc/doas.conf%0a---%0a> $ doas echo "%3cconfig line>" >> /etc/doas.conf%0a
26
2023-01-22
jrmu
host:1629704462=38.87.162.8
27
2023-01-22
jrmu
author:1629704374=jrmu
28
2023-01-22
jrmu
diff:1629704374:1629690820:=24,31d23%0a%3c %0a%3c '''Note''': redirection with @@>@@ and @@>>@@) is done by your '''shell'''. This means that the command below probably does '''NOT''' work:%0a%3c %0a%3c [@%0a%3c $ doas echo "%3cconfig line>" >> /etc/doas.conf%0a%3c @]%0a%3c %0a%3c This is because your current non-root user will probably not have write permissions /etc/doas.conf.%0a
29
2023-01-22
jrmu
host:1629704374=38.87.162.8
30
2023-01-22
jrmu
author:1629690820=jrmu
31
2023-01-22
jrmu
diff:1629690820:1629690631:=17c17%0a%3c # echo "permit persist :wheel" >> /etc/doas.conf%0a---%0a> # echo "permit persist :wheel" > /etc/doas.conf%0a53c53%0a%3c # echo "permit nopass :wheel" >> /etc/doas.conf%0a---%0a> # echo "permit nopass :wheel" > /etc/doas.conf%0a
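Review bot: the switch to `>>` is right for the second command: with `>` the nopass line would have replaced the persist rule instead of following it, and because doas.conf applies the last matching rule, the appended `permit nopass :wheel` is now the one that takes effect for group wheel. The page text should state that ordering rule, since a reader who appends the two lines the other way round will still be prompted for a password. The first command now also appends rather than truncates, so an existing doas.conf is preserved; running either echo twice will leave duplicate lines, which is harmless under last-match semantics but worth checking for.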
32
2023-01-22
jrmu
host:1629690820=198.251.81.119
33
2023-01-22
jrmu
author:1629690631=jrmu
34
2023-01-22
jrmu
diff:1629690631:1629690482:=21c21%0a%3c This allows any user in the group wheel to run doas. The shell's [[ksh/redirection|redirection operator]] @@>>@@ appends to the end of a file (or creates it if it does not already exist).%0a---%0a> This allows any user in the group wheel to run doas. The shell's [[pipes/redirection|redirection operator]] @@>>@@ appends to the end of a file (or creates it if it does not already exist).%0a
35
2023-01-22
jrmu
host:1629690631=198.251.81.119
36
2023-01-22
jrmu
author:1629690482=jrmu
37
2023-01-22
jrmu
diff:1629690482:1629689571:=5,6c5,7%0a%3c Normally, you don't want to log in as root for security reasons. OpenBSD does not come with ''sudo'' by default; instead, it provides a small, simple utility called [[https://man.openbsd.org/doas|doas]].%0a%3c %0a---%0a> Normally, you don't want to log in as root for security reasons. OpenBSD does not come with ''sudo'' by default; instead, it provides a small, simple utility called [[https://man.openbsd.org/doas|doas]]. \\%0a> When you haven't used doas yet, such as after a fresh install, then we need to start by configuring it.%0a> %0a21,22c22,24%0a%3c This allows any user in the group wheel to run doas. The shell's [[pipes/redirection|redirection operator]] @@>>@@ appends to the end of a file (or creates it if it does not already exist).%0a%3c %0a---%0a> This line (being echo-ed) allows any user in the group wheel to run doas. \\%0a> Recall that the shell's @@redirection operator@@ @@>@@ overwrites the file (or creates it when it doesn't exist) whereas @@>>@@ would append to the file (or creates it when it doesn't exist).%0a> %0a25,26c27,28%0a%3c Afterwards, exit su:%0a%3c %0a---%0a> After you exit su (using @@exit@@ or using the key-combo @@CTRL+D@@) you can test this configuration:%0a> %0a28a31,35%0a> $ whoami%0a> user%0a> $ doas whoami%0a> doas (user@user.coconut.ircnow.org) password: %0a> root%0a31,34c38,44%0a%3c You could also type @@ctrl+d@@ to tell the shell you've reached the end-of-file and want to exit.%0a%3c %0a%3c Next, test the configuration:%0a%3c %0a---%0a> For this configuration, you will need to provide your user password in order to use doas. The @@persist@@ keyword means that after the password is first provided, doas will not ask again for some time.%0a> %0a> !! No password needed%0a> %0a> Life is a lot easier when you don't require the user password. 
\\%0a> This time we will use doas with the @@-s@@ argument to give us a shell as root to overwrite our doas.conf as follows:%0a> %0a36,40c46,48%0a%3c $ whoami%0a%3c user%0a%3c $ doas whoami%0a%3c doas (user@user.coconut.ircnow.org) password: %0a%3c root%0a---%0a> $ doas -s%0a> # echo "permit nopass :wheel" > /etc/doas.conf%0a> # exit%0a43,57c51,58%0a%3c For this configuration, you will need to provide your user password in order to use doas. The @@persist@@ keyword means that after the password is first provided, doas will not ask again for some time.%0a%3c %0a%3c !! No password needed%0a%3c %0a%3c Life is a lot easier when you don't require the user password.%0a%3c %0a%3c Run doas with the @@-s@@ argument to get a shell as root, then overwrite doas.conf:%0a%3c %0a%3c [@%0a%3c $ doas -s%0a%3c # echo "permit nopass :wheel" > /etc/doas.conf%0a%3c # exit%0a%3c @]%0a%3c %0a%3c The drawback to this configuration is that any user in the wheel group gets complete root access. No passwords are required.%0a---%0a> The downside of this more relaxed permission is that anyone gets access to any user in the wheel group gets complete root access over the system. No passwords required for them either. Check if that makes sense with your [[openbsd/security|security goals]].%0a> %0a> '''Note''': redirection (@@>@@, @@>>@@) is done by ''your shell'', so just using @@$ doas echo "%3cconfig line>" > /etc/doas.conf@@ would '''not''' work if your current non-root user doesn't have write permissions to that config file! See this [[https://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr|link]] for more info.%0a> %0a> !! Whitelisting users%0a> %0a> You can also permit a specific user:%0a> %0a
38
2023-01-22
jrmu
host:1629690482=198.251.81.119
39
2023-01-22
jrmu
author:1629689571=
40
2023-01-22
jrmu
diff:1629689571:1621503119:minor=5,7c5,6%0a%3c Normally, you don't want to log in as root for security reasons. OpenBSD does not come with ''sudo'' by default; instead, it provides a small, simple utility called [[https://man.openbsd.org/doas|doas]]. \\%0a%3c When you haven't used doas yet, such as after a fresh install, then we need to start by configuring it.%0a%3c %0a---%0a> Normally, you don't want to log in as root for security reasons. OpenBSD does not come with ''sudo'' by default; instead, it provides a small, simple utility called [[https://man.openbsd.org/doas|doas]].%0a> %0a12d10%0a%3c Password:%0a18c16%0a%3c # echo "permit persist :wheel" > /etc/doas.conf%0a---%0a> # echo "permit persist :wheel" >> /etc/doas.conf%0a21,24c19,20%0a%3c %0a%3c This line (being echo-ed) allows any user in the group wheel to run doas. \\%0a%3c Recall that the shell's @@redirection operator@@ @@>@@ overwrites the file (or creates it when it doesn't exist) whereas @@>>@@ would append to the file (or creates it when it doesn't exist).%0a%3c %0a---%0a> This line allows any user in the group wheel to run doas.%0a> %0a27,28d22%0a%3c After you exit su (using @@exit@@ or using the key-combo @@CTRL+D@@) you can test this configuration:%0a%3c %0a30d23%0a%3c # exit%0a42,44c35,36%0a%3c Life is a lot easier when you don't require the user password. \\%0a%3c This time we will use doas with the @@-s@@ argument to give us a shell as root to overwrite our doas.conf as follows:%0a%3c %0a---%0a> Life is a lot easier when you don't require the user password. We run this command:%0a> %0a46,48c38%0a%3c $ doas -s%0a%3c # echo "permit nopass :wheel" > /etc/doas.conf%0a%3c # exit%0a---%0a> # echo "permit nopass :wheel" >> /etc/doas.conf%0a52,53d41%0a%3c %0a%3c '''Note''': redirection (@@>@@, @@>>@@) is done by ''your shell'', so just using @@$ doas echo "%3cconfig line>" > /etc/doas.conf@@ would '''not''' work if your current non-root user doesn't have write permissions to that config file! 
See this [[https://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr|link]] for more info.%0a
41
2023-01-22
jrmu
host:1629689571=38.87.162.129
42
2023-01-22
jrmu
author:1621503119=jrmu
43
2023-01-22
jrmu
diff:1621503119:1618754519:=16c16%0a%3c # echo "permit persist :wheel" >> /etc/doas.conf%0a---%0a> # echo "permit persist :wheel as root" >> /etc/doas.conf%0a38c38%0a%3c # echo "permit nopass :wheel" >> /etc/doas.conf%0a---%0a> # echo "permit nopass :wheel as root" >> /etc/doas.conf%0a48c48%0a%3c # echo "permit nopass user" >> /etc/doas.conf%0a---%0a> # echo "permit nopass user as root" >> /etc/doas.conf%0a65c65%0a%3c [[https://flak.tedunangst.com/post/doas-mastery|Ted Unangst's Doas Mastery]]%0a---%0a> [[https://flak.tedunangst.com/post/doas-mastery|Ted Unangst's Doas Mastery]]%0a\ No newline at end of file%0a
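Review bot: dropping `as root` from the three rules does not change behaviour: doas.conf(5) defaults the target to root when no `as` clause is given, so `permit persist :wheel` and `permit persist :wheel as root` are equivalent. Fine as a simplification; the longer form only becomes necessary when the target is some other user.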
44
2023-01-22
jrmu
host:1621503119=38.81.163.143
45
2023-01-22
jrmu
author:1618754519=jrmu
46
2023-01-22
jrmu
diff:1618754519:1617882861:=13,14c13,14%0a%3c Next, we create [[https://man.openbsd.org/doas.conf|/etc/doas.conf]] using this command:%0a%3c %0a---%0a> Next, we will need to edit our [[https://man.openbsd.org/doas.conf|/etc/doas.conf]] file:%0a> %0a35c35%0a%3c Life is a lot easier when you don't require the user password. We run this command:%0a---%0a> Life is a lot easier when you don't require the user password:%0a
47
2023-01-22
jrmu
host:1618754519=198.251.81.119
48
2023-01-22
jrmu
author:1617882861=jrmu
49
2023-01-22
jrmu
diff:1617882861:1617882861:=1,65d0%0a%3c (:title Doas: the Sudo Replacement:)%0a%3c %0a%3c !! Doas for Group Wheel%0a%3c %0a%3c Normally, you don't want to log in as root for security reasons. OpenBSD does not come with ''sudo'' by default; instead, it provides a small, simple utility called [[https://man.openbsd.org/doas|doas]].%0a%3c %0a%3c First, let's use su to log in as root:%0a%3c %0a%3c [@%0a%3c $ su%0a%3c @]%0a%3c %0a%3c Next, we will need to edit our [[https://man.openbsd.org/doas.conf|/etc/doas.conf]] file:%0a%3c %0a%3c [@%0a%3c # echo "permit persist :wheel as root" >> /etc/doas.conf%0a%3c @]%0a%3c %0a%3c This line allows any user in the group wheel to run doas.%0a%3c %0a%3c '''Note''': The # sign means you run this command as root by first logging in using @@su@@. The $ sign means you run the command as your normal user. Do not literally type # or $.%0a%3c %0a%3c [@%0a%3c $ whoami%0a%3c user%0a%3c $ doas whoami%0a%3c doas (user@user.coconut.ircnow.org) password: %0a%3c root%0a%3c @]%0a%3c %0a%3c For this configuration, you will need to provide your user password in order to use doas. The @@persist@@ keyword means that after the password is first provided, doas will not ask again for some time.%0a%3c %0a%3c !! No password needed%0a%3c %0a%3c Life is a lot easier when you don't require the user password:%0a%3c %0a%3c [@%0a%3c # echo "permit nopass :wheel as root" >> /etc/doas.conf%0a%3c @]%0a%3c %0a%3c The downside of this more relaxed permission is that anyone gets access to any user in the wheel group gets complete root access over the system. No passwords required for them either. Check if that makes sense with your [[openbsd/security|security goals]].%0a%3c %0a%3c !! Whitelisting users%0a%3c %0a%3c You can also permit a specific user:%0a%3c %0a%3c [@%0a%3c # echo "permit nopass user as root" >> /etc/doas.conf%0a%3c @]%0a%3c %0a%3c This allows user to login as root using @@doas@@ without a password.%0a%3c %0a%3c !! 
Security%0a%3c %0a%3c You should avoid logging in as root or running programs as root unless absolutely necessary. Running insecure or malicious programs as root can lead to stolen data. If you find yourself using root when you should not need to, changes are you have a bug somewhere else that needs to be fixed.%0a%3c %0a%3c As a precaution, we should not allow others to read doas.conf:%0a%3c %0a%3c [@%0a%3c $ doas chmod o-r /etc/doas.conf%0a%3c @]%0a%3c %0a%3c See also:%0a%3c %0a%3c [[https://flak.tedunangst.com/post/doas-mastery|Ted Unangst's Doas Mastery]]%0a\ No newline at end of file%0a
50
2023-01-22
jrmu
host:1617882861=198.251.81.44
IRCNow