Setting up doas with passwordless authorization
Ever since I discovered that Alpine Linux was running a shim for the sudo command in the background, I wanted to see what the new kid on the block was all about:
Initially, my fingers had muscle memory from typing 'sudo' for the past 12 years or so. But quite quickly I realized that there were not many differences in the experience, and quite frankly I liked it. Recently, then, came another challenge: passwordless doas commands.
If you've dealt with a sudoers file before, you already know what a gargantuan amount of complexity it takes to declare, with the correct syntax, that ALL=(ALL:ALL) alphabet soup which fine-tunes the permissions per user of the machine. And sticking a NOPASSWD condition in there without reading some online documentation first is asking for trouble. Yet, particularly here, doas shines with its simplicity:
# traditional 'sudo-like' behaviour with timer
permit persist :wheel
# loginctl suspend to work without password:
permit nopass :wheel as root cmd /bin/loginctl
And that's it. Two lines (the last one extensible) that define everything we need. Note that, as written, the nopass rule lets anyone in wheel run /bin/loginctl with any arguments, poweroff included; doas.conf accepts an args clause after cmd if you want to pin the allowed arguments to exactly suspend. There is only one tiny catch: invocation.
When setting up doas for passwordless authentication, the rule's cmd should be written as /path/to/executable, as above, but here's the thing: doas compares that string with the command exactly as you typed it on the command line (argv[0]), without resolving it through PATH first. So you also must call doas /path/to/executable to make use of the rule you've set!
In short, you must run doas /bin/loginctl suspend if you want to suspend the machine passwordlessly. Otherwise the passwordless rule simply does not match, the general persist rule is the only one left that applies, and doas demands authentication:
$ cat /etc/doas.conf
permit persist :wheel
permit nopass :wheel as root cmd /usr/bin/id
$ doas /usr/bin/id    # calling the full path to the binary
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
$ doas $(which id)    # 'which id' resolves to /usr/bin/id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
$ doas id             # oops, no rule for only 'id'! Authentication required.
doas (email@example.com) password:
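To make the matching behaviour concrete, here is an added example, not code from the post or from doas itself: a small POSIX sh emulator of the rule matching described in doas.conf(5). It applies the three properties the transcript above hinges on: the last matching rule wins, a rule's cmd is compared as a plain string against the command exactly as typed (no PATH resolution), and an args clause has to match the remaining arguments exactly. The doas.conf it reads is constructed inline (the post's two rules plus a loginctl rule pinned with args suspend), the function name doas_auth_needed is mine, identity matching is assumed to succeed (the caller is taken to be in :wheel), and setenv { ... } blocks are not parsed.

```shell
#!/bin/sh
# Added example (not from the post or from doas): emulate how doas decides,
# from a doas.conf, whether the typed command is permitted and whether it
# prompts. Per doas.conf(5): the last matching rule wins; "cmd" is compared
# as a string against argv[0] exactly as typed, with no PATH lookup; an
# "args" clause must equal the remaining arguments exactly.
# Assumptions: the caller matches every identity (is in :wheel);
# setenv { ... } blocks are not parsed.

# Constructed doas.conf: the post's two rules, plus one pinned with "args".
DOAS_CONF='# traditional sudo-like behaviour with timer
permit persist :wheel
# id without a password, but only when invoked by its full path
permit nopass :wheel as root cmd /usr/bin/id
# loginctl suspend without a password; other loginctl verbs still prompt
permit nopass :wheel as root cmd /bin/loginctl args suspend'

# doas_auth_needed COMMAND [ARG...]
# Prints one of: nopass (no prompt), persist (prompt, then cached),
# password (prompt every time), deny (no permit rule matched).
doas_auth_needed() {
    typed_cmd=$1; shift
    typed_args=$*
    verdict=deny
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line                    # tokenize the rule
        action=$1; shift
        mode=password rule_cmd='' rule_args='' has_args=0
        while [ $# -gt 0 ]; do
            case $1 in
                nopass)  mode=nopass ;;
                persist) mode=persist ;;
                nolog|keepenv) ;;
                as)      shift ;;       # skip the target user
                cmd)     shift; rule_cmd=$1 ;;
                args)    shift; has_args=1; rule_args=$*; break ;;
                *)       ;;             # identity (user or :group): assumed to match
            esac
            shift
        done
        # cmd is an exact string comparison: "id" never equals "/usr/bin/id"
        [ -z "$rule_cmd" ] || [ "$rule_cmd" = "$typed_cmd" ] || continue
        # with an args clause, the typed arguments must match exactly
        [ "$has_args" -eq 0 ] || [ "$rule_args" = "$typed_args" ] || continue
        case $action in
            permit) verdict=$mode ;;
            deny)   verdict=deny ;;
        esac
    done <<EOF
$DOAS_CONF
EOF
    printf '%s\n' "$verdict"
}

# Stand-alone demo: the same four invocations a user would type after "doas"
for try in '/usr/bin/id' 'id' '/bin/loginctl suspend' '/bin/loginctl poweroff'; do
    set -- $try
    printf 'doas %-24s -> %s\n' "$try" "$(doas_auth_needed "$@")"
done
```

Run as-is, the four sample invocations report nopass, persist, nopass and persist respectively: the bare id never matches the rule written with the full path and falls through to the persist rule, and the pinned args clause keeps loginctl poweroff behind a prompt while letting suspend through.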
So there you go: one small thing you need to do to make use of passwordless rules in doas. But I guess it's another layer of security (setting the appropriate location of the binary independently of
What other tricks of doas do you know? Let me know!
Source with reference here.