Klaus Zimmermann's Corner

Setting doas with passwordless authorization

Ever since I discovered that Alpine Linux was running a shim for the sudo command in the background, I wanted to see what the new kid on the block was all about: doas.

Initially, my fingers had some muscle memory typing 'sudo' for the past 12 years or so. But quite quickly I realized that there were not a lot of differences in the experience, and quite frankly I liked it. Recently, then, came another challenge: passwordless doas commands.

If you've dealt with a sudoers file before, you already know what a gargantuan tangle of syntax it is: that ALL=(ALL:ALL) alphabet soup has to be declared exactly right to fine-tune the permissions of each user of the machine. And sticking a NOPASSWD condition in there without first reading some online documentation is suicide. Yet, particularly here, doas shines with its simplicity:

# traditional 'sudo-like' behaviour with timer
permit persist :wheel

# loginctl suspend to work without password:
permit nopass :wheel as root cmd /bin/loginctl

And that's it. Two lines (the last one can be repeated for every command you want to allow) that define everything we need. There is only one tiny catch with it: invocation.

When setting up doas for passwordless authentication, specifying the full /path/to/executable in the rule is a must, as we saw above. But here's the thing: you must also invoke it as doas /path/to/executable for the rule you set to apply, because doas compares the cmd of a rule with the command string exactly as you typed it, not with whatever $PATH would resolve it to.

So, in short, you must call doas /bin/loginctl suspend if you want to suspend the machine passwordlessly. Otherwise the passwordless rule simply does not match and doas will demand authentication:

$ cat /etc/doas.conf
permit persist :wheel
permit nopass :wheel as root cmd /usr/bin/id

$ doas /usr/bin/id # calling the full path to the binary
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

$ doas $(which id) # 'which id' resolves to /usr/bin/id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

$ doas id # oops, no rule for only 'id'! Authentication required.
doas (vman@chunkyalp.home) password:
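To see exactly why doas id falls through to the persist rule while doas /usr/bin/id hits the nopass one, here is a small POSIX shell model of how doas matches rules. It is an added example for this post, not part of it and not code from doas itself; it reproduces the last-match-wins rule and the literal cmd comparison, and goes one step further than the post by also modelling the args keyword, which doas.conf offers to pin a nopass rule to a single subcommand such as suspend. SAMPLE_CONF, the user vman and the group wheel are constructed inputs; the target user given with "as root" is not modelled.

```shell
#!/bin/sh
# Constructed doas.conf used as sample input; it is not the author's file.
SAMPLE_CONF='permit persist :wheel
permit nopass :wheel as root cmd /usr/bin/id
permit nopass :wheel as root cmd /bin/loginctl args suspend
deny :wheel as root cmd /bin/loginctl args terminate-session'

# doas_match CONF USER GROUP COMMAND [ARG...]
# Model of doas rule matching: the last matching rule wins; "cmd" is compared
# literally with the command string typed after doas (so "id" never matches
# "cmd /usr/bin/id"); "args" restricts a rule to exactly those arguments.
# Prints "permit", "permit nopass" or "deny", like 'doas -C' does.
doas_match() {
    conf=$1; user=$2; group=$3; want_cmd=$4; shift 4
    want_args=$*
    result=deny
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line                        # split the rule into its keywords
        action=$1; shift
        case $1 in nopass|persist) opt=$1; shift ;; *) opt= ;; esac
        identity=$1; shift
        case $identity in                   # ":group" or a plain user name
            :*) [ "${identity#:}" = "$group" ] || continue ;;
            *)  [ "$identity" = "$user" ] || continue ;;
        esac
        if [ "$1" = as ]; then shift 2; fi  # skip the target user
        rule_cmd=; rule_args=; has_args=0
        if [ "$1" = cmd ]; then rule_cmd=$2; shift 2; fi
        if [ "$1" = args ]; then has_args=1; shift; rule_args=$*; fi
        # literal comparison, as doas does it: no $PATH lookup, no realpath
        if [ -n "$rule_cmd" ] && [ "$rule_cmd" != "$want_cmd" ]; then continue; fi
        if [ "$has_args" = 1 ] && [ "$rule_args" != "$want_args" ]; then continue; fi
        if [ "$action" = permit ] && [ "$opt" = nopass ]; then
            result='permit nopass'
        else
            result=$action
        fi
    done <<EOF
$conf
EOF
    printf '%s\n' "$result"
}

# Replay the session from the post, plus the args-restricted loginctl rule.
for invocation in '/usr/bin/id' 'id' '/bin/loginctl suspend' '/bin/loginctl reboot'; do
    printf 'doas %-24s -> %s\n' "$invocation" "$(doas_match "$SAMPLE_CONF" vman wheel $invocation)"
done
```

On a real system, doas -C /etc/doas.conf /usr/bin/id performs the same check against the live configuration, printing permit, permit nopass or deny without running the command.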

So there you go, one small thing that you need to do to make use of passwordless stuff in doas. But I guess it's another layer of security (setting the appropriate location of the binary independently of $PATH).

What other tricks of doas do you know? Let me know!

Source with reference here.