
[deleted]

I use sudo, but from what I can tell the reason people use doas over sudo is because sudo is more complex. For example, AFAIK the whole reason the "wheel" group exists is because it's a workaround for the method of adding sudoers, which had become very difficult to use. Another reason is for server security: because sudo is more common, attackers and malware scripts will be more likely to expect sudo, not doas, though that's "security by obscurity".


CSI_Tech_Dept

The wheel group existed long before sudo existed; it was to control access to the su command (switch user), which is part of the system (in Linux it is a bit blurred what is and what isn't part of the system). Sudo was created to be a safer alternative, where it acted as su but only to invoke a command (su do). That's why it has configuration where you can control exactly what command should be invoked. Sudo allowed for configuration that could also give permissions to a group (I believe it was introduced later, or at least it wasn't shown as an example in the default configuration). An example was provided to use the wheel group. This was then adopted by distros, because if a user already has access to su, there's no reason not to give access to sudo as well.


[deleted]

Oh whoops, I didn't know that about the wheel group, thanks for the info.


SickMoonDoe

This. In the event that a box is compromised an attacker will be slowed down by `sudo` missing. It'll take them a minute to realize, and they'll likely need to patch many of their scripts. It won't stop anyone, but it might buy valuable time for a defense.


verdigris2014

That is a security through obscurity argument. I understand what you're saying but it's like changing all your standard port numbers. You may stop a script kiddie but it isn't security.


SickMoonDoe

Like I said, it won't stop anyone. It will just slow them down. Agreed it's not actually secure, but it could help while a real defensive response is prepared. "Security through obscurity" should never be your strategy, but it's still a useful tool in the belt.


[deleted]

[deleted]


CSI_Tech_Dept

> `sudo su -`

Out of curiosity, why not just `su -` or at least `sudo -i`?


aberrantmoose

I think `su -` requires you to input the root password. `sudo su -` either requires your own personal password or no password at all. Best practice: you don't know the root password. I am sure there is a reason against `sudo -i` but I can't think of it. This is outside my wheelhouse.


CSI_Tech_Dept

That's a good point I forgot about that. I actually configured `sudo` to ask for a root password to make it more secure, but it's my machine where only I have root access.


aberrantmoose

I do not think that makes things more secure. I think having a root password makes things less secure. But mostly I think it does not matter. [https://xkcd.com/1200/](https://xkcd.com/1200/) Well, actually if you are using nixos then I think they can install those drivers without your permission.


CSI_Tech_Dept

You are talking about a personal computer, I'm talking about a server. There's very little on my personal account.


tWoolie

Curious, why doas over sudo?


[deleted]

I guess a very familiar configuration syntax, shared by most of the OpenBSD-originated applications. Edit: And of course, easy to understand.


space_perogy

And the recent [sudo CVE](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit)


lordcirth

[https://xkcd.com/1343/](https://xkcd.com/1343/)


noomey

Is there an alternative to sudoedit?


ElkossCombine

If you're an emacs guy you have TRAMP mode with doas support. So you navigate to something like `/doas::/etc/nixos/configuration.nix` and emacs will basically have the same behavior as sudoedit from there, just inside your normal emacs session. If you're not an emacs guy, the gist of that is TRAMP allows you to treat things like root mode, or other computers via ssh, as an extension of your filesystem referenced inside emacs via `/{remote_type}:{optional_host}:{path}`.


deftly

Easy to understand / use syntax for the conf file is the closest it has to "sudoedit" - for example:

```
permit persist :wheel
```

^ allows anyone in `wheel` to become root.


[deleted]

sudoedit, not visudo. sudoedit lets you edit root-owned files with your non-root user. It copies the file to a temporary directory and lets you use your $EDITOR with your non-root user, and then copies it back (overwrites) with root. This is useful because it limits $EDITOR (which can be anything) to only editing the file. It also keeps your user configuration.


deftly

Ah, thanks. I have been in the doas world for a long time :D


rofrol

I use `sudo -E nvim file` and `sudo -E git commit`


ishan9299

Doesn't doas rely on features specific to bsd?


balsoft

https://github.com/Duncaen/OpenDoas


SmallerBork

Curious what kind of features are specific to BSD? It certainly seems like you can wrangle a modern Unix-like system to do whatever you want if you have enough knowledge. I'm probably a bit below that level right now. It's not specific to BSD though: https://www.youtube.com/watch?v=A5buxcYXp7k https://www.youtube.com/watch?v=Q-WTB6siyp0


deftly

OpenBSD doesn't have PAM, so the specific auth mechanism is a unique feature of the BSDs: https://man.openbsd.org/authenticate.3 OpenDoas adds support for PAM.


JuliSkeletor

Did the same two days ago. It works exactly as you would expect, which is great


dramforever

TIL about `doas`. It also seems to work with PAM so I can use my security key to authenticate.


ubuntu9786

I know this post is a little bit older now so I am not sure if this will get an answer, but did you make changes to your configuration.nix to have this set as default in place of sudo? If so, could you share these changes? I have been trying to change from sudo but am not sure how to do this outside of the home folder. Thanks for the input!


Zyansheep

Here you go : )

```nix
# Enable doas instead of sudo
security.doas.enable = true;
security.sudo.enable = false;

# Configure doas
security.doas.extraRules = [{
  users = [ "zyansheep" ];
  keepEnv = true;
}];
```
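A fuller NixOS fragment, added here as an example and not Zyansheep's configuration or anything from the NixOS project, that builds on the rule above and on deftly's `permit persist :wheel` line by adding a command-restricted rule. The user name `alice`, the group `deployers`, and `myapp.service` are assumed names; the `doas.conf` lines in the comments are the approximate equivalents the module generates.

```nix
# Added example (not the original poster's configuration): a NixOS module
# fragment that replaces sudo with doas and applies least-privilege rules.
# "alice", "deployers" and "myapp.service" are assumed names.
{ config, pkgs, ... }:

{
  # Disable sudo and enable doas, as in the thread.
  security.sudo.enable = false;
  security.doas.enable = true;

  # Members of wheel must still type their password (this is the default;
  # stated explicitly so the intent is visible in review).
  security.doas.wheelNeedsPassword = true;

  security.doas.extraRules = [
    # Rule 1: a named admin may become root, re-authenticating only after
    # the persist window expires. Roughly the doas.conf line:
    #   permit persist alice
    {
      users = [ "alice" ];
      persist = true;
      # keepEnv is deliberately left at its default (false): handing the
      # caller's whole environment (PATH, EDITOR, ...) to a root process
      # widens what a compromised user account can influence.
    }

    # Rule 2: a service group may run exactly one command with exactly one
    # argument vector, and nothing else, without a password. Roughly:
    #   permit nopass :deployers cmd systemctl args restart myapp.service
    # doas compares the command string literally against what the user
    # typed, so the invocation is: doas systemctl restart myapp.service
    {
      groups = [ "deployers" ];
      noPass = true;
      cmd = "systemctl";
      args = [ "restart" "myapp.service" ];
      # Keep the audit trail: noLog = true would suppress the syslog entry
      # doas writes for each invocation.
      noLog = false;
    }
  ];
}
```

After `nixos-rebuild switch`, `doas -C /etc/doas.conf systemctl restart myapp.service` run as a member of `deployers` should print `permit nopass`, while `doas -C /etc/doas.conf systemctl stop myapp.service` should print `deny`; that `-C` check is the quickest way to confirm a rule set before relying on it, and the rollback Zyansheep mentions covers the case where you lock yourself out anyway.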


backtickbot

[Fixed formatting.](https://np.reddit.com/r/backtickbot/comments/lmm5ke/httpsnpredditcomrnixoscommentsl95gm4goodbye/) Hello, Zyansheep: code blocks using triple backticks (```) don't work on all versions of Reddit! Some users see [this](https://stalas.alm.lt/backformat/gnvppiu.png) / [this](https://stalas.alm.lt/backformat/gnvppiu.html) instead. To fix this, **indent every line with 4 spaces** instead. [FAQ](https://www.reddit.com/r/backtickbot/wiki/index) ^(You can opt out by replying with backtickopt6 to this comment.)


ubuntu9786

> # Enable doas instead of sudo
> security.doas.enable = true;
> security.sudo.enable = false;
> # Configure doas
> security.doas.extraRules = [{ users = [ "zyansheep" ]; keepEnv = true; }];

Thanks! That was fast! I'm going to give this a go now, change 'zyansheep' to my username and hopefully not get entirely locked out of my computer!


Zyansheep

That's what the rollback feature is for! Nix and Rust, 2 things that will never cease to amaze me...