TnSb/blog
1
0
Fork 0
Code Issues Releases Activity

init

Browse Source
This commit is contained in:
Joel Beckmeyer
2022-07-30 20:22:42 -04:00
commit d2d7ad9534
76 changed files with 5207 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

156
public/posts/hello_doas/index.html Normal file
View File

@@ -0,0 +1,156 @@
<!DOCTYPE html>
<html class="no-js" lang="en-us" prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#">
<head>
<meta charset="utf-8">
<base href="https://beckmeyer.us/">
<meta name="viewport" content="width=device-width">
<title>Hello doas &ndash; Joel Beckmeyer&#39;s Blog</title>
<link rel="stylesheet" href="/css/styles.css">
<link id="theme_css" rel="stylesheet" href="/css/themes/light.css">
</head>
<body>
<input class="show-hide-menu-input" style="display:none;" autocomplete="off" type="checkbox" id="toggle-1">
<div class="main">
<div class="header">
<div class="header-content">
<div class="title">
<a href="https://beckmeyer.us/">Joel Beckmeyer&#39;s Blog</a>
</div>
<div>
<div class="header-right">
<label id="show-hide-menu-label" class="clickable-header-label" for="toggle-1">
<img class="color-adapting-image" width="30" src="/images/hamburger.svg" alt="menu button">
</label>
</div>
<label class="overlay" for="toggle-1"></label>
<div class="dont-show">
Links:
</div>
<ul class="links">
<li><a href="/">Home</a></li>
<li><a href="/contact/">Contact</a></li>
<li><a href="/posts/">Posts</a></li>
</ul>
</div>
</div>
</div>
<div class="body">
<div class="body-content">
<div class="title-header">
<h1>Hello doas</h1>
<div class="title-header-date">
<time>Saturday, January 30, 2021</time>
</div>
</div>
<p>Today, I switched my workstation from <code>sudo</code> to <code>doas</code>. I&rsquo;m running Void Linux,
and the process was fairly easy.</p>
<p>First, I needed to figure out how to remove <code>sudo</code> (yes, I realize I could have
installed <code>doas</code> first, then removed <code>sudo</code>, but I decided to do it the hard way.)
As it turns out, the <a href="https://docs.voidlinux.org/xbps/advanced-usage.html#ignoring-packages">advanced usage section of the XBPS manual</a> details how to use the <code>ignorepkg</code> entry in xbps.d with nothing
other than this exact use case! I created the file <code>/etc/xbps.d/20-ignorepkg-sudo.conf</code> with contents</p>
<pre tabindex="0"><code>ignorepkg=sudo
</code></pre><p>and then ran <code>sudo xbps-remove sudo</code> (an ironic command).</p>
<p>After that, because I was stupid and removed <code>sudo</code> before I had set up <code>doas</code>,
I had to use plain-old <code>su</code> to change to the root user and run <code>xi opendoas</code>. I also
configured <code>doas</code> in <code>/etc/doas.conf</code> with the following:</p>
<pre tabindex="0"><code># see doas.conf(5) for configuration details
permit nopass keepenv :admin
</code></pre><p>I ran <code>groupadd admin</code>, <code>usermod -aG admin joel</code>, and then logged out so that my
user account would see the new group perms.</p>
<p>And just like that, I can now run <code>doas xbps-install ...</code> and all of my other commands,
just substituting <code>doas</code> for <code>sudo</code>.</p>
<p>The one thing I immediately missed was <code>sudoedit</code>. Before I accidentally tried
to use <code>sudo</code> for the first time, I had already accidentally tried to run <code>sudoedit</code>
<em>at least</em> 5 times. I had to fix this. I saw a discussion on Reddit where <a href="https://www.reddit.com/r/linux/comments/l6y7nv/is_doas_a_good_alternative_to_sudo/gl4hs42?utm_source=share&amp;utm_medium=web2x&amp;context=3">one user
suggested</a> writing a script to replace the <code>sudoedit</code> functionality.
I quickly starting hacking together something like that. I started with:</p>
<pre tabindex="0"><code>#!/bin/sh
mkdir -p /tmp/doasedit
doas cp $1 /tmp/doasedit/tmp_file
$EDITOR /tmp/doasedit/tmp_file
</code></pre><p>And quickly ran into my first road-block. The script is going to have to change
the permissions of that file before the user can edit it. But if the script changes
the permissions, how can I restore it to the original location with the right
permissions? <code>cp /tmp/doasedit/tmp_file $1</code> won&rsquo;t work. I thought about just using
cat to overwrite the file contents in-place (<code>cat /tmp/doasedit/tmp_file &gt; $1</code>).
That <em>could</em> create some issues if a program has the file open. Instead, a better option
is to create two copies of the file&ndash;one for editing, and one for preserving file
attributes:</p>
<pre tabindex="0"><code>#!/bin/sh
mkdir -p /tmp/doasedit
doas cp $1 /tmp/doasedit/edit
doas chown -R $USER:$USER /tmp/doasedit/edit
doas cp $1 /tmp/doasedit/file
$EDITOR /tmp/doasedit/edit
cat /tmp/doasedit/edit | doas tee /tmp/doasedit/file 1&gt;/dev/null
doas mv -f /tmp/doasedit/file $1
rm -rf /tmp/doasedit
</code></pre><p>Of course, the issue with this is that it only works with absolute paths.
I want to make it work for relative paths as well. I&rsquo;m going to take advantage
of <code>realpath</code>, which is part of the <code>coreutils</code> package from Void. As a bonus, this
will also take care of the edge case where the given file is a symlink (IIRC,
<code>sudoedit</code> didn&rsquo;t follow symlinks, so I may be diverging here):</p>
<pre tabindex="0"><code>#!/bin/sh
mkdir -p /tmp/doasedit
srcfile=&#34;$(realpath $1)&#34;
doas cp $srcfile /tmp/doasedit/edit
doas chown -R $USER:$USER /tmp/doasedit/edit
doas cp $srcfile /tmp/doasedit/file
$EDITOR /tmp/doasedit/edit
cat /tmp/doasedit/edit | doas tee /tmp/doasedit/file 1&gt;/dev/null
doas mv -f /tmp/doasedit/file $srcfile
rm -rf /tmp/doasedit
</code></pre><p>At this point, it works&hellip;okay-ish. It can only be used in one instance currently
since I hard-coded <code>/tmp/doasedit/file</code> and <code>/tmp/doasedit/edit</code>, but that&rsquo;s easily fixed:</p>
<pre tabindex="0"><code>#!/bin/sh
destfile_pfx=&#34;$(cat /dev/urandom | tr -cd &#39;a-f0-9&#39; | head -c 32)&#34;
while [ -d &#34;/tmp/doasedit/$destfile_pfx&#34; ]; do
destfile_pfx=&#34;$(cat /dev/urandom | tr -cd &#39;a-f0-9&#39; | head -c 32)&#34;
done
mkdir -p /tmp/doasedit/$destfile_pfx
srcfile=&#34;$(realpath $1)&#34;
doas cp $srcfile /tmp/doasedit/$destfile_pfx/edit
doas chown -R $USER:$USER /tmp/doasedit/$destfile_pfx/edit
doas cp $srcfile /tmp/doasedit/$destfile_pfx/file
$EDITOR /tmp/doasedit/$destfile_pfx/edit
cat /tmp/doasedit/$destfile_pfx/edit | doas tee /tmp/doasedit/$destfile_pfx/file 1&gt;/dev/null
doas mv -f /tmp/doasedit/$destfile_pfx/file $srcfile
rm -rf /tmp/doasedit/$destfile_pfx
</code></pre><p>At this point, the only thing missing is the check to see if the file was actually
edited:</p>
<pre tabindex="0"><code>...
cat /tmp/doasedit/$destfile_pfx/edit | doas tee /tmp/doasedit/$destfile_pfx/file 1&gt;/dev/null
if cmp -s &#34;/tmp/doasedit/$destfile_pfx/file&#34; &#34;$srcfile&#34;; then
echo &#34;Skipping write; no changes.&#34;
else
doas mv -f /tmp/doasedit/$destfile_pfx/file $srcfile
fi
...
</code></pre><p>I put this in a <a href="https://github.com/AluminumTank/doasedit">repo on GitHub</a> if
anyone is interested. I know that a major
weakness of this script is the number of times it calls <code>doas</code>, which could
break flows where password is required every time <code>doas</code> is run.</p>
</div>
</div>
</div>
<hr class="dont-show">
<div class="footer">
<p>Have any questions? Let me know on <a href="https://matrix.to/#/@joel:thebeckmeyers.xyz">Matrix</a>, or start a discussion on <a href="https://social.beckmeyer.us/TinfoilSubmarine">Fediverse</a>!</p>
</div>
</body>
</html>