157 lines
7.3 KiB
HTML
157 lines
7.3 KiB
HTML
<!DOCTYPE html>
|
|
<html class="no-js" lang="en-us" prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#">
|
|
<head>
|
|
<meta charset="utf-8">
|
|
<base href="https://beckmeyer.us/">
|
|
<meta name="viewport" content="width=device-width">
|
|
<title>Hello doas – Joel Beckmeyer's Blog</title>
|
|
<link rel="stylesheet" href="/css/styles.css">
|
|
<link id="theme_css" rel="stylesheet" href="/css/themes/light.css">
|
|
</head>
|
|
<body>
|
|
<input class="show-hide-menu-input" style="display:none;" autocomplete="off" type="checkbox" id="toggle-1">
|
|
<div class="main">
|
|
<div class="header">
|
|
<div class="header-content">
|
|
<div class="title">
|
|
<a href="https://beckmeyer.us/">Joel Beckmeyer's Blog</a>
|
|
</div>
|
|
<div>
|
|
<div class="header-right">
|
|
<label id="show-hide-menu-label" class="clickable-header-label" for="toggle-1">
|
|
<img class="color-adapting-image" width="30" src="/images/hamburger.svg" alt="menu button">
|
|
</label>
|
|
</div>
|
|
<label class="overlay" for="toggle-1"></label>
|
|
<div class="dont-show">
|
|
Links:
|
|
</div>
|
|
<ul class="links">
|
|
<li><a href="/">Home</a></li>
|
|
<li><a href="/contact/">Contact</a></li>
|
|
<li><a href="/posts/">Posts</a></li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="body">
|
|
<div class="body-content">
|
|
<div class="title-header">
|
|
<h1>Hello doas</h1>
|
|
<div class="title-header-date">
|
|
<time>Saturday, January 30, 2021</time>
|
|
</div>
|
|
</div>
|
|
|
|
<p>Today, I switched my workstation from <code>sudo</code> to <code>doas</code>. I’m running Void Linux,
|
|
and the process was fairly easy.</p>
|
|
<p>First, I needed to figure out how to remove <code>sudo</code> (yes, I realize I could have
|
|
installed <code>doas</code> first, then removed <code>sudo</code>, but I decided to do it the hard way.)
|
|
As it turns out, the <a href="https://docs.voidlinux.org/xbps/advanced-usage.html#ignoring-packages">advanced usage section of the XBPS manual</a> details how to use the <code>ignorepkg</code> entry in xbps.d with nothing
|
|
other than this exact use case! I created the file <code>/etc/xbps.d/20-ignorepkg-sudo.conf</code> with contents</p>
|
|
<pre tabindex="0"><code>ignorepkg=sudo
|
|
</code></pre><p>and then ran <code>sudo xbps-remove sudo</code> (an ironic command).</p>
|
|
<p>After that, because I was stupid and removed <code>sudo</code> before I had set up <code>doas</code>,
|
|
I had to use plain-old <code>su</code> to change to the root user and run <code>xi opendoas</code>. I also
|
|
configured <code>doas</code> in <code>/etc/doas.conf</code> with the following:</p>
|
|
<pre tabindex="0"><code># see doas.conf(5) for configuration details
|
|
permit nopass keepenv :admin
|
|
</code></pre><p>I ran <code>groupadd admin</code>, <code>usermod -aG admin joel</code>, and then logged out so that my
|
|
user account would see the new group perms.</p>
|
|
<p>And just like that, I can now run <code>doas xbps-install ...</code> and all of my other commands,
|
|
just substituting <code>doas</code> for <code>sudo</code>.</p>
|
|
<p>The one thing I immediately missed was <code>sudoedit</code>. Before I accidentally tried
|
|
to use <code>sudo</code> for the first time, I had already accidentally tried to run <code>sudoedit</code>
|
|
<em>at least</em> 5 times. I had to fix this. I saw a discussion on Reddit where <a href="https://www.reddit.com/r/linux/comments/l6y7nv/is_doas_a_good_alternative_to_sudo/gl4hs42?utm_source=share&utm_medium=web2x&context=3">one user
|
|
suggested</a> writing a script to replace the <code>sudoedit</code> functionality.
|
|
I quickly starting hacking together something like that. I started with:</p>
|
|
<pre tabindex="0"><code>#!/bin/sh
|
|
mkdir -p /tmp/doasedit
|
|
doas cp $1 /tmp/doasedit/tmp_file
|
|
$EDITOR /tmp/doasedit/tmp_file
|
|
</code></pre><p>And quickly ran into my first road-block. The script is going to have to change
|
|
the permissions of that file before the user can edit it. But if the script changes
|
|
the permissions, how can I restore it to the original location with the right
|
|
permissions? <code>cp /tmp/doasedit/tmp_file $1</code> won’t work. I thought about just using
|
|
cat to overwrite the file contents in-place (<code>cat /tmp/doasedit/tmp_file > $1</code>).
|
|
That <em>could</em> create some issues if a program has the file open. Instead, a better option
|
|
is to create two copies of the file–one for editing, and one for preserving file
|
|
attributes:</p>
|
|
<pre tabindex="0"><code>#!/bin/sh
|
|
mkdir -p /tmp/doasedit
|
|
doas cp $1 /tmp/doasedit/edit
|
|
doas chown -R $USER:$USER /tmp/doasedit/edit
|
|
doas cp $1 /tmp/doasedit/file
|
|
$EDITOR /tmp/doasedit/edit
|
|
cat /tmp/doasedit/edit | doas tee /tmp/doasedit/file 1>/dev/null
|
|
doas mv -f /tmp/doasedit/file $1
|
|
rm -rf /tmp/doasedit
|
|
</code></pre><p>Of course, the issue with this is that it only works with absolute paths.
|
|
I want to make it work for relative paths as well. I’m going to take advantage
|
|
of <code>realpath</code>, which is part of the <code>coreutils</code> package from Void. As a bonus, this
|
|
will also take care of the edge case where the given file is a symlink (IIRC,
|
|
<code>sudoedit</code> didn’t follow symlinks, so I may be diverging here):</p>
|
|
<pre tabindex="0"><code>#!/bin/sh
|
|
mkdir -p /tmp/doasedit
|
|
srcfile="$(realpath $1)"
|
|
|
|
doas cp $srcfile /tmp/doasedit/edit
|
|
doas chown -R $USER:$USER /tmp/doasedit/edit
|
|
doas cp $srcfile /tmp/doasedit/file
|
|
|
|
$EDITOR /tmp/doasedit/edit
|
|
|
|
cat /tmp/doasedit/edit | doas tee /tmp/doasedit/file 1>/dev/null
|
|
doas mv -f /tmp/doasedit/file $srcfile
|
|
|
|
rm -rf /tmp/doasedit
|
|
</code></pre><p>At this point, it works…okay-ish. It can only be used in one instance currently
|
|
since I hard-coded <code>/tmp/doasedit/file</code> and <code>/tmp/doasedit/edit</code>, but that’s easily fixed:</p>
|
|
<pre tabindex="0"><code>#!/bin/sh
|
|
|
|
destfile_pfx="$(cat /dev/urandom | tr -cd 'a-f0-9' | head -c 32)"
|
|
|
|
while [ -d "/tmp/doasedit/$destfile_pfx" ]; do
|
|
destfile_pfx="$(cat /dev/urandom | tr -cd 'a-f0-9' | head -c 32)"
|
|
done
|
|
|
|
mkdir -p /tmp/doasedit/$destfile_pfx
|
|
srcfile="$(realpath $1)"
|
|
|
|
doas cp $srcfile /tmp/doasedit/$destfile_pfx/edit
|
|
doas chown -R $USER:$USER /tmp/doasedit/$destfile_pfx/edit
|
|
doas cp $srcfile /tmp/doasedit/$destfile_pfx/file
|
|
|
|
$EDITOR /tmp/doasedit/$destfile_pfx/edit
|
|
|
|
cat /tmp/doasedit/$destfile_pfx/edit | doas tee /tmp/doasedit/$destfile_pfx/file 1>/dev/null
|
|
doas mv -f /tmp/doasedit/$destfile_pfx/file $srcfile
|
|
|
|
rm -rf /tmp/doasedit/$destfile_pfx
|
|
</code></pre><p>At this point, the only thing missing is the check to see if the file was actually
|
|
edited:</p>
|
|
<pre tabindex="0"><code>...
|
|
cat /tmp/doasedit/$destfile_pfx/edit | doas tee /tmp/doasedit/$destfile_pfx/file 1>/dev/null
|
|
|
|
if cmp -s "/tmp/doasedit/$destfile_pfx/file" "$srcfile"; then
|
|
echo "Skipping write; no changes."
|
|
else
|
|
doas mv -f /tmp/doasedit/$destfile_pfx/file $srcfile
|
|
fi
|
|
...
|
|
</code></pre><p>I put this in a <a href="https://github.com/AluminumTank/doasedit">repo on GitHub</a> if
|
|
anyone is interested. I know that a major
|
|
weakness of this script is the number of times it calls <code>doas</code>, which could
|
|
break flows where password is required every time <code>doas</code> is run.</p>
|
|
|
|
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<hr class="dont-show">
|
|
<div class="footer">
|
|
<p>Have any questions? Let me know on <a href="https://matrix.to/#/@joel:thebeckmeyers.xyz">Matrix</a>, or start a discussion on <a href="https://social.beckmeyer.us/TinfoilSubmarine">Fediverse</a>!</p>
|
|
</div>
|
|
</body>
|
|
</html>
|