Wednesday, October 31, 2018

Re: syntax error and doas.conf

On 10:42 Wed 31 Oct, Markus Rosjat wrote:
> Hi all,
>
> just something I noticed while trying out stuff with doas and my python
> scripts. If you make a mistake and have a syntax error in the doas.conf file
> you can easily lock yourself out from root privileges  :(
>
> consider a case where your root has no pw, you are the guy in the wheel
> group and of course you have only this line
>
> permit persist keepenv :wheel
>
> so far everything is peachy ok we are going to add a new line
>
> permit nopass foo as root cmt /root/scripts/dosomething
>
> and we save it ... oops, we made a mistake and would like to fix it, no worries we can
> ... or can't we?
>
> doas vi /etc/doas.conf
>
> doas: syntax error at line 15
>
>
> at this point you are a bit screwed because you can't edit the doas.conf, you
> can't reboot, your only way seems to be a switch off. Ok maybe there are other ways
> but hey I'm no pro, I'm a simple user and it's a vm so switch it off. Boot in
> single user mode, make a fsck because , mount the partitions, export the
> TERM var so you get a vi. Well seems we are back in business but no we can't
> edit /etc/doas.conf. Doesn't matter, we came so far, we simply copy the example
> to /etc and be done with it. At that point 5 to 10 min of your life is
> wasted with silly stuff but you may have learned at least one thing ... read
> again what you just wrote before you save it :)
>
>
> Have a nice day list :) and happy Halloween

Well, that's why we have sudoedit. With doas you are forced to

$ doas cp -p /etc/doas.conf /etc/doas.conf.new
$ doas vi /etc/doas.conf.new
$ doas -C /etc/doas.conf.new
$ doas mv /etc/doas.conf.new /etc/doas.conf
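
The four steps from the reply, wrapped so that a failed `doas -C` check stops the install. This is an added example, not part of the original thread; `doas_edit`, `PRIV` and `CHECK` are hypothetical names, not doas options.

```shell
#!/bin/sh
# Added example: guarded edit of doas.conf.
# doas_edit, PRIV and CHECK are hypothetical names chosen for this sketch.

: "${PRIV:=doas}"        # privilege wrapper used for cp, the editor and mv
: "${CHECK:=doas -C}"    # parses the given file; non-zero exit on a syntax error

# doas_edit [CONFIG]
# Edit a copy of CONFIG and install it only if it parses.
# The live file is not touched unless the check succeeds.
doas_edit() {
    conf=${1:-/etc/doas.conf}
    new=$conf.new

    # -p keeps owner and mode, so the installed file keeps its permissions.
    $PRIV cp -p "$conf" "$new" || return 1
    $PRIV ${EDITOR:-vi} "$new" || return 1

    if ! $CHECK "$new"; then
        # Candidate stays on disk for inspection; the live config is untouched.
        echo "doas_edit: $new failed the syntax check, $conf left unchanged" >&2
        return 1
    fi

    # Same directory, so mv is a rename: the live file is replaced in one step.
    $PRIV mv "$new" "$conf"
}
```

The wrapper only helps before the mistake: once the live file fails to parse, doas refuses every command, this one included.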
