doas and home directory of target user


doas and home directory of target user

Joel Rees-2
I have this rule in doas.conf:

    permit nopass user1 as user2

As user1, I try this at the command line:

    doas -u user2 whoami

and it tells me I am user2, as I expect. And

   doas -u user2 ls

tells me I don't have permission. I kind of expect this.

I'm looking for a way to do the equivalent of

    sudo -u user2 -s "cd; ls"

I don't see a way to do this with doas, at least not without a short
intermediary script, which script is not going to be able to do cd ~/.

Should I assume that doas is not intended to do this sort of thing?

(And therefore do things "right" by setting up ssh with public-key
authentication to do the user switch?)

(Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
)

Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.


Re: doas and home directory of target user

dan mclaughlin
On Tue, 22 Sep 2015 17:41:57 +0900 Joel Rees <[hidden email]> wrote:

> I have this rule in doas.conf:
>
>     permit nopass user1 as user2
>
> As user1, I try this at the command line:
>
>     doas -u user2 whoami
>
> and it tells me I am user2, as I expect. And
>
>    doas -u user2 ls
>
> tells me I don't have permission. I kind of expect this.
>
> I'm looking for a way to do the equivalent of
>
>     sudo -u user2 -s "cd; ls"
>
> I don't see a way to do this with doas, at least not without a short
> intermediary script, which script is not going to be able to do cd ~/.
>
> Should I assume that doas is not intended to do this sort of thing?
>
> (And therefore do things "right" by setting up ssh with public-key
> authentication to do the user switch?)
>
> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
> )
>
> Joel Rees
>
> Computer memory is just fancy paper,
> CPUs just fancy pens.
> All is a stream of text
> flowing from the past into the future.
>

if you are just trying to run multiple commands, you can do it under a
shell eg

$ doas -u user2 ksh -c "cd; ls"

although it may be better to do

$ doas -u user2 ksh -c "cd && ls"

so that you know it successfully changed dir.

if you are trying to 'cd' to user2's home, that's slightly more tricky,
since $HOME is maintained from the parent shell. there doesn't seem to
be a simple way to get a login shell, but there is a way using su.

in /etc/doas.conf

  permit nopass user1 as root cmd su args -l user2

and you can run:

  $ doas su -l user2

but that doesn't seem to let you run commands.


although, if you just want to log in as user2, you can use ssh (you don't
need chroot necessarily). you can just set up
/home/user2/.ssh/authorized_keys and do:

$ ssh user2@localhost

and you can run a command that way with no problem, and it's simpler:

$ ssh user2@localhost ls

if you are using firefox this would be better since you have -X (X11
security restrictions).

$ ssh -X user2@localhost firefox

if you do want to go down that route though see this:
https://marc.info/?l=openbsd-misc&m=142676615612510&w=2

you needn't go all the way, but the info is still good re ssh.


if you just want to run the command as the user as if they were logged
in, ssh is probably your best bet:

$ ssh user2@localhost ksh -c "cd; ls"

according to sudo(8) your original "cd; ls" would be passed to the
shell just as above. so basically that last command is the equivalent
of your 'sudo -u user2 -s "cd; ls"'.


Re: doas and home directory of target user

Benjamin Baier
In reply to this post by Joel Rees-2
On Tue, 22 Sep 2015 17:41:57 +0900
Joel Rees <[hidden email]> wrote:

> I have this rule in doas.conf:
>
>     permit nopass user1 as user2
>
> As user1, I try this at the command line:
>
>     doas -u user2 whoami
>
> and it tells me I am user2, as I expect. And
>
>    doas -u user2 ls
>
> tells me I don't have permission. I kind of expect this.
>
> I'm looking for a way to do the equivalent of
>
>     sudo -u user2 -s "cd; ls"

My two slightly different solutions

$ doas -u user2 -s << EOF
> cd /home/user2
> ls
> EOF

$ doas -u user2 env HOME=/home/user2 /bin/ksh << EOF
> cd
> ls
> EOF

Greetings ben
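
Dan's "cd && ls" and Ben's "env HOME=/home/user2" replies above combine into one reusable helper. The POSIX sh below is an added example written for this page, not code from the thread or from OpenBSD: it looks the target's home up in the passwd database instead of hard-coding it (the thread's user1 lives under /home/classU, not /home), overrides HOME via env(1) because the doas(1) discussed here keeps the caller's HOME, and chains with "&&" so a failed cd aborts the command rather than running it in the caller's directory. The user names, /bin/ksh, the optional passwd-file argument, the DOAS variable and the function names are assumptions. Newer doas(1) releases set HOME and USER to the target user's own values, which makes the override redundant but harmless.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from OpenBSD.
# Runs a command as another user inside that user's home directory via
# doas(1), combining the "cd && ls" and "env HOME=..." suggestions above.
# Assumptions: user names, /bin/ksh as the shell, and the optional passwd
# file argument (present so the lookup can be exercised against a
# constructed file instead of the live /etc/passwd).

# home_of USER [PASSWD_FILE]
# Print the home directory of USER from the passwd database; status 1 if
# USER has no entry. A lookup rather than a hard-coded /home/USER, so a
# non-standard layout such as /home/classU/user1 is handled.
home_of() {
    _user=$1
    _pw=${2:-/etc/passwd}
    awk -F: -v u="$_user" \
        '$1 == u { print $6; found = 1; exit } END { exit !found }' "$_pw"
}

# run_in_home USER CMD [PASSWD_FILE]
# Execute CMD (a ksh command string) as USER with the working directory set
# to USER's home. Status 2 if USER is unknown; otherwise the status of CMD.
#
# - The doas(1) in the 5.8 snapshot discussed above keeps the caller's HOME,
#   so HOME is set explicitly with env(1). Newer doas releases set HOME to
#   the target's own value; the override is then redundant but harmless.
# - "cd && CMD" rather than "cd; CMD": if the cd fails (missing or
#   unreadable home) CMD never runs in the caller's directory by mistake.
# - DOAS defaults to doas; point it at a shell function that prints its
#   arguments to see the exact argv without needing any privilege.
run_in_home() {
    _user=$1
    _cmd=$2
    _home=$(home_of "$_user" "${3:-/etc/passwd}") || {
        echo "run_in_home: no passwd entry for $_user" >&2
        return 2
    }
    "${DOAS:-doas}" -u "$_user" env HOME="$_home" /bin/ksh -c "cd && $_cmd"
}
```

With a rule such as "permit nopass user1 as user2" in doas.conf, "run_in_home user2 ls" is the doas spelling of the "sudo -u user2 -s "cd; ls"" the thread started from. Note that CMD is handed to ksh as a string, so it is subject to shell parsing; pass only text you control. For a dry run, define "fake() { echo "$*"; }" and call "DOAS=fake run_in_home user2 ls" to print the argv that doas would receive.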


Re: doas and home directory of target user

Joel Rees-2
In reply to this post by Joel Rees-2
Thank you, Dan, Ben, and Frank. I see that I have left out some
important information:

user2 is specified as a non-login class of user in /etc/login.conf,
auth=reject: shell=/sbin/nologin, and has a default shell of
/sbin/nologin in /etc/passwd.

On Tue, Sep 22, 2015 at 5:41 PM, Joel Rees <[hidden email]> wrote:

> I have this rule in doas.conf:
>
>     permit nopass user1 as user2
>
> As user1, I try this at the command line:
>
>     doas -u user2 whoami
>
> and it tells me I am user2, as I expect. And
>
>    doas -u user2 ls
>
> tells me I don't have permission. I kind of expect this.
>
> I'm looking for a way to do the equivalent of
>
>     sudo -u user2 -s "cd; ls"
>
> I don't see a way to do this with doas, at least not without a short
> intermediary script, which script is not going to be able to do cd ~/.
>
> Should I assume that doas is not intended to do this sort of thing?

With this intermediary script:

    #! /bin/sh
    export USER=user2
    . /etc/ksh.kshrc
    printenv
    ls

I get

    MAIL=/var/mail/user1
    LOGNAME=user1
    HOME=/home/classU/user1
    PATH=/home/classU/user1/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
    DISPLAY=:0.0
    TERM=xterm
    USER=user2
    ls: .: Permission denied

Which, I guess, does surprise me.

> (And therefore [I should] do things "right" by setting up ssh with public-key
> authentication to do the user switch?)

Which would also require enabling login for user2. (I tried this
without thinking yesterday.)

> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
> )

Would this also require enabling login?

--
Joel Rees

Be careful when you look at conspiracy.
Arm yourself with knowledge of yourself, as well:
http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html


Re: doas and home directory of target user

Joel Rees-2
Ahem. Dmesg below. (Sorry about that.)

On Wed, Sep 23, 2015 at 8:29 AM, Joel Rees <[hidden email]> wrote:

> Thank you, Dan, Ben, and Frank. I see that I have left out some
> important information:
>
> user2 is specified as a non-login class of user in /etc/login.conf,
> auth=reject: shell=/sbin/nologin, and has a default shell of
> /sbin/nologin in /etc/passwd .

--
Joel Rees

-----------------------------------
OpenBSD 5.8-current (GENERIC.MP) #1367: Sat Sep 12 14:59:55 MDT 2015
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1835790336 (1750MB)
avail mem = 1776250880 (1693MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP UEFI HPET APIC MCFG ASF! BOOT FPDT MSDM SSDT
SSDT SSDT SSDT SSDT
acpi0: wakeup devices GPP0(S5) GPP1(S4) OHC1(S3) OHC2(S3) OHC3(S3)
EHC1(S3) EHC2(S3) EHC3(S3) XHC0(S4) AWAD(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD A4-1200 APU with Radeon(TM) HD Graphics, 998.27 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 1MB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD A4-1200 APU with Radeon(TM) HD Graphics, 998.13 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 1MB
64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 21, 24 pins
ioapic1 at mainbus0: apid 5 pa 0xfec01000, version 21, 32 pins
ioapic1: misconfigured as apic 0, remapped to apid 5
acpimcfg0 at acpi0 addr 0xf8000000, bus 0-63
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (GPP0)
acpiprt2 at acpi0: bus 5 (GPP1)
acpiprt3 at acpi0: bus -1 (GPP2)
acpiprt4 at acpi0: bus -1 (GPP3)
acpiprt5 at acpi0: bus -1 (GFX_)
acpiec0 at acpi0
acpicpu0 at acpi0: !C2(0@400 io@0x414), C1(@1 halt!), PSS
acpicpu1 at acpi0: !C2(0@400 io@0x414), C1(@1 halt!), PSS
acpipwrres0 at acpi0: FN00, resource for FAN0
acpitz0 at acpi0: critical temperature is 118 degC
acpibtn0 at acpi0: PWRB
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: BAT0 model "Primary" serial 43346 03/09/2014 type
LIon oem "Hewlett-Packard"
acpibtn1 at acpi0: LID_
acpivideo0 at acpi0: VGA_
acpivideo1 at acpi0: VGA_
cpu0: 998 MHz: speeds: 1000 900 800 700 600 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "AMD AMD64 16h Host" rev 0x00
vga1 at pci0 dev 1 function 0 vendor "ATI", unknown product 0x9839 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 1 function 1 vendor "ATI", unknown product 0x9840
rev 0x00: msi
azalia0: no supported codecs
pchb1 at pci0 dev 2 function 0 vendor "AMD", unknown product 0x1538 rev 0x00
ppb0 at pci0 dev 2 function 2 "AMD AMD64 16h PCIE" rev 0x00: msi
pci1 at ppb0 bus 1
rtsx0 at pci1 dev 0 function 0 "Realtek RTL8402 Card Reader" rev 0x01: msi
sdmmc0 at rtsx0
re0 at pci1 dev 0 function 2 "Realtek 8101E" rev 0x06: RTL8402
(0x4400), msi, address 14:58:d0:06:96:26
rlphy0 at re0 phy 7: RTL8201E 10/100 PHY, rev. 2
ppb1 at pci0 dev 2 function 3 "AMD AMD64 16h PCIE" rev 0x00: msi
pci2 at ppb1 bus 5
"Ralink RT3290" rev 0x00 at pci2 dev 0 function 0 not configured
"Ralink Bluetooth" rev 0x00 at pci2 dev 0 function 1 not configured
xhci0 at pci0 dev 16 function 0 vendor "AMD", unknown product 0x7814
rev 0x01: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 "AMD xHCI root hub" rev 3.00/1.00 addr 1
ahci0 at pci0 dev 17 function 0 "AMD Hudson-2 SATA" rev 0x00: apic 0
int 19, AHCI 1.3
ahci0: port 0: 6.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, TOSHIBA MQ01ABF0, AM0P> SCSI3
0/direct fixed naa.50000395a340583a
sd0: 305245MB, 512 bytes/sector, 625142448 sectors
ohci0 at pci0 dev 18 function 0 "AMD Hudson-2 USB" rev 0x39: apic 0
int 18, version 1.0, legacy support
ehci0 at pci0 dev 18 function 2 "AMD Hudson-2 USB2" rev 0x39: apic 0 int 17
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 "AMD EHCI root hub" rev 2.00/1.00 addr 1
ohci1 at pci0 dev 19 function 0 "AMD Hudson-2 USB" rev 0x39: apic 0
int 18, version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 "AMD Hudson-2 USB2" rev 0x39: apic 0 int 17
usb2 at ehci1: USB revision 2.0
uhub2 at usb2 "AMD EHCI root hub" rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "AMD Hudson-2 SMBus" rev 0x3a: polling
iic0 at piixpm0
azalia1 at pci0 dev 20 function 2 "AMD Hudson-2 HD Audio" rev 0x02: msi
azalia1: codecs: Realtek ALC269
audio0 at azalia1
pcib0 at pci0 dev 20 function 3 "AMD Hudson-2 LPC" rev 0x11
sdhc0 at pci0 dev 20 function 7 vendor "AMD", unknown product 0x7813
rev 0x01: apic 0 int 16
sdhc0 at 0x10: can't map registers
pchb2 at pci0 dev 24 function 0 "AMD AMD64 16h Link Cfg" rev 0x00
pchb3 at pci0 dev 24 function 1 "AMD AMD64 16h Address Map" rev 0x00
pchb4 at pci0 dev 24 function 2 "AMD AMD64 16h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD AMD64 16h Misc Cfg" rev 0x00
pchb5 at pci0 dev 24 function 4 "AMD AMD64 16h CPU Power" rev 0x00
pchb6 at pci0 dev 24 function 5 vendor "AMD", unknown product 0x1535 rev 0x00
usb3 at ohci0: USB revision 1.0
uhub3 at usb3 "AMD OHCI root hub" rev 1.00/1.00 addr 1
usb4 at ohci1: USB revision 1.0
uhub4 at usb4 "AMD OHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pms0: Elantech Touchpad, version 3, firmware 0x354f00
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
uvideo0 at uhub1 port 4 configuration 1 interface 0 "Generic HP
Webcam-50" rev 2.00/5.26 addr 2
video0 at uvideo0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (c910159e72666593.a) swap on sd0b dump on sd0b
hw.sensors.acpitz0.temp0=64.00 degC (zone temperature)
hw.sensors.acpiac0.indicator0=On (power supply)
hw.sensors.acpibat0.volt0=10.80 VDC (voltage)
hw.sensors.acpibat0.volt1=12.49 VDC (current voltage)
hw.sensors.acpibat0.current0=0.00 A (rate)
hw.sensors.acpibat0.amphour0=2.22 Ah (last full capacity)
hw.sensors.acpibat0.amphour1=0.32 Ah (warning capacity)
hw.sensors.acpibat0.amphour2=0.21 Ah (low capacity)
hw.sensors.acpibat0.amphour3=2.22 Ah (remaining capacity), OK
hw.sensors.acpibat0.amphour4=2.22 Ah (design capacity)
hw.sensors.acpibat0.raw0=0 (battery full), OK
hw.sensors.acpibtn1.indicator0=On (lid open)
hw.sensors.km0.temp0=64.25 degC


Re: doas and home directory of target user

Joel Rees-2
In reply to this post by Joel Rees-2
At any rate, I have convinced myself that doas follows the manual page
in preserving the calling user's key environment variables, including
HOME and USER.

I had not grasped that this was considered desired behavior, so did
not initially read it that way. I still think the man page is a little
confusing, but do not at the moment have any suggestions for
clarifying things. (Now I'm not sure what doas is for, other than for
running build scripts more safely, which I think it will be much more
reliable at than sudo.)

For the purpose below (allowing running firefox as a non-login user),
I've installed sudo, and note that sudo -s now passes quoted strings
as if the string itself were the command, such that scripts that were

    sudo -H -u user2 -s "cd; command"

must now explicitly say sh -c, as

    sudo -H -u user2 sh -c "cd; command"

For the larger purpose, providing a reliable sandbox, I'm going to see
whether chroot would allow me to use a non-login user as proxy user
for the stupid (pardon my French) bloated web browsers.

On Wed, Sep 23, 2015 at 8:29 AM, Joel Rees <[hidden email]> wrote:

> Thank you, Dan, Ben, and Frank. I see that I have left out some
> important information:
>
> user2 is specified as a non-login class of user in /etc/login.conf,
> auth=reject: shell=/sbin/nologin, and has a default shell of
> /sbin/nologin in /etc/passwd .

--
Joel Rees

Be careful when you look at conspiracy.
Arm yourself with knowledge of yourself, as well:
http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html


Re: doas and home directory of target user

dan mclaughlin
In reply to this post by Joel Rees-2
On Fri, 25 Sep 2015 02:09:40 +0900 Joel Rees <[hidden email]> wrote:

> At any rate, I have convinced myself that doas follows the manual page
> in preserving the calling user's key environment variables, including
> HOME and USER.
>
> I had not grasped that this was considered desired behavior, so did
> not initially read it that way. I still think the man page is a little
> confusing, but do not at the moment have any suggestions for
> clarifying things. (Now I'm not sure what doas is for, other than for
> running build scripts more safely, which I think it will be much more
> reliable at than sudo.)
>
> For the purpose below (allowing running firefox as a non-login user),
> I've installed sudo, and note that sudo -s now passes quoted strings
> as if the string itself were the command, such that scripts that were
>
>     sudo -H -u user2 -s "cd; command"
>
> must now explicitly say sh -c, as
>
>     sudo -H -u user2 sh -c "cd; command"
>
> For the larger purpose, providing a reliable sandbox, I'm going to see
> whether chroot would allow me to use a non-login user as proxy user
> for the stupid (pardon my French) bloated web browsers.

i had a thread 'isolating untrusted programs in ssh chroot jails'
(https://marc.info/?l=openbsd-misc&m=142676615612510&w=2) that covers
this in detail.

David Coppa reported that it was possible to do for firefox.

you need a user with a shell for this to work; however, you can disable
password authentication. from passwd(5):

  Similarly, login accounts not allowing password authentication but
  allowing other authentication methods, for example public key
  authentication, conventionally have 13 asterisks in the password field.

so you can ensure that a local key is necessary to log in. and you can
ensure that it only runs firefox with the ForceCommand directive (it's
all in that thread, and more in the linked threads).
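
Dan's ssh route rests on three pieces: user2 keeps a real shell, the password field carries the 13-asterisk marker from passwd(5) so only a key can log in, and a ForceCommand pins the session to a single program. The POSIX sh below is an added example for this page, not code from the thread or from OpenSSH: it classifies a passwd line by its password field, emits the sshd_config(5) Match block for a key-only, single-program account, and emits the equivalent per-key authorized_keys option string. The user name, the firefox path, the public key and the exact set of Match directives are assumptions; the classifier follows the passwd(5) text quoted above for the 13-asterisk and lone-asterisk cases and additionally recognises the "!" marker some other systems use.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from OpenSSH.
# Helpers for the ssh-based variant: a local account that has a shell but
# accepts only public-key authentication, pinned to one program.
# Assumptions: the user name, the program path, the constructed public key,
# and the particular sshd_config(5) directives chosen below.

KEYONLY='*************'   # 13 asterisks: passwd(5) marker for "no password auth, other methods allowed"

# passwd_auth_mode PASSWD_LINE
# Classify one passwd(5) line by its password field. Prints one of:
#   keyonly   13 asterisks: password login refused, key login possible
#   locked    "*" (passwd(5) convention) or "!" (used on some other systems)
#   none      empty field: no password required at all
#   password  a password hash is present
passwd_auth_mode() {
    _field=$(printf '%s\n' "$1" | cut -d: -f2)
    case $_field in
        "$KEYONLY") echo keyonly ;;
        '')         echo none ;;
        \**|\!*)    echo locked ;;
        *)          echo password ;;
    esac
}

# sshd_match_block USER PROGRAM
# Emit a Match block that turns USER into a key-only, single-program
# account. Append it to the end of /etc/ssh/sshd_config (Match blocks must
# follow the global settings) and reload sshd. X11Forwarding stays on so
# "ssh -X user@localhost" can display PROGRAM's window; forwarding and a
# pty, which the program does not need, are switched off.
sshd_match_block() {
    cat <<EOF
Match User $1
    PubkeyAuthentication yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    X11Forwarding yes
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTTY no
    ForceCommand $2
EOF
}

# authorized_keys_line PROGRAM PUBKEY
# Per-key counterpart of ForceCommand for ~USER/.ssh/authorized_keys:
# this key may only run PROGRAM, without port/agent forwarding or a pty.
# Belt and braces: the Match block above already enforces the same policy
# for every key of USER, this pins it to the individual key as well.
authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}
```

A quick audit of an existing account is "passwd_auth_mode "$(grep '^user2:' /etc/master.passwd)"" run as root (the hash lives in master.passwd, /etc/passwd shows only "*"); the expected answer for Dan's setup is "keyonly". sshd -t after appending the Match block confirms the directives parse on the installed OpenSSH.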

>
> On Wed, Sep 23, 2015 at 8:29 AM, Joel Rees <[hidden email]> wrote:
> > Thank you, Dan, Ben, and Frank. I see that I have left out some
> > important information:
> >
> > user2 is specified as a non-login class of user in /etc/login.conf,
> > auth=reject: shell=/sbin/nologin, and has a default shell of
> > /sbin/nologin in /etc/passwd .
> >
> > On Tue, Sep 22, 2015 at 5:41 PM, Joel Rees <[hidden email]> wrote:
> >> I have this rule in doas.conf:
> >>
> >>     permit nopass user1 as user2
> >>
> >> As user1, I try this at the command line:
> >>
> >>     doas -u user2 whoami
> >>
> >> and it tells me I am user2, as I expect. And
> >>
> >>    doas -u user2 ls
> >>
> >> tells me I don't have permission. I kind of expect this.
> >>
> >> I'm looking for a way to do the equivalent of
> >>
> >>     sudo -u user2 -s "cd; ls"
> >>
> >> I don't see a way to do this with doas, at least not without a short
> >> intermediary script, which script is not going to be able to do cd ~/.
> >>
> >> Should I assume that doas is not intended to do this sort of thing?
> >
> > With this intermediary script:
> >
> >     #! /bin/sh
> >     export USER=user2
> >     . /etc/ksh.kshrc
> >     printenv
> >     ls
> >
> > I get
> >
> >     MAIL=/var/mail/user1
> >     LOGNAME=user1
> >     HOME=/home/classU/user1
> >     PATH=/home/classU/user1/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
> >     DISPLAY=:0.0
> >     TERM=xterm
> >     USER=user2
> >     ls: .: Permission denied
> >
> > Which, I guess, does surprise me.
> >
> >> (And therefore [I should] do things "right" by setting up ssh with public-key
> >> authentication to do the user switch?)
> >
> > Which would also require enabling login for user2. (I tried this
> > without thinking yesterday.)
> >
> >> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
> >> )
> >
> > Would this also require enabling login?
> >
> > --
> > Joel Rees
> >
> > Be careful when you look at conspiracy.
> > Arm yourself with knowledge of yourself, as well:
> > http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html
>
>
>
> --
> Joel Rees
>
> Be careful when you look at conspiracy.
> Arm yourself with knowledge of yourself, as well:
> http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html