syntax error and doas.conf


syntax error and doas.conf

Markus Rosjat
Hi all,

just something I noticed while trying out stuff with doas and my Python
scripts. If you make a mistake and have a syntax error in the doas.conf
file you can easily lock yourself out of root privileges  :(

consider a case where your root has no pw, you are the guy in the
wheel group and of course you have only this line

permit persist keepenv :wheel

so far everything is peachy ok, we are going to add a new line

permit nopass foo as root cmt /root/scripts/dosomething

and we save it ... oops, we made a mistake and would like to fix it, no worries, we
can ... or can't we?

doas vi /etc/doas.conf

doas: syntax error at line 15


at this point you are a bit screwed because you can't edit the doas.conf,
you can't reboot, your only way seems to be a switch off. Ok, maybe there are
other ways but hey, I'm no pro, I'm a simple user and it's a VM, so switch it
off. Boot in single user mode, make a fsck because , mount the
partitions, export the TERM var so you get a vi. Well, seems we are back
in business, but no, we can't edit /etc/doas.conf. Doesn't matter, we came so
far, we simply copy the example to /etc and be done with it. At that
point 5 to 10 min of your life is wasted with silly stuff but you may
have learned at least one thing ... read again what you just wrote before
you save it :)


Have a nice day, list :) and happy Halloween

--
Markus Rosjat    fon: +49 351 8107224    mail: [hidden email]

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT


Re: syntax error and doas.conf

Consus-2
On 10:42 Wed 31 Oct, Markus Rosjat wrote:

> Hi all,
>
> just something I noticed while trying out stuff with doas and my Python
> scripts. If you make a mistake and have a syntax error in the doas.conf file
> you can easily lock yourself out of root privileges  :(
>
> consider a case where your root has no pw, you are the guy in the wheel
> group and of course you have only this line
>
> permit persist keepenv :wheel
>
> so far everything is peachy ok, we are going to add a new line
>
> permit nopass foo as root cmt /root/scripts/dosomething
>
> and we save it ... oops, we made a mistake and would like to fix it, no worries, we can
> ... or can't we?
>
> doas vi /etc/doas.conf
>
> doas: syntax error at line 15
>
>
> at this point you are a bit screwed because you can't edit the doas.conf, you
> can't reboot, your only way seems to be a switch off. Ok, maybe there are other ways
> but hey, I'm no pro, I'm a simple user and it's a VM, so switch it off. Boot in
> single user mode, make a fsck because , mount the partitions, export the
> TERM var so you get a vi. Well, seems we are back in business, but no, we can't
> edit /etc/doas.conf. Doesn't matter, we came so far, we simply copy the example
> to /etc and be done with it. At that point 5 to 10 min of your life is
> wasted with silly stuff but you may have learned at least one thing ... read
> again what you just wrote before you save it :)
>
>
> Have a nice day, list :) and happy Halloween

Well, that's why we have sudoedit. With doas you are forced to

        $ doas cp -p /etc/doas.conf /etc/doas.conf.new
        $ doas vi /etc/doas.conf.new
        $ doas -C /etc/doas.conf.new
        $ doas mv /etc/doas.conf.new /etc/doas.conf
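The copy/edit/check/move sequence above as a small script, added here as an example and not taken from the thread: the candidate file is only moved into place when the syntax check accepts it, so a typo never reaches the live /etc/doas.conf. The DOAS_CHECK variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: install a new doas.conf only if
# the syntax check accepts it, mirroring "cp -p / vi / doas -C / mv".
# DOAS_CHECK is an assumption for this example: the command that
# validates a candidate file. It defaults to "doas -C" and is expanded
# unquoted on purpose so it may carry its own arguments.
: "${DOAS_CHECK:=doas -C}"

# safe_install_doas_conf CANDIDATE [TARGET]
# Returns 0 and replaces TARGET (default /etc/doas.conf) when CANDIDATE
# passes the check; otherwise leaves TARGET untouched and returns 1.
safe_install_doas_conf() {
    candidate=$1
    target=${2:-/etc/doas.conf}
    if ! $DOAS_CHECK "$candidate"; then
        echo "refusing to install $candidate: syntax check failed" >&2
        return 1
    fi
    # keep the last known-good config next to the new one
    [ -f "$target" ] && cp -p "$target" "$target.bak"
    mv "$candidate" "$target"
}

# edit_doas_conf [TARGET]
# Copy the live file, edit the copy in $EDITOR, and loop until the copy
# passes the check or the user gives up; the live file is never edited.
edit_doas_conf() {
    target=${1:-/etc/doas.conf}
    tmp="$target.new"
    cp -p "$target" "$tmp"
    while :; do
        ${EDITOR:-vi} "$tmp"
        safe_install_doas_conf "$tmp" "$target" && return 0
        printf 'fix it and retry? [Y/n] '
        read ans
        case $ans in n|N) rm -f "$tmp"; return 1;; esac
    done
}
```

Run it as root (or via doas) since it writes under /etc; a rejected candidate stays in place as doas.conf.new so the edit is not lost.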


Re: syntax error and doas.conf

Markus Rosjat
Hi


On 31.10.2018 at 10:52, Consus wrote:
> Well, that's why we have sudoedit. With doas you are forced to
>
> $ doas cp -p /etc/doas.conf /etc/doas.conf.new
> $ doas vi /etc/doas.conf.new
> $ doas -C /etc/doas.conf.new
> $ doas mv /etc/doas.conf.new /etc/doas.conf
>
yeah, and by default there is no sudo package installed, or is it (at
least it isn't in the 6.x releases if I remember right)?!  Just try a
sudoedit on a fresh install and see if it works. As far as I understand
the doas approach, it's there to provide a simple way of achieving things like

sudo /do/this/cmd

because 99% of the time you only need root priv to do something like
that. So some very nice guy, I think his name is Ted, thought "hey, let's
simplify it and skip all the heavy stuff that sudo brings along". At
least I imagine he thought something like that :)

regards



Re: syntax error and doas.conf

Bruno Flueckiger
In reply to this post by Markus Rosjat
On 31.10.18 10:42, Markus Rosjat wrote:

> Hi all,
>
> just something I noticed while trying out stuff with doas and my Python
> scripts. If you make a mistake and have a syntax error in the doas.conf
> file you can easily lock yourself out of root privileges  :(
>
> consider a case where your root has no pw, you are the guy in the
> wheel group and of course you have only this line
>
> permit persist keepenv :wheel
>
> so far everything is peachy ok, we are going to add a new line
>
> permit nopass foo as root cmt /root/scripts/dosomething
>
> and we save it ... oops, we made a mistake and would like to fix it, no worries, we
> can ... or can't we?
>
> doas vi /etc/doas.conf
>
> doas: syntax error at line 15
>
>
> at this point you are a bit screwed because you can't edit the doas.conf,
> you can't reboot, your only way seems to be a switch off. Ok, maybe there are
> other ways but hey, I'm no pro, I'm a simple user and it's a VM, so switch it
> off. Boot in single user mode, make a fsck because , mount the
> partitions, export the TERM var so you get a vi. Well, seems we are back
> in business, but no, we can't edit /etc/doas.conf. Doesn't matter, we came so
> far, we simply copy the example to /etc and be done with it. At that
> point 5 to 10 min of your life is wasted with silly stuff but you may
> have learned at least one thing ... read again what you just wrote before
> you save it :)
>
>
> Have a nice day, list :) and happy Halloween
>

Losing ten minutes of time because of a mistake you've made all by yourself
made you write this useless mail. Imagine how many times you could have
read the man page of doas(8) and found out that there is the parameter -C
to check the config file.

Cheers,
Bruno

--
Don't trust a man wearing a better suit than your own


Re: syntax error and doas.conf

Markus Rosjat
Hi Bruno,


On 31.10.2018 at 12:23, Bruno Flueckiger wrote:
> On 31.10.18 10:42, Markus Rosjat wrote:
> Losing ten minutes of time because of a mistake you've made all by yourself
> made you write this useless mail. Imagine how many times you could have
> read the man page of doas(8) and found out that there is the parameter -C
> to check the config file.
>
> Cheers,
> Bruno
>
thank you for the attitude!

Now I learned even more: it's better not to share mistakes and keep them
to yourself so the real pros are not bored by your findings because they
are too simple to be made.

I appreciate it!



Re: syntax error and doas.conf

Stuart Henderson
In reply to this post by Markus Rosjat
On 2018-10-31, Markus Rosjat <[hidden email]> wrote:
> just something I noticed while trying out stuff with doas and my Python
> scripts. If you make a mistake and have a syntax error in the doas.conf
> file you can easily lock yourself out of root privileges  :(

If you aren't sure about a change you're about to make, keep a spare
root shell open (or at least keep the editor open - save the file
but don't exit - and test on another terminal).


Re: syntax error and doas.conf

Kim Zeitler
In reply to this post by Markus Rosjat
On 10/31/18 10:42 AM, Markus Rosjat wrote:
...
> doas vi /etc/doas.conf
# Edit in vi
:w
:! doas -C %
<if error correct and repeat>
<if OK :q>

You don't even have to leave your editor.



Re: syntax error and doas.conf

Solene Rapenne
In reply to this post by Stuart Henderson
Stuart Henderson <[hidden email]> wrote:
> On 2018-10-31, Markus Rosjat <[hidden email]> wrote:
> > just something I noticed while trying out stuff with doas and my Python
> > scripts. If you make a mistake and have a syntax error in the doas.conf
> > file you can easily lock yourself out of root privileges  :(
>
> If you aren't sure about a change you're about to make, keep a spare
> root shell open (or at least keep the editor open - save the file
> but don't exit - and test on another terminal).

When editing files, most of the time I go back to the shell using ^Z (the editor
goes into the background), I do what's related to the file (try doas, restart httpd until
it works, etc.). And I use fg when I need to come back to the editor.

When playing with doas or sshd, I would recommend for doas to keep a root shell
open in case you screw up the file. And for sshd, when restarting it on a remote
machine, try to connect to it before exiting your current ssh session.


Re: syntax error and doas.conf

Allan Streib-2
In reply to this post by Stuart Henderson
Stuart Henderson <[hidden email]> writes:

> If you aren't sure about a change you're about to make, keep a spare
> root shell open (or at least keep the editor open - save the file
> but don't exit - and test on another terminal).

I would add that this is not really OpenBSD-specific. Yes there's no
direct analogue to visudo(8) but it's perfectly possible to lock
yourself out of sudo access even with a correctly formatted /etc/sudoers
file, and visudo will happily let you shoot yourself in the foot that
way. With the sudoers(5) man page clocking in at about 20x the size of
the doas.conf(5) page, it's probably quite likely.

Allan


Re: syntax error and doas.conf

Jacqueline Jolicoeur
In reply to this post by Markus Rosjat
On Oct 31 10:42, Markus Rosjat wrote:
> at this point you are a bit screwed because you can't edit the doas.conf, you
> can't reboot, your only way seems to be a switch off. Ok, maybe there are other ways
> but hey, I'm no pro, I'm a simple user and it's a VM, so switch it off. Boot in
> single user mode, make a fsck because , mount the partitions, export the
> TERM var so you get a vi. Well, seems we are back in business, but no, we can't
> edit /etc/doas.conf. Doesn't matter, we came so far, we simply copy the example
> to /etc and be done with it. At that point 5 to 10 min of your life is
> wasted with silly stuff but you may have learned at least one thing ... read
> again what you just wrote before you save it :)

From my experience, taking some extra time to learn ed(1), for
scenarios where you boot into single user mode, can really save
time.