💾 Archived View for kota.nz › notes › doas captured on 2023-01-29 at 02:48:00. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2022-06-03)
-=-=-=-=-=-=-
2021/01/31
doas is a simple and easy to configure replacement for sudo. It's built by the OpenBSD developers (same ones who make OpenSSH, OpenNTPD, and LibreSSL), so you can be quite confident in its security/simplicity standards. On a basic level, it allows for running a command as a different user. Typically, that means allowing an "unprivileged" user to run "privileged" commands such as installing packages or updating the web server. The configuration syntax is very simple and straightforward, making complicated setups easy to understand.
doas accomplishes about 95% of what sudo is used for with a fraction of the code and complexity. I quickly checked the lines of code in the current stable version of each program using David A. Wheeler's sloccount. sudo is at version 1.9.5p2 and doas is at 6.8.1.
$ cd OpenDoas $ sloccount . SLOC Directory SLOC-by-Language (Sorted) 3479 OpenDoas ansic=2423,sh=667,yacc=290,perl=99 Totals grouped by language (dominant language first): ansic: 2423 (69.65%) sh: 667 (19.17%) yacc: 290 (8.34%) perl: 99 (2.85%)
$ cd sudo-1.9.5p2 $ sloccount . SLOC Directory SLOC-by-Language (Sorted) 47841 plugins ansic=43243,yacc=2118,lex=1295,sh=843,python=342 28060 lib ansic=28060 10339 src_top_dir ansic=10339 8081 scripts sh=7761,perl=320 5193 logsrvd ansic=5193 3140 top_dir sh=3140 3091 include ansic=3091 245 doc sed=229,sh=16 203 src_regress ansic=203 32 etc sh=32 0 examples (none) 0 m4 (none) 0 po (none) Totals grouped by language (dominant language first): ansic: 90129 (84.85%) sh: 11792 (11.10%) yacc: 2118 (1.99%) lex: 1295 (1.22%) python: 342 (0.32%) perl: 320 (0.30%) sed: 229 (0.22%)
In terms of C code, sudu is over 37 times larger than doas. I would argue it is not 37 times more useful to make up for the larger attack surface. The vast majority of extra code implements rarely used features, which are likely not as actively maintained. This might explain why sudo has around 58 CVEs since January 2019, including a fairly serious one a few days ago, in the same time the portable version of doas has had 3. None of which apply to the native version on OpenBSD.
including a fairly serious one a few days ago
One may argue sudo is audited more intensely due to its prevalence. It's true that doas certainly doesn't share the same popularity as sudo, but it comes default on OpenBSD and is very common on NetBSD, FreeBSD, and linux distros -- including the tiny and extremely prevalent Alpine -- which are at the heart of many major targets.
The other big source of issues with sudo comes from trying to configure it to do anything more complicated than allow the wheel group to run commands as root. Its manual is like 10,000 lines long and includes the following man sudoers |
grep -C1 despair.
The sudoers file grammar will be described below in Extended Backus-Naur Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly simple, and the definitions below are annotated.
Configuring doas is dead simple. The manual is under 200 lines and OpenBSD prides itself on well written, easy to understand manuals. In fact, documentation issues are considered critical since they're just as likely to cause serious vulnerabilities and issues as technical problems.
The basic config to allow all members of the wheel group to run commands as root is this:
$ cat /etc/doas.conf permit persist :wheel
persist is an option that allows elevated commands to be run multiple times in a session, only authenticating with a password on the first attempt.
permit/deny and an identity are the only required entries. An identity can be a group or a user - groups are prefixed with :. You may also add a command to limit the scope to a single command rather than all commands. Read man 5
doas.conf for more information.