Archived view of gemini://thrig.me/blog/2023/03/12/feature-poor-sudo-replacement.gmi, captured 2024-07-09 00:59:08.
> ... the `sudo` program is made up of 108,255 lines of C code ... this is simply unacceptable in a utility that is installed suid root ... 95% of the code is just sitting there ... just waiting for someone to find the next exploit. We could easily have a suitable replacement that would cover just about everyone's needs in no more than a few hundred lines of code ...
```
$ which sudo
which: sudo: Command not found.
$ which doas
/usr/bin/doas
$ cd /usr/src/usr.bin/doas
$ cloc .
      10 text files.
       5 unique files.
       5 files ignored.

github.com/AlDanial/cloc v 1.93  T=0.03 s (193.3 files/s, 44338.6 lines/s)
-------------------------------------------------------------------------------
Language                     files          blank        comment           code
-------------------------------------------------------------------------------
C                                2             89             41            599
yacc                             1             35             26            293
C/C++ Header                     1              8             16             25
make                             1              5              1              9
-------------------------------------------------------------------------------
SUM:                             5            137             84            926
-------------------------------------------------------------------------------
```
=> http://man.openbsd.org/man1/doas.1 doas(1)
doas needs wrapper scripts for anything beyond an exact argument match (the `args` keyword in doas.conf) that sudo could express directly in its config file, wildcards in the argument list for example. The complexity must go somewhere, and may need to be invented at multiple sites. Nothing one cannot wrangle with configuration management, but I've seen sysadmins go all deer in headlights when configuration management is mentioned; for them, editing sudoers works, and maybe they haven't learnt other ways to solve problems. A lot of that idle 95% was added with the best intentions. The screen saver password check that uses the accessibility framework, which makes the system very accessible, for example. And suddenly you have 100,000 lines of code.
I have written a suid wrapper on RedHat Enterprise Linux, 121 lines of C. I forget what combination of sudo and PAM and what all else blocked the Postfix and Apache users from working together. Options were to stick it out and debug what was going wrong (could take a while), to pony up for a RedHat license (expensive, and maybe their support would EDUNNO or EWONTFIX), or to go full Gordian Knot mode, which could be very bad if you suck at writing suid wrappers. Moves outside the system would have included pushing back on the feature request, which would have put load on a different overburdened group, or to find a new job. One might contemplate drastic changes to how Postfix and Apache are run. This pulls a too-small rug over in some other maybe not so good direction. The complexity will go somewhere.
sudo dates from "around 1980"; if anything, we've learned that shiny > simplicity, though there has been a slow if irregular turn towards security, and some backtracking on the "be liberal in what you accept" half of Postel's law. Various programs now actually handle duplicate environment variables, for example. sudo: 2015; much other software: Bueller... Bueller... Bueller...
=> /blog/2023/02/05/wrapper-script-etiquette.gmi wrapper script etiquette
=> /blog/2022/12/14/duplicate-environment-variables.gmi duplicate environment variables
tags #sudo #doas #security