opendoas

my fork of doas with custom prompt
git clone git://git.kocotian.pl/opendoas.git
Log | Files | Refs | README | LICENSE

README.md (2510B)


      1 # OpenDoas: a portable version of OpenBSD's `doas` command
      2 
      3 `doas` is a minimal replacement for the venerable `sudo`. It was
      4 initially [written by Ted Unangst](http://www.tedunangst.com/flak/post/doas)
      5 of the OpenBSD project to provide 95% of the features of `sudo` with a
      6 fraction of the codebase.
      7 
      8 ## Building and installation discouragements
      9 
     10 There are a few steps you have to carefully consider before building and installing
     11 opendoas:
     12 
     13 * There are less eyes on random doas ports, just because sudo had a vulnerability
     14   does not mean random doas ports are more secure if they are not reviewed
     15   or pam is configured incorrectly.
     16 * If you want to use pam; You have to [configure pam](#pam-configuration)
     17   and failing to do so correctly might leave a big open door.
     18 * Use the configure script.
     19 * Use the default make target.
     20 * If you really want to install a setuid binary that depends on
     21   pam being correctly configured, use the make install target
     22   to install the software.
     23 
     24 ## About the port
     25 
     26 This is not an official port/project from OpenBSD!
     27 
     28 As much as possible I've attempted to stick to `doas` as tedu desired
     29 it. As things stand it's essentially just code lifted from OpenBSD with
     30 PAM or shadow based authentication glommed on to it.
     31 
     32 Compatibility functions in libopenbsd come from openbsd directly
     33 (`strtonum.c`, `reallocarray.c`, `strlcpy.c`, `strlcat.c`),
     34 from openssh (`readpassphrase.c`) or from sudo (`closefrom.c`).
     35 
     36 The PAM and shadow authentication code does not come from the OpenBSD project.
     37 
     38 ### pam configuration
     39 
     40 I will not ship pam configuration files, they are distribution specific and
     41 its simply not safe or productive to ship and install those files.
     42 
     43 If you want to use opendoas on your system and there is no package that
     44 ships with a working pam configuration file, then you have to write and
     45 test it yourself.
     46 
     47 A good starting point is probably the distribution maintained `/etc/pam.d/sudo`
     48 file.
     49 
     50 ### Persist/Timestamp/Timeout
     51 
     52 The persist feature is disabled by default and can be enabled with the configure
     53 flag `--with-timestamp`.
     54 
     55 This feature is new and potentially dangerous, in the original doas, a kernel API
     56 is used to set and clear timeouts. This API is openbsd specific and no similar API
     57 is available on other operating systems.
     58 
     59 As a workaround, the persist feature is implemented using timestamp files
     60 similar to sudo.
     61 
     62 See the comment block in `timestamp.c` for an in-depth description on how
     63 timestamps are created and checked to be as safe as possible.