summaryrefslogtreecommitdiff
path: root/system/opendoas/README
blob: 2e57141ec121c2f6bca0b8ea5303473fc3c980a8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
This is the "OpenDoas" port of OpenBSD's doas.

The doas utility is a program originally written for OpenBSD that
allows a user to run a command as though they were another user,
typically root. doas acts as an alternative to sudo, with simple
configuration syntax and a smaller code base for ease of security
auditing.

Please note that running this SlackBuild will install doas with SUID
root.

To get started, write a configuration file at /etc/doas.conf. As an
example, including the line:

  permit :wheel as root

will allow all users in the wheel group to act as root with doas.
Consult the doas.conf(5) man page for further details.

The parameter "keepenv" in /etc/doas.conf allows for opening graphical
applications with doas:

  permit keepenv gene as root

"exec dbus-launch --exit-with-session" may be required for xinit in
Slackware 14.2. An alternative is to run "export $(dbus-launch)" after
starting the X session. As with su, KDE 4 graphical applications may
fail to open with doas.

Running this SlackBuild without parameters will provide a build of
OpenDoas with shadow support if PAM is not installed, and with PAM 
support if PAM is installed. Password persistence is disabled by
default.

To enable timestamp-based password persistence, call the SlackBuild
with PERSIST=yes:

  PERSIST=yes ./opendoas.SlackBuild

In addition, ensure that the appropriate user or group line in
/etc/doas.conf includes the "persist" option, as in this example:

  permit persist jane as root

Please note that upstream considers timestamp-based password
persistence to be "new and potentially dangerous."

For users with PAM installed, enable shadow authentication instead by
calling the SlackBuild with PAM=no:

  PAM=no ./opendoas.SlackBuild

If /etc/pam.d/other and /etc/pam.d/system-auth are unmodified from the
state in which they are shipped in -current, doas will run with PAM
support if so compiled. Otherwise, doas may require a dedicated file at
/etc/pam.d/doas to use PAM authentication.

To allow OpenDoas to write a new PAM configuration file for doas, call
the SlackBuild with PAM_FILE=yes:

  PAM_FILE=yes ./opendoas.SlackBuild

Upstream will not include PAM configuration files in releases of
OpenDoas beyond 6.8.1.

opendoas has no outside dependencies on Slackware 14.2 and adds no
users or groups. opendoas conflicts with all other ports of doas.