Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230
[Discussion] Why Debian still uses sudo instead of doas?
- Hetzer
- Posts: 80
- Joined: 2024-01-05 22:30
- Location: /etc/fstab
- Has thanked: 45 times
- Been thanked: 21 times
[Discussion] Why Debian still uses sudo instead of doas?
doas has nearly the same (or it's already of same) functionality, is smaller and much easier to configure than sudo. It's also said that doas is more secure, mostly due to it's much smaller codebase
doas is already in Debian repositories (opendoas package), is proven to work (at least by me) - The question is, why Debian still prefers sudo when we have plain better replacement?
doas is already in Debian repositories (opendoas package), is proven to work (at least by me) - The question is, why Debian still prefers sudo when we have plain better replacement?
Heave 'er up, and away we'll go...
- bbbhltz
- Posts: 166
- Joined: 2024-01-10 14:53
- Location: Normandy
- XMMP/Jabber: bbbhltz@mailbox.org
- Has thanked: 49 times
- Been thanked: 33 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
I asked myself the same question when I used Alpine Linux, which comes with doas:
doas: simpler, less configuration, good for single-user cases and doing things as root without remembering two passwords.
sudo can be used in elaborate sysadmin situations with permission combinations and multiuser cases and servers.
doas: simpler, less configuration, good for single-user cases and doing things as root without remembering two passwords.
sudo can be used in elaborate sysadmin situations with permission combinations and multiuser cases and servers.
bbbhltz
longtime desktop Linux user; eternal newbie
longtime desktop Linux user; eternal newbie
-
- Global Moderator
- Posts: 2719
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 41 times
- Been thanked: 201 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
Momentum.
I'm slow, usually early, then late. Going forward I am moving to doas. For me it deserve a long view and I never expect I can sit down and figure out the extents in a single session, or minutes. So after I started with it a year+ ago I haven't come up with an issue. I have had sudo removed for years, like gksudo years, which was when I was starting to lean on policy kit. I only use sudo/doas in scripts or tickle code where they seem equivalent. With larger more complicated multi-user sudo group installs there may be some snags I won't see.
Overall a minor detail and an easily reconfigurable one. So I rely on attrition, eventually.
Momentum.
I'm slow, usually early, then late. Going forward I am moving to doas. For me it deserve a long view and I never expect I can sit down and figure out the extents in a single session, or minutes. So after I started with it a year+ ago I haven't come up with an issue. I have had sudo removed for years, like gksudo years, which was when I was starting to lean on policy kit. I only use sudo/doas in scripts or tickle code where they seem equivalent. With larger more complicated multi-user sudo group installs there may be some snags I won't see.
Overall a minor detail and an easily reconfigurable one. So I rely on attrition, eventually.
Momentum.
- Hetzer
- Posts: 80
- Joined: 2024-01-05 22:30
- Location: /etc/fstab
- Has thanked: 45 times
- Been thanked: 21 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
I think doas can be used as well since it allows per-user, per-group and per-command settingssudo can be used in elaborate sysadmin situations with permission combinations and multiuser cases and servers.
And well, even if sudo has more options than doas - I still think it's better to prefer doas 'cause most Debian installations are these "single-user" cases ye told of - therefore no need for complexity of sudo
I'd not call it "minor" since it's somewhat a must-have for people that don't want to switch between unprivileged and root frequentlyOverall a minor detail and an easily reconfigurable one
Indeed it's easy to configure (even easier if root password is set during installation, since no sudo is installed) - But I personally think it'd be better to have it already configured instead - one less chore after install
Heave 'er up, and away we'll go...
-
- Global Moderator
- Posts: 2719
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 41 times
- Been thanked: 201 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
I do because it's rare for me to ever use either, I could say never to needing it, just an option. I try to get everything to happen within user rights with polkit, and have except for the mentioned use of scripts, which are within a gui anyway and available to the user.
There are enough options in how to gain su status none are critical to have, just pick one. Some may argue for 'su -' as the default minimum, nothing else required since all can be built from there.
Sudo is habit, nothing more. So any replacement is simply a newly preferred habit.
Code: Select all
user@debian:~$ su -
Password:
root@debian:~# exit
logout
user@debian:~$
-
- Posts: 1101
- Joined: 2016-01-07 12:25
- Has thanked: 7 times
- Been thanked: 16 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
I haven't used doas (or ever installed it) but would like to know in what way doas is better than sudo? I will do a bit of googling (without google ) while waiting for any response but opinions of it are welcome (to me at least).
My reason for asking is because I'm a "if it aint broke don't fix it" kind of guy.
My reason for asking is because I'm a "if it aint broke don't fix it" kind of guy.
- Hallvor
- Global Moderator
- Posts: 2044
- Joined: 2009-04-16 18:35
- Location: Kristiansand, Norway
- Has thanked: 151 times
- Been thanked: 212 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
Unless you are in a corporate environment where you don't want to hand out the root password to your colleagues on yellow post-it notes, I don't see a reason to use any of them: su - works just fine.
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD
-
- Posts: 1101
- Joined: 2016-01-07 12:25
- Has thanked: 7 times
- Been thanked: 16 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
Absolutely true, I only install sudo to make it easier when using code found on the net (after checking for anything obviously malicious )
Re: [Discussion] Why Debian still uses sudo instead of doas?
During install I allways set a root password and after installation I install sudo (and add myself to the sudo group).
I also have some rules set in the sudoers map "/etc/sudoers.d". This works great for me.
So I think I don't have the need to use doas in stead of sudo.
I also have some rules set in the sudoers map "/etc/sudoers.d". This works great for me.
So I think I don't have the need to use doas in stead of sudo.
- Hetzer
- Posts: 80
- Joined: 2024-01-05 22:30
- Location: /etc/fstab
- Has thanked: 45 times
- Been thanked: 21 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
In ways I've mentioned in the beginning - simplier, easier to set up + said to be more secureI haven't used doas (or ever installed it) but would like to know in what way doas is better than sudo?
I personally see since I use it. A lot.I don't see a use any of them: su - works just fine.
I frequently forget what I wanted to execute as root (I mean, execute one command as root, one as unprivileged, then remind meself of thing to do so another command as root...), in my case I would swap between both all the time - so instead I utilize doas with disabled password prompt
sudo / doas is a habit, but preferring one over another isn't - it's not only because of syntax matterSudo is habit, nothing more. So any replacement is simply a newly preferred habit.
doas is simplier, smaller (smaller codebase = smaller attack surface) and functionally very close (again, if not 1:1) to sudo - I see no problems to prefer it in future releases
Ones who need (or just are used to) sudo still could install it, like one can install and configure doas right now
Heave 'er up, and away we'll go...
-
- Global Moderator
- Posts: 2719
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 41 times
- Been thanked: 201 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
I don't disagree. What you say is true. But, your perspective in narrow, as is mine. There are many packages impacted by this seemingly simple choice, packages that inherit the sudo group for permissions would need changed. That would take a coherent effort beyond the simplicity you're assuming. In any case sudo is already a secondary consideration even if level with a doas consideration. I'd prefer a polkit configuration step within the installer. The likely answer may be to configure that after install, let's not complicate the installer. I'd comply, maybe with a sulk. Sudo is a result of accommodating the lack of a root account, which is a result of an ill conceived notion that root accounts are dangerous. Obfuscating the path to su function with alternatives doesn't change the reality there is always a root, invisible or not.
KISS says to always establish the root account at install, pay attention, and when we are at a prompt after install completion, configure secondary solutions like polkit/sudo/doas using 'su -' with the root password (you were paying attention) in a DE's terminal emulator or switch to a tty and login as root to do it the hard way.
Since KISS is not the current way with a rootless option we have already moved away from this KISS. If this path is the way, then a doas vs. sudo argument is valid - as long as we recognize removing sudo and enforcing a root account is also valid.
Many packages have already rid themselves of a hard dependency on sudo now listing the optional alternative opendoas. It is only recently possible to rid a system of sudo being previously tied up in various DE dependencies. So a default doas option could happen by 13 or 14.
Finally, default should always be considered the beginning and not the end. We are ROOT, we will configure.
KISS - Keep It Simple...
- Hallvor
- Global Moderator
- Posts: 2044
- Joined: 2009-04-16 18:35
- Location: Kristiansand, Norway
- Has thanked: 151 times
- Been thanked: 212 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
I can't and won't argue against your personal preferences, but I do think it is a good idea to make a clear distinction between root and regular user environments. This separation is there for security reasons, and understanding when to issue commands as root and user will help you avoid unintended consequences of executing commands with elevated privileges.Hetzer wrote: ↑2024-01-29 15:41 I personally see since I use it. A lot.
I frequently forget what I wanted to execute as root (I mean, execute one command as root, one as unprivileged, then remind meself of thing to do so another command as root...), in my case I would swap between both all the time - so instead I utilize doas with disabled password prompt
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD
- Hetzer
- Posts: 80
- Joined: 2024-01-05 22:30
- Location: /etc/fstab
- Has thanked: 45 times
- Been thanked: 21 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
There are many packages impacted by this seemingly simple choice, packages that inherit the sudo group for permissions would need changed. That would take a coherent effort beyond the simplicity you're assuming.
Well, didn't know 'bout that...It is only recently possible to rid a system of sudo being previously tied up in various DE dependencies.
And I didn't even think of it as well, since my non-sudo installations always went smooth - never noticed something not working because of lack of the sudo
That's a good wisdom. Personally I don't understand meself that "rootless" trend, it makes no difference to user except if anything breaks one will be locked out of his/her systemKISS says to always establish the root account at install, pay attention, and when we are at a prompt after install completion, configure secondary solutions like polkit/sudo/doas using 'su -' with the root password (you were paying attention) in a DE's terminal emulator or switch to a tty and login as root to do it the hard way.
Not true in my case, I always thought of sudo/doas as a "one-liner to do something as root" - but mentality ye described lives for sure as it's seen in mainstream distributions (e.g. Ubuntu)Sudo is a result of accommodating the lack of a root account, which is a result of an ill conceived notion that root accounts are dangerous. Obfuscating the path to su function with alternatives doesn't change the reality there is always a root, invisible or not.
The funniest thing is this "dangerous root" still being utilized with that sudo/doas anyway - In the end, no difference [comparing to properly-configured machine] expect additional risk I've mentioned above
Ye I'm aware of that, I use mentioned doas when something just can't be done as unprivileged (partitioning, service management, installing packages...) - I'm not type who runs anything that doesn't work on first try as rootHallvor wrote: ↑2024-01-29 18:01I can't and won't argue against your personal preferences, but I do think it is a good idea to make a clear distinction between root and regular user environments. This separation is there for security reasons, and understanding when to issue commands as root and user will help you avoid unintended consequences of executing commands with elevated privileges.Hetzer wrote: ↑2024-01-29 15:41 I personally see since I use it. A lot.
I frequently forget what I wanted to execute as root (I mean, execute one command as root, one as unprivileged, then remind meself of thing to do so another command as root...), in my case I would swap between both all the time - so instead I utilize doas with disabled password prompt
Heave 'er up, and away we'll go...
-
- Posts: 1101
- Joined: 2016-01-07 12:25
- Has thanked: 7 times
- Been thanked: 16 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
After reading all the comments and doing a little research it appears (to me) that while doas is smaller, (although this is quite insignificant IMO due to the actual size of both packages) there are things that are not quite ready (in doas) to be able to replace sudo in some situations. On top of that sudo will work ootb (probably due to the fact that it is maintained by debian) and doas requires some configuration at all times.
My current opinion is that while doas might be ready in the future to be able to replace sudo, at the moment i cannot see any reason to change what already works flawlessly for me.
Also just as a minor point, I usually prefer using packages maintained by Debian rather than a random (unknown to me until now) github repository.
I am not knocking doas it may do everything most users would need and save a little under 2Mb of space, but for me it's not a viable replacement (yet).
For information a seemingly good reference might include this page
My current opinion is that while doas might be ready in the future to be able to replace sudo, at the moment i cannot see any reason to change what already works flawlessly for me.
Also just as a minor point, I usually prefer using packages maintained by Debian rather than a random (unknown to me until now) github repository.
I am not knocking doas it may do everything most users would need and save a little under 2Mb of space, but for me it's not a viable replacement (yet).
For information a seemingly good reference might include this page
- sunrat
- Administrator
- Posts: 6511
- Joined: 2006-08-29 09:12
- Location: Melbourne, Australia
- Has thanked: 119 times
- Been thanked: 489 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
https://packages.debian.org/search?keywords=doasDai_trying wrote: ↑2024-01-30 08:45Also just as a minor point, I usually prefer using packages maintained by Debian rather than a random (unknown to me until now) github repository.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ” Remember to BACKUP!
Those who have lost data
...and those who have not lost data YET ” Remember to BACKUP!
Re: [Discussion] Why Debian still uses sudo instead of doas?
Sudo usage is logged. Some prefer that, others don't care.
- Hetzer
- Posts: 80
- Joined: 2024-01-05 22:30
- Location: /etc/fstab
- Has thanked: 45 times
- Been thanked: 21 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
doas should work OOTB as well if package deployed a simple config like this:On top of that sudo will work ootb (probably due to the fact that it is maintained by debian) and doas requires some configuration at all times
Code: Select all
permit persist keepenv :wheel
doas, like sudo, doesn't need to be configured specifically for one machine (unlike a e.g. mailserver, of which configuration is always different)
Just a note from me, this wiki doesn't mention about "keepenv" setting which can be used instead of setting user environment all over againFor information a seemingly good reference might include this page
It's useful in multi-user machines, not so in case of desktops. And I think it does some kind of logging, at least I assume that on the basis of "nolog" parameter for /etc/doas.confSudo usage is logged. Some prefer that, others don't care.
Heave 'er up, and away we'll go...
-
- Global Moderator
- Posts: 2719
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 41 times
- Been thanked: 201 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
There you just went off the rails...
guid 100, users or
guid 50, staff, the logical choice, already exist.
- Hetzer
- Posts: 80
- Joined: 2024-01-05 22:30
- Location: /etc/fstab
- Has thanked: 45 times
- Been thanked: 21 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
Sorry, my bad
Heave 'er up, and away we'll go...
-
- Posts: 1101
- Joined: 2016-01-07 12:25
- Has thanked: 7 times
- Been thanked: 16 times
Re: [Discussion] Why Debian still uses sudo instead of doas?
I guess I may have worded my previous post wrong but my point was the apt show output:-sunrat wrote: ↑2024-01-30 10:48https://packages.debian.org/search?keywords=doasDai_trying wrote: ↑2024-01-30 08:45Also just as a minor point, I usually prefer using packages maintained by Debian rather than a random (unknown to me until now) github repository.
Code: Select all
Package: sudo
Maintainer: Sudo Maintainers <sudo@packages.debian.org>
Homepage: https://www.sudo.ws/
Code: Select all
Package: doas
Maintainer: Scupake <scupake@riseup.net>
Homepage: https://github.com/Duncaen/OpenDoas