jmgibson1981 wrote: ↑2024-02-01 16:25
If it's not recent then I'm curious how I missed it in the last 8-10 years.
Well, in that time frame most every reference found by googlers was sudo, if not gksudo. During Stretch polkit was still incomplete and doas still not packaged. During Buster and Bullseye polkit greatly matured and many packages were coming with policy files. Doas was first as 'doas' in Bullseye I think. Now in Bookworm transitioned to 'opendoas' and needing root setup, like it should.
The mention of polkit is there since sudo was already something I used only in scripts, with front ends of some sort. I have a right click always available, with the red root terminal icon scarfed from gksudo itself! This requires root setup too, like it should.
Excessive, I know. It works well.
If opendoas is smaller and tighter, then it's better. I stated the case above, we'll see how it goes.
This covers the way I do it, and requires root setup.
Groups could be a powerful rule for a more segmented setup. adm, users, staff, sure. Staff I use more for the idea of common out of home file sharing and rights, so would refrain from tying root rights to that group.
A transitional setup file for ootb goodness
@sunrat, you knew it was coming! Polkit had such a crutch!
I haven't thought about or tested logging options, someone could investigate that...
I have an image up with some time on it, let's see;
Code:
$ journalctl -b 0 -g doas --no-pager
Jan 21 20:59:33 user doas[11530]: pam_unix(doas:session): session opened for user root(uid=0) by (uid=1001)
Jan 21 20:59:33 user doas[11530]: pam_unix(doas:session): session closed for user root
Jan 21 21:00:45 user doas[11645]: pam_unix(doas:session): session opened for user root(uid=0) by (uid=1001)
Jan 21 21:00:45 user doas[11645]: pam_unix(doas:session): session closed for user root
So, a recorded instance from weeks back. I suppose logging options may include more.
It seems to me that all of these need setup help. So the only egg worth caring for is 'su -'.
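The journal lines quoted in the post already identify who invoked each doas session. As an added example (not part of the original post), this Python script pairs the opened/closed PAM lines by PID and counts root sessions per invoking uid; the function names and the fifth sample line are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample: the four lines from the post plus one made-up
# session (pid 11702, uid 1002) that has no matching "closed" line.
SAMPLE = """\
Jan 21 20:59:33 user doas[11530]: pam_unix(doas:session): session opened for user root(uid=0) by (uid=1001)
Jan 21 20:59:33 user doas[11530]: pam_unix(doas:session): session closed for user root
Jan 21 21:00:45 user doas[11645]: pam_unix(doas:session): session opened for user root(uid=0) by (uid=1001)
Jan 21 21:00:45 user doas[11645]: pam_unix(doas:session): session closed for user root
Jan 21 21:07:02 user doas[11702]: pam_unix(doas:session): session opened for user root(uid=0) by (uid=1002)
""".splitlines()

# Accepts both "root(uid=0) by (uid=N)" and the older "root by name(uid=N)".
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ doas\[(?P<pid>\d+)\]: "
    r"pam_unix\(doas:session\): session (?P<event>opened|closed) for user "
    r"(?P<target>[^\s(]+)(?:\(uid=\d+\))?"
    r"(?: by [^\s(]*\(uid=(?P<by_uid>\d+)\))?"
)

def doas_sessions(lines):
    """Pair opened/closed PAM lines by PID; return one record per session."""
    records, open_by_pid = [], {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a doas PAM session line
        pid = int(m["pid"])
        if m["event"] == "opened":
            uid = int(m["by_uid"]) if m["by_uid"] else None
            rec = {"pid": pid, "opened": m["ts"], "closed": None,
                   "target": m["target"], "by_uid": uid}
            records.append(rec)
            open_by_pid[pid] = rec  # a reused PID replaces the older entry
        elif pid in open_by_pid:
            open_by_pid.pop(pid)["closed"] = m["ts"]
    return records

def summarize(records):
    """Count root sessions per invoking uid and list PIDs never closed."""
    per_uid = Counter(r["by_uid"] for r in records if r["target"] == "root")
    unclosed = [r["pid"] for r in records if r["closed"] is None]
    return dict(per_uid), unclosed

if __name__ == "__main__":
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    print(summarize(doas_sessions(lines)))
```

Run with no input it summarizes the constructed sample; piping the output of the `journalctl -b 0 -g doas --no-pager` command from the post into it summarizes the current boot instead.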