[Discussion] Why Debian still uses sudo instead of doas?

Here you can discuss every aspect of Debian. Note: not for support requests!
Dai_trying
Posts: 1101
Joined: 2016-01-07 12:25
Has thanked: 7 times
Been thanked: 16 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#21 Post by Dai_trying »

Hetzer wrote: doas should work OOTB as well if package deployed a simple config like this:
I just installed doas to verify the ootb experience and I get this:-

Code: Select all

$ doas apt update
doas: doas is not enabled, /etc/doas.conf: No such file or directory
And so I have to configure it. I can see that it is quite trivial to set-up but nonetheless needs setting up.

maxwell267
Posts: 1
Joined: 2024-02-01 13:21

Re: [Discussion] Why Debian still uses sudo instead of doas?

#22 Post by maxwell267 »

Dai_trying wrote: 2024-01-30 22:37
Hetzer wrote: doas should work OOTB as well if package deployed a simple config like this:
I just installed doas to verify the ootb experience and I get this:-

Code: Select all

$ doas apt update
doas: doas is not enabled, /etc/doas.conf: No such file or directory
And so I have to configure it. I can see that it is quite trivial to set-up but nonetheless needs setting up.
Hello @Dai_trying

Maybe you'll need to set up `doas` to use it.

1. Create the /etc/doas.conf file using a text editor,

Code: Select all

sudo nano /etc/doas.conf
2. Inside doas.conf, you can set up rules. For a simple configuration allowing a user to run any command with elevated privileges, you can add:

Code: Select all

permit :wheel
3. Save and Exit

4. Retry your command,

Code: Select all

doas apt update
I hope it helps you. Thank you.

sunrat
Administrator
Posts: 6511
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 119 times
Been thanked: 489 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#23 Post by sunrat »

maxwell267 wrote: 2024-02-01 13:28 Maybe you'll need to set up `doas` to use it.

1. Create the /etc/doas.conf file using a text editor,

Code: Select all

sudo nano /etc/doas.conf
2. Inside doas.conf, you can set up rules. For a simple configuration allowing a user to run any command with elevated privileges, you can add:

Code: Select all

permit :wheel
Curious advice. You would need to set up sudo first, and add your user to wheel group which is not a default in Debian.

I'm happy enough with sudo. Actually I'm also happy enough without doas or sudo.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!
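
An added example, not part of the thread: a small check for the situation described in the post above, where a doas.conf rule names a group (such as wheel) that the system does not have. The sample config, group file and user names are constructed, and the option list follows doas.conf(5).

```python
import shlex

# Options allowed between the action and the identity, per doas.conf(5).
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

def parse_rule(line):
    """Return (action, options, identity) for one rule, or None for blank/comment."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"not a doas rule: {line!r}")
    options = []
    while rest and (rest[0] in OPTIONS or rest[0] == "setenv"):
        opt = rest.pop(0)
        options.append(opt)
        if opt == "setenv":  # skip the { VAR=value ... } block
            while rest and not rest.pop(0).endswith("}"):
                pass
    if not rest:
        raise ValueError(f"rule has no identity: {line!r}")
    return action, options, rest[0]

def parse_groups(text):
    """Map group name -> supplementary members from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, _gid, members = line.strip().split(":", 3)
            groups[name] = [m for m in members.split(",") if m]
    return groups

def audit(conf_text, group_text, users):
    """List (line_no, message) for rules whose identity cannot match anyone."""
    groups, findings = parse_groups(group_text), []
    for n, line in enumerate(conf_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        ident = rule[2]
        if ident.startswith(":") and not groups.get(ident[1:]):
            state = "has no members" if ident[1:] in groups else "does not exist"
            findings.append((n, f"group {ident[1:]!r} {state}"))
        elif not ident.startswith(":") and ident not in users:
            findings.append((n, f"user {ident!r} does not exist"))
    return findings

# Constructed sample input, not taken from a real system.
CONF = "# sample\npermit :wheel\npermit :sudo\npermit nopass bob as root\n"
GROUPS = "root:x:0:\nsudo:x:27:alice\nadm:x:4:\n"
FINDINGS = audit(CONF, GROUPS, users={"root", "alice"})
print(FINDINGS)
```

The check reads supplementary members only, so a group that is only some user's primary group is reported as having no members.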

donald
Debian Developer, Site Admin
Posts: 1106
Joined: 2021-03-30 20:08
Has thanked: 189 times
Been thanked: 248 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#24 Post by donald »

@Best_Threads
Typo perfectionish.


"The advice given above is all good, and just because a new message has appeared it does not mean that a problem has arisen, just that a new gremlin hiding in the hardware has been exposed." - FreewheelinFrank

Hetzer
Posts: 80
Joined: 2024-01-05 22:30
Location: /etc/fstab
Has thanked: 45 times
Been thanked: 21 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#25 Post by Hetzer »

Dai_trying wrote: I just installed doas to verify the ootb experience and I get this:-
I said "if package deployed a simple config like this: [...]", not that it does - Just wanted to point out that doas (possibly, one has to verify that) can be packaged to work OOTB
[...] and add your user to wheel group which is not a default in Debian
Because "wheel" group is the BSD way, not Linux - I also forget 'bout that when I showed example config
Heave 'er up, and away we'll go...

jmgibson1981
Posts: 305
Joined: 2015-06-07 14:38
Has thanked: 11 times
Been thanked: 34 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#26 Post by jmgibson1981 »

I know I'm not the longest serving Linux user by any remote measure but this is the first time I've personally ever heard of doas. As such if it's somewhat recent it will need to be proven for quite a time before Debian would make it any kind of default I'd think. If it's not recent then I'm curious how I missed it in the last 8-10 years.

sdibaja
Posts: 96
Joined: 2005-10-22 21:14
Location: Baja California, Mexico
Has thanked: 31 times
Been thanked: 11 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#27 Post by sdibaja »

I'm also happy enough without doas or sudo.

to me, it's unnecessary complication.
su - rocks

BTW: I could probably count the number of times I have logged in as root on one hand.

None1975
df -h | participant
Posts: 1412
Joined: 2015-11-29 18:23
Location: Russia, Kaliningrad
Has thanked: 46 times
Been thanked: 70 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#28 Post by None1975 »

I don't really understand why change something that works well...
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github

fabien
Forum Helper
Posts: 688
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 62 times
Been thanked: 161 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#29 Post by fabien »

donald wrote: 2024-02-01 14:36 @Best_Threads
Already done @donald, but thanks anyway :D

CwF
Global Moderator
Posts: 2719
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 201 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#30 Post by CwF »

jmgibson1981 wrote: 2024-02-01 16:25 If it's not recent then I'm curious how I missed it in the last 8-10 years.
Well, in that time frame most every reference found by googlers was sudo, if not gksudo. During stretch polkit was still incomplete and doas still not packaged. During Buster and Bullseye polkit greatly matured and many packages were coming with policy files. Doas was first as 'doas' in bullseye I think. Now in bookworm transitioned to 'opendoas' and needing root setup, like it should.

The mention of polkit is there since sudo was already something I used only in scripts, with front ends of some sort. I have a right click always available, with the red root terminal icon scarfed from gksudo itself! This requires root setup too, like it should.

Code: Select all

pkexec xfce4-terminal
Excessive, I know. It works well.

If opendoas is smaller and tighter, then it's better. I stated the case above, we'll see how it goes.

Code: Select all

permit nopass user as root
This covers the way I do it, and requires root setup.

Groups could be a powerful rule for a more segmented setup. adm, users, staff, sure. Staff I use more for the idea of common out of home file sharing and rights, so would refrain from tying root rights to that group.

A transitional setup file for ootb goodness

Code: Select all

permit :sudo
@sunrat, you knew it was coming! Polkit had such a crutch!

I haven't thought about or tested logging options, someone could investigate that...

I have an image up with some time on it, let's see;

Code: Select all

$  journalctl -b 0 -g doas --no-pager
Jan 21 20:59:33 user doas[11530]: pam_unix(doas:session): session opened for user root(uid=0) by (uid=1001)
Jan 21 20:59:33 user doas[11530]: pam_unix(doas:session): session closed for user root
Jan 21 21:00:45 user doas[11645]: pam_unix(doas:session): session opened for user root(uid=0) by (uid=1001)
Jan 21 21:00:45 user doas[11645]: pam_unix(doas:session): session closed for user root
So, a recorded instance from weeks back. I suppose logging options may include more.

It seems to me that all of these need setup help. So the only egg worth caring for is 'su -'.
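
An added example, not part of the thread: one way to turn the pam_unix session records shown in the post above into paired doas sessions and to list those opened by an unexpected uid. The first four log lines are the ones quoted in the post; the fifth line and the allowed-uid set are constructed.

```python
import re

# One pam_unix session record as logged for doas (format from the post above).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) doas\[(?P<pid>\d+)\]: "
    r"pam_unix\(doas:session\): session (?P<event>opened|closed) for user "
    r"(?P<target>[^\s(]+)(?:\(uid=\d+\))?"
    r"(?: by [^\s(]*\(uid=(?P<uid>\d+)\))?$"
)

def doas_sessions(lines):
    """Pair opened/closed records by (host, pid); unclosed sessions come last."""
    pending, done = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        key = (m["host"], m["pid"])
        if m["event"] == "opened":
            pending[key] = {"uid": int(m["uid"]) if m["uid"] else None,
                            "target": m["target"], "pid": int(m["pid"]),
                            "opened": m["ts"], "closed": None}
        elif key in pending:
            session = pending.pop(key)
            session["closed"] = m["ts"]
            done.append(session)
    return done + list(pending.values())

def unexpected(sessions, allowed_uids):
    """Sessions opened by a uid that is not expected to use doas."""
    return [s for s in sessions if s["uid"] not in allowed_uids]

LOG = """\
Jan 21 20:59:33 user doas[11530]: pam_unix(doas:session): session opened for user root(uid=0) by (uid=1001)
Jan 21 20:59:33 user doas[11530]: pam_unix(doas:session): session closed for user root
Jan 21 21:00:45 user doas[11645]: pam_unix(doas:session): session opened for user root(uid=0) by (uid=1001)
Jan 21 21:00:45 user doas[11645]: pam_unix(doas:session): session closed for user root
Jan 21 21:07:02 user doas[11702]: pam_unix(doas:session): session opened for user root(uid=0) by (uid=1002)
""".splitlines()  # first four lines are from the post; the last is constructed

SESSIONS = doas_sessions(LOG)
for s in unexpected(SESSIONS, allowed_uids={1001}):
    print("review:", s)
```

These records carry only the invoking uid and the target user, not the command that was run.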

oswaldkelso
df -h | grep > 20TiB
Posts: 1497
Joined: 2005-07-26 23:20
Location: UK
Has thanked: 1 time
Been thanked: 60 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#31 Post by oswaldkelso »

I don't use sudo on any of my systems. Never have. I've always used su or su -
The one place I do use doas is in my .bashrc file
things like this

Code: Select all

alias ps='doas ps_mem.py '
sudo is a complex HGV, doas is a simple bicycle. I get professionals need sudo, but for single user systems like mine I don't need it.

I always have the text red in my root terminal and green in my user terminal so I have a clear visual clue as to if I'm root or user. I guess you can do that with sudo too, but I like a stronger and longer password for root and a shorter one for user that's not so easy to sort out.
Free Software Matters
Ash init durbatulûk, ash init gimbatul,
Ash init thrakatulûk agh burzum-ishi krimpatul.
My oldest used PC: 1999 imac 333Mhz 256MB PPC abandoned by Debian

Dai_trying
Posts: 1101
Joined: 2016-01-07 12:25
Has thanked: 7 times
Been thanked: 16 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#32 Post by Dai_trying »

maxwell267 wrote: 2024-02-01 13:28 Hello @Dai_trying

Maybe you'll need to set up `doas` to use it.
Hi maxwell267, yes, I was just pointing out the fact that it needs to be configured before it can work, I did look at the official source and found it to be a trivial task, but I am more than happy with Debian's current choice of sudo.

Dai_trying
Posts: 1101
Joined: 2016-01-07 12:25
Has thanked: 7 times
Been thanked: 16 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#33 Post by Dai_trying »

Hetzer wrote: 2024-02-01 15:50
Dai_trying wrote: I just installed doas to verify the ootb experience and I get this:-
I said "if package deployed a simple config like this: [...]", not that it does - Just wanted to point out that doas (possibly, one has to verify that) can be packaged to work OOTB
[...] and add your user to wheel group which is not a default in Debian
Because "wheel" group is the BSD way, not Linux - I also forget 'bout that when I showed example config
I'm sorry if I'm being a little pedantic here, and I do agree that it could be packaged/configured with relative ease for "proper" deployment, but at the moment that is not the case.

CynicalDebian
Posts: 263
Joined: 2023-03-02 05:26
Location: USA
Has thanked: 50 times
Been thanked: 60 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#34 Post by CynicalDebian »

Sudo is battle tested. Doas has nice benefits and I use it on OpenBSD but you need an actually good reason to switch away from sudo. Especially since switching away from sudo (on a default install) will break compatibility and habits.

Anyways, out of the priv-esc religious war there is one clear loser, su!

Read this to see what maintainers think:
https://bugs.debian.org/cgi-bin/bugrepo ... bug=907194

'su' is a terrible nightmare legacy binary that is mainly just kept around for compatibility. With everyone's favorite --login footgun
For backward compatibility, su defaults to not
change the current directory and to only set the
environment variables HOME and SHELL (plus USER
and LOGNAME if the target user is not root). It is
recommended to always use the --login option
(instead of its shortcut -) to avoid side effects
caused by mixing environments.
What does this even mean??? Backwards compatibility???

Sudo and Doas can function as replacements for su, and you can even emulate su's behavior of asking for a rootpw if you so wish.

Privesc from unprivileged user is scary. If you are paranoid, best switch to TTY1 and login as root directly.
Be seeing you...

donald
Debian Developer, Site Admin
Posts: 1106
Joined: 2021-03-30 20:08
Has thanked: 189 times
Been thanked: 248 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#35 Post by donald »

I tried this doas command and to be quite honest I am not a big fan of it. I dislike typing it every time. I tend to log in to my user account and then run root ... even on production systems. I've always used root and am wary of the dangers of running root, but it has been years 23 days since I royally messed a system up*. I went back to using su -c as whatever I could do in sudo I can do as root anyway.

similar to what @Oswald Luis does I have different colored bash prompts to let me know which level/account I am running

wizard10000
Global Moderator
Posts: 628
Joined: 2019-04-16 23:15
Location: southeastern us
Has thanked: 84 times
Been thanked: 98 times

Re: [Discussion] Why Debian still uses sudo instead of doas?

#36 Post by wizard10000 »

Got four Debian machines here - the *only* reason they have a root password is because grub's recovery mode requires one (DDs, Ubuntu's grub recovery mode doesn't require a root password). If I break something I could just boot in single-user mode and remount filesystems rw but putting in a root password is quicker and easier.

I've used sudo since day one (almost 30 years now); I've spent a lot of time working in the enterprise for both government and civilian agencies and what I'm used to is the root password being locked in a safe and changed after each use. If you wanted the root password you had to explain to IT security why what you needed couldn't be done with sudo. The short version is I wouldn't work for a company that didn't restrict the hell out of a root password and I don't think anybody here disagrees that sudo is the thing if you're doing enterprise IT :)

On a home PC I figure it matters not at all as it's your hardware, your choice; personally I see doas as a solution without a requirement but I'm not in charge of other people's hardware.

And that's probably a good thing :mrgreen:
we see things not as they are, but as we are.
-- anais nin
