summaryrefslogtreecommitdiff
path: root/usr.bin/doas
AgeCommit message (Collapse)Author
2016-07-12add "recvfd" to doas(1) for use with skey.Sebastien Marie
ok tb@ deraadt@
2016-07-10rename variable for consistencyTed Unangst
2016-06-27minor tweaks; ok teduJason McIntyre
2016-06-27somehow nopass snuck onto the :wheel example. i think it's better without.Ted Unangst
2016-06-27revise environment handling.Ted Unangst
Add a setenv keyword for manipulating the environment. keepenv now means only retain everything. (for one release, the old use of keepenv will still work.) Allow setting variables to new or existing values, and also removing vars when keepenv is used. ok djm martijn tb
2016-06-24move a space to the correct spotTed Unangst
2016-06-19Move the RB_ code from doas.h to env.c, and limit the environment interface to aMartijn van Duren
simple prepenv function. OK tedu@
2016-06-16the environment handling code was showing its age. just because environTed Unangst
is a char** array doesn't mean we must exclusively operate on such. convert to a red-black tree, manipulate as desired, then flatten to array. potentially overkill for the current operations, but reading the tea leaves i see that more manipulations are desired. ok tb (and some thought provoking disagreement from martijn)
2016-06-11don't use specified twice in a sentence, noticed by jmcTed Unangst
2016-06-11clarify some wordingTed Unangst
2016-06-11specify that default is deny if no rule matchesTed Unangst
2016-06-11expand contractionsTed Unangst
2016-06-11tighten up some wordingTed Unangst
2016-06-07revert recent changes to allow setenv. everybody now has an idea aboutTed Unangst
how to do things better, so let's take a step back and reconsider.
2016-06-07merge setenv feature into keepenv. less grammar, more better.Ted Unangst
minimal changes to implementation for now, but some refinement to the way in which the new environment is constructed would be nice. ok djm
2016-06-05spelling fix;Jason McIntyre
2016-06-05add a doas.conf setenv directive that allows setting environmentDamien Miller
variables explicitly and by copying existing environment variables of a different name. E.g. permit nopass setenv { PS1=$SUDO_PS1 FOO=bar } keepenv :wheel ok tedu@ benno@
2016-04-28set progname to doas so users can't create bizarro fake logsTed Unangst
2016-04-27adjust yyerror() to precede with "progname: " the error message stringGleydson Soares
OK tedu@ phessler@
2016-02-15Do a carriage return before password prompt.martijn
OK tedu@
2016-02-07require a tty for the password.Ted Unangst
sudo regression noted by miod, fix by millert
2016-01-24make sure of cleaning rbuf with explicit_bzero(3)Gleydson Soares
OK tedu@
2016-01-02tweak previous;Jason McIntyre
2016-01-01doas.conf lives in /etc. from Amit KulkarniTed Unangst
2015-12-08semarie noticed that auth failures don't set errno. just print a genericTed Unangst
message and leave it to the user to find the tea leaves.
2015-12-08Support -a <auth_style> in doas(1). Allows specifying a non-default authStuart Henderson
style, for example if you have "auth-doas=yubikey,passwd" in login.conf, doas will usually want yubikey authentication, but will allow a fallback of "doas -a passwd". Avoids the need for sudo in a number of cases, at the expense of 5 added lines of code (and one of those is only to avoid >80 columns). Adapted from a diff by Renaud Allard, ok dlg@ tedu@
2015-12-04espie reminds me that EOF can happen for errors as well, so check for thatTed Unangst
happening and print a message.
2015-12-03use the more direct auth interfaces so we can provide a custom passwordTed Unangst
prompt to the user (including username and host) so it's always clear what program is asking. request from henning with a hint from millert. ok deraadt jung zhuk
2015-11-27after reading a too long line, restart at the beginning of the buffer soTed Unangst
we don't keep writing past the end. (the perils of trying to recover from parse errors.) noticed by Jan Schreiber
2015-10-24setusercontext() may still need "getpw" pledge rights; unbreaks doas on ypMiod Vallat
accounts after 1.43; found the hard way by matthieu@
2015-10-22copying of the environment can be done later, as the user runningTed Unangst
2015-10-22pledge in doas. startup pledge "stdio rpath getpw proc exec id". 4Theo de Raadt
more times after that more attributes are dropped: "proc" after bsd auth has spawned/received result from the login_* program; "getpw" after the final getpwent lookup, "id" after the final uid changing, and "rpath" after constructing getcwd. leaving only "exec", for the ride into execve().
2015-09-19doas doesn't need any files to be passed in. closefrom STDERR+1. ok bennoTed Unangst
2015-09-03replace permfail calls with errc. the permfail calls had been retained forTed Unangst
clarity and/or future use, but if people send me diffs fixing it, it's not worth fighting for. from Martin Natano
2015-09-01increment the line number after the line continuation; ok teduMike Belopuhov
2015-09-01only need to restrict exec path if the rule specifies a command.Ted Unangst
add a hint about path restrictions to man page. ok deraadt espie
2015-08-28Document an example that lets root run unrestricted doas commands asReyk Floeter
root ("permit nopass keepenv root as root"), matching the old behaviour from OpenBSD's sudoers file ("root ALL=(ALL) SETENV: ALL"). OK sthen@
2015-08-27add a type of "auth-doas" to the perm check to allow login.conf fiddlingTed Unangst
originally proposed by halex
2015-08-22Add cwd context to syslog entry.Doug Hogan
input + ok tedu@, ok benno@
2015-08-20Show program name for permission failure messages.Rafael Zalamena
ok espie@, tedu@.
2015-08-13and now we can unify the code. okay tedu@Marc Espie
err() suggestion by Martijn van Duren
2015-08-12more explicit warnings. Okay tedu@Marc Espie
2015-08-03remove an extra getuid call, reported by Martijn van DurenTed Unangst
2015-07-30make gid parsing look like uid parsing. from Martijn van DurenTed Unangst
ack deraadt
2015-07-30Fix usage examples.Vadim Zhukov
From Theo Buehler on misc@, thanks! okay jmc@, deraadt@.
2015-07-29refine a commentTed Unangst
2015-07-28wrap some exceedingly long linesTheo de Raadt
2015-07-28Rename some variables and add few comments in keepenv handling code.Vadim Zhukov
Makes the code more readable. okay tedu@
2015-07-28Fix keepenv handling. Initially reported by Ze Loff on misc@.Vadim Zhukov
tedu@ agrees.
2015-07-27default permitted target is all users, not root.Ted Unangst