doas is a utility that is aimed to replace sudo for most ordinary use cases. Ted Unagst's, an OpenBSD developer, explained why He originally wrote it in his blog post: doas - dedicated openbsd application subexecutor.
The gist is that sudo is hard to configure and does a lot more then the standard user needs.
doas was created in order to replace sudo for regular folks like me and you.
doas only targets OpenBSD, and lacked features that I felt were missing from it and sudo as well.
Furthermore, all ports I looked at weren't production ready & poorly written.
Instead of creating my own port, I decided to re-write doas and create a new version that fixes the issues I care about.
-
Secure. User's must not be able to abuse the utility, and it should protect the user from making stupid mistakes.
-
Easy. The utility should be easy to audit, to maintain, to extend and to contribute to.
-
Friendly. Rule creation should be straight forward. Rule should be easy to understand and easy to debug.
-
Powerful. Rules should be short, concise and allow find-grained control.
-
Feature Parity. This project should have complete feature parity with the original utility.
To achieve these goals, the following design decisions were made:
- The whole project was implemented in modern C++
- Explicit is better then implicit (for instance, rule commands must be absolute paths)
- Prefer using the standard library when possible - for the sake of security and maintainability.
- Commands are globs, which allows to use the same rule for many executables.
- Arguments are PCRE-compliant regular expressions, which allows to create fine-grained rules.
pre-compiled .deb and .rpm packages are uploaded on each release.
The project is currently available in a Copr:
$ sudo dnf copr enable odedlaz/suex
$ sudo dnf install -y suexYou can also build it from source:
$ git clone https://github.com/odedlaz/suex.git
$ sudo dnf install -y cmake pam-devel elfutils-devel rubygem-ronn gcc-c++
$ mkdir -p suex/build && cd suex/build && cmake .. && cd ..The project has a pre-compiled deb available at the release page.
You can also build it from source:
$ git clone https://github.com/odedlaz/suex.git
$ sudo apt install -y cmake libpam-dev libdw-dev ruby-ronn g++ rpm
$ mkdir -p suex/build && cd suex/build && cmake .. && cd ..[!] A PPA is coming soon.
[!] coming soon...
The project is in beta and will be until it reaches the 1.0 milestone.
I don't expect any major features to be added until then.
In order to reach 1.0 the project must:
- get a good-enough unit & system test coverage.
- pass a professional security audit.
- have a continuous test & integration pipeline.
- be available on major client distributions, i.e: Ubuntu, Fedora, Arch
- have both an faq & examples page that have quality enough content in them
The main author is Oded Lazar
I gladly accept contributions via GitHub pull requests.
If you are interested in contributing but not sure where to start, feel free to contact me.
Once I feel this method is not effective anymore, I'll probably open a slack / irc channel.