6.3p2
This release introduces a new utility called vidoas (vi doas). This tool is a
shell script which creates a copy of the doas.conf file, allows the admin to
edit the file, and then checks its syntax for errors. If a problem is found,
vidoas reports which line the error was on and asks us to try editing the file
again. Once the new doas.conf file contains the proper syntax, it is installed
and overwrites the old doas.conf file.
This tool is designed to assist admins and avoid introducing errors to doas.conf
which might accidentally revoke admin access to the machine.
6.3p1
In this release, we work around a quirk of the GNU parameter parser which
required us to use double-dashes (--) after doas's parameters and before a
target command's parameters. In the past we used "doas -- pacman -Syu" and now
we can use simply "doas pacman -Syu".
This change affects only GNU/Linux systems, other platforms like FreeBSD,
NetBSD, etc already had this behaviour.
6.3
This release introduces a few minor changes:
-Added command line parameter (-S) which launches an interactive shell. This is
equivalent to "su -l" or "sudo -i".
-Updated documentation to include the new -S flag.
-Updated documentation to assist users in installing doas on some Linux
distributions, such as CentOS, that prevent PAM authentication from working by
default.
6.2p5
This release simply adds a new sample PAM configuration file for FreeBSD (and
compatible systems). The new sample configuration file is named
campat/pam.conf.freebsd.
Calling setusercontext(3) makes per-user temporary storage work (see
per_user_tmp in security(7) and rc.conf(5)).
May as well use our reallocarray(3) instead of the bundled compat code.
Changelog picked from https://github.com/slicer69/doas/releases:
6.2p4:
* Keeping environment variables with keepenv
On some platforms (seemingly Linux and macOS) it is possible for
repeated calls to getpwuid() can over-write the original struct
passwd structure. (This behaviour may vary depending on which
C library is used. This can lead to the original user's
environment data being overwritten by the target user's, even
when "keepenv" is specified in the doas.conf file.
We now do a deep copy of the original and target users' struct
passwd information to avoid over-writing the original on platforms
where libc uses a static area for all calls.
Significant items from https://github.com/slicer69/doas/releases:
doas 6.2p2
* Introducing macOS support
Due to the dedicated work by Gordon Bergling, the doas
command now builds and runs on macOS. This release
contains no functionality changes, just the ability to
build and run on macOS.
Significant items from https://github.com/slicer69/doas/releases:
doas 6.2p1
* Fixes a crash on Linux systems when a specified user on the
command line did not match a valid entry in the doas.conf file.
In the past, doas would first try to find an exact username match
when the "-u" flag was used and, if one could not be found, it
would try to find a matching numeric UID.
Now doas requires that an exact username be specified when
"-u" is used. This avoids confusion (and, on Linux, fuzzy matches
when a username begins with a number). This means "doas -u 0" can
no longer be used to run a command as root, and "duas -u 1000" is
not ambigious if there is a user with the name "1000" on the system.
doas 6.2
* Group permissions of the original user are now dropped on Linux.
This prevents the original user's group access from interfering
with the target user's owned files. Group permissions were already
dropped on FreeBSD (and I believe) NetBSD, and this brings doas's
Linux behaviour into line with the other systems.
* Fixed a couple of compiler warnings that get rid of either unneeded
variables or introduce sanity checks on return functions.
This should make doas more secure, across platforms/compilers.
doas 6.1p1
* ported to illumos, added support for SmartOS and
OpenIndiana.
* Better pkgsrc integration.
doas is a port of OpenBSD's doas which runs on FreeBSD, Linux and
NetBSD.
The doas utility is a program originally written for OpenBSD which
allows a user to run a command as though they were another
user. Typically doas is used to allow non-privleged users to run
commands as though they were the root user. The doas program acts as
an alternative to sudo, which is a popular method in the Linux
community for granting admin access to specific users.
The doas program offers two benefits over sudo: its configuration file
has a simple syntax and it is smaller, requiring less effort to audit
the code. This makes it harder for both admins and coders to make
mistakes that potentially open security holes in the system.