Commit Graph

10 Commits

Author SHA1 Message Date
Erik Arvstedt
781ab443c2
nixos/doas: fix recursive calls to doas
Previously, for processes launched by doas the unwrapped doas binary preceded the
setuid-wrapped doas binary in PATH.

This caused error `doas: not installed setuid` when running doas from
processes launched by doas.

doas seems to short-circuit the PATH lookup when called like
`doas -u myuser doas -u myuser ...` so the error doesn't appear in this case.
2021-08-12 14:40:22 +02:00
Cole Helbling
408b107b0c
doas: don't configure pamdir
In the future, doas won't ship PAM files (see cfa9f0d3b3),
and we already configure PAM in the doas module. Configuring the pamdir
serves no purpose.
2021-02-04 11:19:56 -08:00
Cole Helbling
5a1c008bae
doas: 6.8 -> 6.8.1
Most notably, addresses CVE-2019-25016.

https://github.com/Duncaen/OpenDoas/releases/tag/v6.8.1

https://github.com/Duncaen/OpenDoas/compare/v6.8...v6.8.1
2021-01-28 16:02:50 -08:00
Cole Helbling
caad9aba5a
doas: 6.6.1 -> 6.8
https://github.com/duncaen/opendoas/compare/v6.6.1...v6.8
2020-11-14 19:14:54 -08:00
Dmitry Bogatov
99de53b79b
doas: add enablePAM option
New option "withPAM" controls whether to build support for pluggable
authentication modules. Default value is "true", which corresponds to
existing behaviour. Furthermore, with default configuration, this change
does not cause a rebuild.
2020-10-08 23:20:37 -04:00
Cole Helbling
82f897333a
doas: add NixOS binary dirs to safe PATH
I recently tried to give myself passwordless `doas` for `virsh` commands
(starting, stopping, and editing VMs), but `doas` was complaining that
it didn't know what `virsh` was.

This patch adds `/run/current-system/sw/{s,}bin` and `/run/wrappers/bin`
to the safe path, allowing system binaries to be discovered and executed
properly.
2020-05-27 08:11:30 -07:00
Cole Helbling
0f8e972f01
doas: enable timestamp by default and set pamdir
* `--with-timestamp` enables the usage of the `persist` setting in
`doas.conf`. It is possible some people might not want this, so the flag
`withTimestamp` was added to control this.
* `--pamdir` copies the PAM files to `$out/etc/pam.d`. This may or may
not have a use in the future, but it removes some errors from the
build (when it tries to copy these files to /etc/pam.d).
2020-05-17 11:42:50 -07:00
Cole Helbling
cf9a8bcc99
doas: 6.0 -> 6.6.1
https://github.com/Duncaen/OpenDoas/compare/v6.0...v6.6.1

There is a decent chunk of changes in there. I'm mostly interested in
5debef098b7ebba67da5db9fbb020a7cd0f90a7f, which fixes the parsing of
/proc/$pid/stat that is used to implement timestamping.
2020-05-02 11:31:44 +01:00
volth
46420bbaa3
treewide: name -> pname (easy cases) (#66585)
treewide replacement of

stdenv.mkDerivation rec {
  name = "*-${version}";
  version = "*";

to pname
2019-08-15 13:41:18 +01:00
Charles Strahan
4ca7f46863
doas: init at 6.0
Portable version of the OpenBSD `doas` command.
2017-11-07 16:34:50 -05:00