
Doas mastery - ingve
http://www.tedunangst.com/flak/post/doas-mastery
======
jacobvosmaer
I just locked myself out of an OpenBSD 6.0 box by putting the 'persist'
keyword in doas.conf.

doas: syntax error at line 1

The word 'persist' does not occur in 'man doas.conf', so maybe this feature is
so new it is not in OpenBSD 6.0? Watch out before you try it out yourself.

~~~
gbrown_
This option only got added recently. I think it would have been better if
this were pointed out in the post. But, trying not to sound too snide, there's
something to be said for checking the man page before copying config off the
internet.

~~~
jacobvosmaer
Sure, it was my mistake on two counts (not keeping a root session AND blindly
changing the config). That does not necessarily mean I am alone in making that
mistake so I thought I would try to warn others.
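
(Added example, not part of the thread: one way to avoid the lockout described above is to let the installed doas parse a candidate file with its -C flag before the file replaces /etc/doas.conf. The function name and the DOAS_BIN variable are assumptions made for this sketch.)

```sh
#!/bin/sh
# Added example: refuse to install a doas.conf that the local doas binary
# cannot parse. DOAS_BIN and install_doas_conf are hypothetical names.
DOAS_BIN="${DOAS_BIN:-doas}"

# install_doas_conf CANDIDATE [TARGET]
# Returns 0 if installed, 1 if the parser rejected it, 2 on other errors.
install_doas_conf() {
    candidate=$1
    target=${2:-/etc/doas.conf}

    [ -r "$candidate" ] || { echo "cannot read $candidate" >&2; return 2; }

    # doas -C parses the given file and exits; a syntax error (for example a
    # keyword this release does not know) gives a non-zero status.
    if ! err=$("$DOAS_BIN" -C "$candidate" 2>&1); then
        echo "rejected, $target left untouched: $err" >&2
        return 1
    fi

    # Stage next to the target so the final mv is a rename on one filesystem.
    tmp="$target.new.$$"
    cp "$candidate" "$tmp" || return 2
    # doas refuses a config that group or others can write; 0600 is safe.
    chmod 0600 "$tmp" || { rm -f "$tmp"; return 2; }

    # Keep the previous file so a still-open root shell can roll back.
    if [ -f "$target" ]; then
        cp -p "$target" "$target.bak" || { rm -f "$tmp"; return 2; }
    fi
    mv -f "$tmp" "$target" || { rm -f "$tmp"; return 2; }
}
```

Run it as root from a session you keep open, for example `install_doas_conf ./doas.conf.new`, and confirm `doas true` works in a second terminal before closing that session.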

------
daptaq
Hope the portable OpenDoas version will implement this feature soon. I'm
slowly replacing parts of my Void Linux server with more and more OpenBSD
utilities, and have probably already added enough that RMS would consider
giving the system its own name.

~~~
notaplumber
There are no official portable versions, and any of the current unofficial
versions include their own PAM implementations (OpenBSD doesn't use PAM).

Now that OpenBSD doas(1) uses kernel-assisted features, i.e. 'persist' is
implemented as tty ioctls, the likelihood of those landing on other systems
is remote.

------
slasaus
Really love the new persist option. It makes `doas su -` less compelling when
you have to run multiple commands and use a complicated password.

~~~
Athas
I find the implementation very compelling too - it uses kernel support. That
really simplifies an otherwise very complicated and security-sensitive code
path.

------
faho
What I don't understand about doas: Why does it keep some variables by
default, and why does that include $USER and $HOME?

------
snvzz
keepenv was removed in the doas from OpenBSD 6.0.

I expected better from an article that's been published after the 6.0 release.

------
micro_softy
They've added doas to the ramdisk.

Naive Q: Is doas any better than envgiduid and envdir? And if so, how?

~~~
micro_softy
s/envgiduid/envuidgid/

