Gentoo Forums
How many of you are using doas?sudo?what about root tty1?

Which one is your primary way to access root

doas: 25% [ 9 ]
sudo: 51% [ 18 ]
tty login root: 20% [ 7 ]
root disabled/single-user bootup: 2% [ 1 ]
Total Votes : 35

coalms
n00b

Joined: 28 Nov 2023
Posts: 21

Posted: Mon Dec 04, 2023 7:49 am    Post subject: How many of you are using doas?sudo?what about root tty1?

Honestly, do you prefer having programs like sudo and doas in your "daily driver"? Or do you just avoid the security escalation vulnerability of having a program such as this and just run tty1 root tmux/screen? If tty then have you thought about hardening your keyboard and xorg so programs cannot ctrl+alt+fX on an open root tty xorg emulating a tty to sniff your password?

PS I would have made this into a poll but no such option appears so I guess I do not have the permission to do so, if an admin sees this do poll it if possible

Edit: realised I should have posted this on gentoo chat sub-forum where I have both poll rights and thinking about it now imo is a more fitting place to post it, but at this point I made enough posts for today where deleting this and reposting it there would give me an error (too many posts), unless this is moved I'll repost tomorrow

    Moved the topic to "Gentoo Chat" subforum for you.
    You should be able to add poll now.
      -- Zucca

Thanks Zucca :D


Last edited by coalms on Tue Dec 05, 2023 12:43 am; edited 1 time in total
spica
Guru

Joined: 04 Jun 2021
Posts: 330

Posted: Mon Dec 04, 2023 10:02 am

Navigating complex discussions about borderline cases can be likened to a sausage stick:
one end has the exclusive "root user," while the other end lacks any root access.
The reality, much like the savory truth in this metaphor, lies nestled somewhere in the middle.
Zucca
Moderator

Joined: 14 Jun 2007
Posts: 3728
Location: Rasi, Finland

Posted: Mon Dec 04, 2023 10:31 am

I'm using doas, as I found its construction (code) quite simple. This in hopes that it's less prone to security flaws.
_________________
..: Zucca :..

My gentoo installs:
init=/sbin/openrc-init
-systemd -logind -elogind seatd

Quote:
I am NaN! I am a man!
lemon426
n00b

Joined: 29 Nov 2023
Posts: 34

Posted: Mon Dec 04, 2023 10:54 am

Hello!

For my part, I use sudo more often. But for some time now (well over a month now), I've been using doas. The fact that I can (partly) read the source code and understand it helps a lot. And in terms of optimization (although I'm sure it's not much), doas is really very small in size!
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54579
Location: 56N 3W

Posted: Mon Dec 04, 2023 11:21 am

coalms,

I use sudo but it's usually
Code:
sudo su -
to get root access for a string of commands.

Why?
fortune wrote:
It is fruitless to indoctrinate a superannuated canine with innovative maneuvers
and I'm one of those. :)
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Naib
Watchman

Joined: 21 May 2004
Posts: 6067
Location: Removed by Neddy

Posted: Mon Dec 04, 2023 11:23 am

I just use su - to get a root shell :(
_________________
Quote:
Removed by Chiitoo
rfx
Tux's lil' helper

Joined: 19 Apr 2023
Posts: 142
Location: de-by

Posted: Mon Dec 04, 2023 11:31 am

+1 sudo
NichtDerHans
Apprentice

Joined: 27 Jan 2023
Posts: 177

Posted: Mon Dec 04, 2023 11:36 am

Naib wrote:
I just use su - to get a root shell :(


+1
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 5132
Location: Bavaria

Posted: Mon Dec 04, 2023 12:09 pm

Naib wrote:
I just use su - to get a root shell :(


+1
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Hu
Administrator

Joined: 06 Mar 2007
Posts: 22698

Posted: Mon Dec 04, 2023 1:58 pm

I use a root login on a console for serious maintenance. I use my user in an xterm running /bin/su -l for routine root administration. Also, everything that can be run under setpriv --nnp is, so most of my shells cannot use /bin/su to elevate.
NeglectedRudderPug
n00b

Joined: 04 Oct 2023
Posts: 29

Posted: Mon Dec 04, 2023 3:57 pm

Personally, I just use the command:

Quote:
su -


From the GUI, and log directly in as root on tty where necessary.

I'm of the view sudo has its place when you're dealing with multiple users on larger systems where you must regulate and control root access. But on a local system with one user, it's just more convenient to use su, so I don't have to write sudo before each root command. (My root and local account passwords are different though. :oops:)
tld
Veteran

Joined: 09 Dec 2003
Posts: 1845

Posted: Mon Dec 04, 2023 4:43 pm

As many others here, I've never seen any need to do anything other than "su -". At one time I'm sure this is essentially all anyone running Linux used until Ubuntu started that whole trend with no root password, where sudo was the only option. Always disliked that whole idea.

Tom
spica
Guru

Joined: 04 Jun 2021
Posts: 330

Posted: Mon Dec 04, 2023 5:27 pm

Code:
sudo bash
I run sudo bash as the dash key is too distant for my pinky.
grknight
Retired Dev

Joined: 20 Feb 2015
Posts: 1927

Posted: Mon Dec 04, 2023 5:35 pm

spica wrote:
Code:
sudo bash
I run sudo bash as the dash key is too distant for my pinky.

This can get you in trouble with environment bleeding in from the user. This can be errors, or at worst, have a bad actor take control if the user is compromised.

It is best to use su - or sudo -i to prevent the environment issues.
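
Added example, not part of any post in this thread: a check to run inside a root shell to see whether user-controlled values came along, which is the concern grknight raises about sudo bash versus su - or sudo -i. The function name audit_env and the choice of checks (HOME and PATH) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). audit_env and its arguments are
# hypothetical names; checking HOME and PATH is this example's assumption.
# Usage: audit_env PATH_VALUE HOME_VALUE EXPECTED_HOME
# Prints one finding per line; prints nothing when the values look clean.
audit_env() (
    path_value=$1 home_value=$2 expected_home=$3

    # A root shell that kept the caller's HOME reads the caller's dotfiles.
    [ "$home_value" = "$expected_home" ] ||
        echo "HOME is $home_value, expected $expected_home"

    # Split PATH on ':' with globbing off. The body runs in a subshell, so
    # the caller's IFS and shell options are left untouched.
    IFS=:
    set -f
    for dir in $path_value; do
        case $dir in
            '') echo "PATH has an empty entry (means current directory)" ;;
            /*) # Absolute entry: flag it if group or others may write to it.
                if [ -d "$dir" ] &&
                   [ -n "$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
                    echo "PATH entry $dir is group- or world-writable"
                fi ;;
            *)  echo "PATH has a relative entry: $dir" ;;
        esac
    done
)

# Constructed sample values, as they might look after a non-login elevation.
audit_env "/usr/bin::bin" /home/alice /root

# In a real root shell: audit_env "$PATH" "$HOME" /root
```
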
Goverp
Advocate

Joined: 07 Mar 2007
Posts: 2181

Posted: Mon Dec 04, 2023 7:51 pm

Naib wrote:
I just use su - to get a root shell :(

+1
_________________
Greybeard
spica
Guru

Joined: 04 Jun 2021
Posts: 330

Posted: Mon Dec 04, 2023 8:56 pm

grknight wrote:
spica wrote:
Code:
sudo bash
I run sudo bash as the dash key is too distant for my pinky.

This can get you in trouble with environment bleeding in from the user. This can be errors, or at worst, have a bad actor take control if the user is compromised.

It is best to use su - or sudo -i to prevent the environment issues.


This is a good point, thanks!
CaptainBlood
Advocate

Joined: 24 Jan 2010
Posts: 3886

Posted: Mon Dec 04, 2023 9:51 pm

Naib wrote:
I just use su - to get a root shell :(

+1
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
Zucca
Moderator

Joined: 14 Jun 2007
Posts: 3728
Location: Rasi, Finland

Posted: Mon Dec 04, 2023 11:06 pm

Looks like I'm in the minority with doas. :o
_________________
..: Zucca :..

My gentoo installs:
init=/sbin/openrc-init
-systemd -logind -elogind seatd

Quote:
I am NaN! I am a man!
flexibeast
Guru

Joined: 04 Apr 2022
Posts: 465
Location: Naarm/Melbourne, Australia

Posted: Mon Dec 04, 2023 11:12 pm

'su -l' for me also, with the '-l' making sure i don't have a hybrid user+root environment that can create various issues. And, yeah, this is probably because i started using Linux long before Ubuntu's "sudo all the things" approach became widespread.

That said, what potential problems are there with using 'sudo' or 'doas' all the time instead of 'su'?
coalms
n00b

Joined: 28 Nov 2023
Posts: 21

Posted: Tue Dec 05, 2023 1:20 am    Post subject: Damn

To be honest I am baffled by the results up until this point, the points I have seen just up until now are simple, doas is an unofficial port and while some users see it as a vulnerability not having the right kernel access as the bsd og the compactness of code is
su -, sudo -i or any sudo variation is quite hardened spaghetti code which I would have originally thought the gentoo community would stay away from
tty is cumbersome to switch all the time and yet the most secure out of all to administer the system without booting to single-user or init=/bin/bash

personally on a daily driver it's tty for me and in case I have to leave my machine emerging while I am away from home i prefix my commands with a comma
Code:

,(){
   eval "$@ && exit || exit"
}

but that is because of my living environment anyhow

nevertheless I was secretly hoping that someone uses an obscure "new" command or something like "root passwd shell /root/mnt/rootusb/bin/bash, auto-mountable encrypted usb, tty12 on /root/mnt/rootusb/dev/tty12 and otherwise disabled unless mounted, root path points first to /mnt/rootusb/bin, usb unlocks only when the libra zodiac sign aligns with neptune and passes my blood test sample as original and fresh etc etc"
psycho
Guru

Joined: 22 Jun 2007
Posts: 542
Location: New Zealand

Posted: Tue Dec 05, 2023 2:08 am

Depends if we're counting running or just typing them. If I need root access for something unusual I'll type su in a terminal, but I have a few scripts that use sudo to start/stop services or whatever. So on a typical day I'm probably using sudo the most (but I'm not typing it, I'm doing GUI stuff that's using it in the background). Actually typing the instruction though, it's nearly always su.
flexibeast
Guru

Joined: 04 Apr 2022
Posts: 465
Location: Naarm/Melbourne, Australia

Posted: Tue Dec 05, 2023 3:05 am

@coalms:

Well, there are instances where i use (open)doas too. Here's a more complete picture:

* As part of starting up my GUI environment on my (Gentoo) laptop, a kitty terminal is opened, containing several tabs. One of those is a 'root' tab, with an 'su -l' session. Normally i'm in other tabs, but for tasks (or more likely, series of tasks) requiring root, i'll switch to the 'root' tab, switching back to other tabs when local root isn't necessary.

* i use opendoas on my laptop, but for specific tasks requiring different privileges (e.g. using Wireshark), not as a generic tool to do whatever i want as root.

* i use doas on my OpenBSD server, e.g. running a PHP admin script as the 'www' user.
Hu
Administrator

Joined: 06 Mar 2007
Posts: 22698

Posted: Tue Dec 05, 2023 3:08 am    Post subject: Re: Damn

I do not recall the state of the code or the configuration language for doas. I recall that the configuration language for sudo is rather unpleasant to work with, and suspect that many sites confer far more sudo privilege than is needed simply because assigning an exactly correct amount is too cumbersome in the grammar.
coalms wrote:
personally on a daily driver its tty for me and in case I have to leave my machine emerging while I am away from home i prefix my commands with a comma
Code:
,(){
   eval "$@ && exit || exit"
}
What is the point of this? If you want the shell to go away, just exec "$@". Using eval is usually wrong. Using CMD && exit || exit looks unnecessarily complex. If you do not want to exec, you could use ; exit instead of the && || combination.
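
Added example, not part of Hu's post or of coalms's code: the posted comma function next to the two alternatives Hu describes, run on constructed arguments to show what eval changes. count_args and the comma_* names are made up for the demonstration, and each body runs in a subshell so that exit does not end the demo.

```shell
#!/bin/sh
# Added example (not from the thread). count_args is a constructed stand-in
# for the real command (e.g. emerge); it prints how many arguments it got.
count_args() { echo "$#"; }

# Form posted in the thread: "$@" is pasted into a string and parsed again
# by eval, so spaces and shell metacharacters inside arguments become syntax.
# The ( ... ) body is a subshell, so exit only leaves the subshell here.
comma_eval() ( eval "$@ && exit || exit" )

# Hu's first suggestion: replace the shell with the command. Arguments pass
# through unchanged and there is no shell left to return to. exec needs an
# external program, so it is shown with printf rather than count_args.
comma_exec() ( exec "$@" )

# Hu's second suggestion: run the command, then exit whatever happened.
comma_run() ( "$@"; exit )

# Constructed inputs: a file name containing a space, and an argument that
# contains a command separator.
spaced='my file.txt'
tricky='x; echo PARSED-AS-CODE'

comma_eval count_args "$spaced"     # 2: one argument was split in two
comma_run  count_args "$spaced"     # 1
comma_eval count_args "$tricky"     # 1, then PARSED-AS-CODE on its own line
comma_run  count_args "$tricky"     # 1
comma_exec printf '[%s]\n' "$tricky"  # [x; echo PARSED-AS-CODE]
```
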
coalms
n00b

Joined: 28 Nov 2023
Posts: 21

Posted: Tue Dec 05, 2023 5:31 am    Post subject: Re: Damn

Hu wrote:
What is the point of this? If you want the shell to go away, just exec "$@". Using eval is usually wrong. Using CMD && exit || exit looks unnecessarily complex. If you do not want to exec, you could use ; exit instead of the && || combination.

That was a mistake I wrote this from memory, here is the correct one

Code:

trap 'exit' INT
eval "$@ && exit || exit " || exit


It is just excessive fail-safes, I do not have the leniency to stand around my portable device when emerging and for work and living environment related reasons/being around mischievous individuals having my device open is a reason to format and go again, I won't ever leave an xorg server open in these cases but rather use a tty, if I am using the device actively I'll just "emerge -xyz @world", if however I have to leave the presence of my device I run ", emerge -xyz @world", simply if emerge fails then exit, if emerge succeeds exit, if exit fails... exit, worst case scenario if there was a "cancel exit command" vulnerability someone could take advantage of by spamming ctrl+c or ctrl+z it would still exit because of trap

edit: as far as I remember i put the last || exit after the quotes to catch ctrl+z actions, thinking about it I could probably trap these as well, eh, food for thought
edit2: just checked online, trapping ctrl+z is more like ctrl+Zombies since the script will never die, dunno if it was why i did so with || exit or not


Last edited by coalms on Tue Dec 05, 2023 5:58 am; edited 3 times in total
coalms
n00b

Joined: 28 Nov 2023
Posts: 21

Posted: Tue Dec 05, 2023 5:49 am    Post subject: Re: Damn

Hu wrote:
I do not recall the state of the code or the configuration language for doas. I recall that the configuration language for sudo is rather unpleasant to work with, and suspect that many sites confer far more sudo privilege than is needed simply because assigning an exactly correct amount is too cumbersome in the grammar.


iirc doas is cumbersome to configure only on edge cases but very easy to deal with with normal staff, with automation scripts once I wanted to allow non-wheel users to execute a user owned script containing "doas /path/to/non/sticky/bit/root/script" apparently if you want to do so you couldn't use "doas name-of-non-sticky-bit-root-script-without-whole-path-even-if-its-the-first-file-on-path.sh" and you have to allow rights to the user or group to execute that exact path on doas.conf, it's very cut and dry since as far as I understood from that interaction it doesn't check the path before executing doas, it just passes $@ to doas as it is and compares to doas.conf, sudo on the other hand has so many options that I just avoid using it completely, especially when using GitHub scripts I go by interpreting the intended purpose based on the man page and do it by hand, I am probably the most backwards person in this poll tbh and that is why I started it, wanna see what's up with your interactions, but then again just like you said sites give more sudo privileges than they need to so I tend to be safe