Date: Wed, 17 Sep 2025 19:34:21 GMT
Message-Id: <202509171934.58HJYLfV014199@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Baptiste Daroussin
Subject: git: 24e5700d4707 - stable/15 - nuageinit: Add doas support
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: bapt
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 24e5700d470718f5c729cc69a62d67bd1ca8a8f4

The branch stable/15 has been updated by bapt:

URL: https://cgit.FreeBSD.org/src/commit/?id=24e5700d470718f5c729cc69a62d67bd1ca8a8f4

commit 24e5700d470718f5c729cc69a62d67bd1ca8a8f4
Author:     Jesús Daniel Colmenares Oviedo
AuthorDate: 2025-09-11 16:54:24 +0000
Commit:     Baptiste Daroussin
CommitDate: 2025-09-17 19:33:57 +0000

    nuageinit: Add doas support

    * Set mode of etc directory to 0755.
    * Use user.localbase sysctl instead of /usr/local.
    * Add test case for doas.
    * Set ${LOCALBASE} instead of /usr/local in nuageinit(7) man page.

    Reviewed by:    bapt@
    Approved by:    bapt@
    Differential Revision: https://reviews.freebsd.org/D52437

    (cherry picked from commit 9a829e865697e623a046800545be7781a117125e)
---
 libexec/nuageinit/nuage.lua          | 62 +++++++++++++++++++++++++++++++++++-
 libexec/nuageinit/nuageinit          |  3 ++
 libexec/nuageinit/nuageinit.7        |  9 +++++-
 libexec/nuageinit/tests/nuageinit.sh | 12 ++++++-
 4 files changed, 83 insertions(+), 3 deletions(-)

diff --git a/libexec/nuageinit/nuage.lua b/libexec/nuageinit/nuage.lua
index b042698f97e7..ef3cfd994fe1 100644
--- a/libexec/nuageinit/nuage.lua
+++ b/libexec/nuageinit/nuage.lua
@@ -8,6 +8,17 @@ local unistd = require("posix.unistd") local sys_stat = require("posix.sys.stat") local lfs = require("lfs") +local function getlocalbase() + local f = io.popen("sysctl -in user.localbase 2> /dev/null") + local localbase = f:read("*l") + f:close() + if localbase == nil or localbase:len() == 0 then + -- fallback + localbase = "/usr/local" + end + return localbase +end + local function decode_base64(input) local b = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' input = string.gsub(input, '[^'..b..'=]', '') 
@@ -277,11 +288,59 @@ local function addsshkey(homedir, key) end end +local function adddoas(pwd) + local chmodetcdir = false + local chmoddoasconf = false + local root = os.getenv("NUAGE_FAKE_ROOTDIR") + local localbase = getlocalbase() + local etcdir = localbase .. "/etc" + if root then + etcdir= root .. etcdir + end + local doasconf = etcdir .. "/doas.conf" + local doasconf_attr = lfs.attributes(doasconf) + if doasconf_attr == nil then + chmoddoasconf = true + local dirattrs = lfs.attributes(etcdir) + if dirattrs == nil then + local r, err = mkdir_p(etcdir) + if not r then + return nil, err .. " (creating " .. etcdir .. ")" + end + chmodetcdir = true + end + end + local f = io.open(doasconf, "a") + if not f then + warnmsg("impossible to open " .. doasconf) + return + end + if type(pwd.doas) == "string" then + local rule = pwd.doas + rule = rule:gsub("%%u", pwd.name) + f:write(rule .. "\n") + elseif type(pwd.doas) == "table" then + for _, str in ipairs(pwd.doas) do + local rule = str + rule = rule:gsub("%%u", pwd.name) + f:write(rule .. "\n") + end + end + f:close() + if chmoddoasconf then + chmod(doasconf, "0640") + end + if chmodetcdir then + chmod(etcdir, "0755") + end +end + local function addsudo(pwd) local chmodsudoersd = false local chmodsudoers = false local root = os.getenv("NUAGE_FAKE_ROOTDIR") - local sudoers_dir = "/usr/local/etc/sudoers.d" + local localbase = getlocalbase() + local sudoers_dir = localbase .. "/etc/sudoers.d" if root then sudoers_dir= root .. sudoers_dir end @@ -585,6 +644,7 @@ local n = { update_packages = update_packages, upgrade_packages = upgrade_packages, addsudo = addsudo, + adddoas = adddoas, addfile = addfile } diff --git a/libexec/nuageinit/nuageinit b/libexec/nuageinit/nuageinit index 5541f6d0f164..29340a3d91ea 100755 --- a/libexec/nuageinit/nuageinit +++ b/libexec/nuageinit/nuageinit 
@@ -140,6 +140,9 @@ local function users(obj) if u.sudo then nuage.addsudo(u) end + if u.doas then + nuage.adddoas(u) + end else nuage.warn("invalid type : " .. type(u) .. " for users entry number " .. n) end diff --git a/libexec/nuageinit/nuageinit.7 b/libexec/nuageinit/nuageinit.7 index e5da5cf342e1..b527c984970c 100644 --- a/libexec/nuageinit/nuageinit.7 +++ b/libexec/nuageinit/nuageinit.7 @@ -308,7 +308,14 @@ Ignored if an encrypted password is already provided. Boolean to determine if the user account should be locked. .It Ic sudo A string or an array of strings which should be appended to -.Pa /usr/local/etc/sudoers.d/90-nuageinit-users +.Pa ${LOCALBASE}/etc/sudoers.d/90-nuageinit-users +.It Ic doas +A string or an array of strings which should be appended to +.Pa ${LOCALBASE}/etc/doas.conf +.Pp +Instead of hardcoding the username, you can use +.Sy %u Ns , +which will be replaced by the current username. .El .Pp A special case exist: if the entry is a simple string with the value diff --git a/libexec/nuageinit/tests/nuageinit.sh b/libexec/nuageinit/tests/nuageinit.sh index 619df019cc4f..2b7c5226c97a 100644 --- a/libexec/nuageinit/tests/nuageinit.sh +++ b/libexec/nuageinit/tests/nuageinit.sh @@ -120,12 +120,16 @@ users: gecos: Foo B. Bar primary_group: foobar sudo: ALL=(ALL) NOPASSWD:ALL + doas: permit persist %u as root groups: users passwd: $6$j212wezy$7H/1LT4f9/N3wpgNunhsIqtMj62OKiS3nyNwuizouQc3u7MbYCarYeAHWYPYb2FT.lbioDm2RrkJPb9BZMN1O/ - name: bla sudo: - "ALL=(ALL) NOPASSWD:/usr/sbin/pw" - "ALL=(ALL) ALL" + doas: + - "deny %u as foobar" + - "permit persist %u as root cmd whoami" EOF atf_check /usr/libexec/nuageinit "${PWD}"/media/nuageinit nocloud atf_check /usr/libexec/nuageinit "${PWD}"/media/nuageinit postnet 
@@ -148,7 +152,13 @@ EOF sed -i "" "s/freebsd:.*:1001/freebsd:freebsd:1001/" "${PWD}"/etc/master.passwd atf_check -o file:expectedpasswd cat "${PWD}"/etc/master.passwd atf_check -o file:expectedgroup cat "${PWD}"/etc/group - atf_check -o inline:"foobar ALL=(ALL) NOPASSWD:ALL\nbla ALL=(ALL) NOPASSWD:/usr/sbin/pw\nbla ALL=(ALL) ALL\n" cat ${PWD}/usr/local/etc/sudoers.d/90-nuageinit-users + localbase=`sysctl -ni user.localbase 2> /dev/null` + if [ -z "${localbase}" ]; then + # fallback + localbase="/usr/local" + fi + atf_check -o inline:"foobar ALL=(ALL) NOPASSWD:ALL\nbla ALL=(ALL) NOPASSWD:/usr/sbin/pw\nbla ALL=(ALL) ALL\n" cat "${PWD}/${localbase}/etc/sudoers.d/90-nuageinit-users" + atf_check -o inline:"permit persist foobar as root\ndeny bla as foobar\npermit persist bla as root cmd whoami\n" cat "${PWD}/${localbase}/etc/doas.conf" } nocloud_network_head()
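Review bot: in the new getlocalbase() in nuage.lua, io.popen is assumed to succeed, but it returns nil plus an error message when the pipe cannot be created (fork failure), and the following `f:read("*l")` would then raise instead of taking the /usr/local fallback. Check the handle first (`if not f then return "/usr/local" end`). Two smaller points: this code runs as root during early boot, so invoke `/sbin/sysctl` by absolute path rather than relying on PATH, and cache the result, since the function is now called once per user from both addsudo() and adddoas() and spawns a process each time.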
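Review bot: in adddoas() the rule text taken from the user data is appended to doas.conf verbatim, with only `%u` substituted, so a single malformed rule breaks doas for every user on the host, because doas refuses to run when its configuration does not parse. Validate the file after writing where doas is present (`doas -C` on the written path), or at least warn on a rule that does not begin with `permit` or `deny`. Also note that, unlike the sudo path which owns a dedicated sudoers.d/90-nuageinit-users file, this appends to the shared doas.conf, so rules are duplicated if provisioning runs again. Two nits in the same hunk: `rule:gsub("%%u", pwd.name)` passes the user name as a gsub replacement string, in which `%` is special, so escape it (`pwd.name:gsub("%%", "%%%%")`) or use a function replacement; and the function returns `nil, err` when mkdir_p fails but a bare `return` when io.open fails, so callers cannot distinguish the two.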
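Review bot: in the users() hunk in nuageinit, the return value of `nuage.adddoas(u)` is discarded, so the `nil, err` it returns when the etc directory cannot be created is never reported; the `nuage.addsudo(u)` call just above has the same problem. Capture it (`local r, err = nuage.adddoas(u)`) and emit `nuage.warn(err)` so a failed privilege grant shows up in the boot log rather than silently leaving the user without the requested rule.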
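Review bot: the new `doas` entry in nuageinit.7 should state that the rules are appended after whatever doas.conf already contains (in doas the last matching rule wins, so the appended rules take precedence over existing ones), that the rules are written without any syntax check, and that this option does not install doas itself, which must already be present on the image or be installed separately. The `.Pp` inside the `.Bl -tag` item is fine, but the `%u` sentence should make clear the substitution applies to the doas rules only, since the sudo entry directly above offers no such placeholder.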
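Review bot: the doas checks added to nuageinit.sh only exercise the path where doas.conf does not exist yet, and because addsudo() runs first and already creates `${localbase}/etc` via mkdir_p, the new chmodetcdir branch in adddoas() is never hit either. Add a case where `${PWD}/${localbase}/etc/doas.conf` is pre-seeded with a rule before running nuageinit and check that the rule survives with the new ones appended after it, and verify the modes the code sets, for example `atf_check -o inline:"640\n" stat -f %OLp "${PWD}/${localbase}/etc/doas.conf"`. The localbase fallback is also now duplicated between this test (`sysctl -ni user.localbase`) and getlocalbase() in nuage.lua; factor the shell version into a helper so later tests do not copy it a third time.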