From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 256233] security/doas: target user's login class gets ignored
Date: Sun, 06 Jun 2021 18:36:35 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256233

--- Comment #26 from bugs.freebsd@scourger.nl ---

Ok, maybe it's considered intended behaviour and not a bug. But it would be nice if this is mentioned in the manual page somehow, because the current description of -S doesn't make this clear at all. I think many people would expect it to be similar to "su -", when in fact it isn't. Right now I'm really at a loss of what the -S is supposed to do, and in what ways it is intended to be different from -s.

So I did a few more tests hoping to wrap my head around it. Until now, I've mostly been testing without the keepenv setting. However, when keepenv is defined in doas.conf, things get weird. Observe the difference in behaviour without and with keepenv:

    permit nopass alice as bob

In this case, "doas -u bob -S" resets all environment variables, and you end up with a very minimal environment.

    permit nopass keepenv alice as bob

With keepenv defined, "doas -u bob -S" actually results in a shell with all environment variables set according to bob's (!!!) login class. This includes the language! It also includes variables from the "setenv" line in login.conf. With keepenv, doas -S is exactly doing what I always expected it to do when keepenv is NOT set! What's happening here?

Regarding original design and consistency between platforms, I'd like to mention that upstream (doas on OpenBSD) doesn't even have the -S flag at all. Maybe there's a good reason they never included it.

-- 
You are receiving this mail because:
You are the assignee for the bug.
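An added check for the behaviour the comment above describes (example code written for this page, not part of doas or FreeBSD): it parses a login.conf-style class file, collects the variables that a class's setenv= and lang= entries should place in the environment (following tc= inheritance), and reports which of them a given environment lacks, so it can be run from the shell that "doas -u bob -S" produces to see whether bob's login class was applied. The sample login.conf content and the class names in it are constructed.

```python
# Added example for this bug thread, not doas or FreeBSD code: read a
# login.conf-style file and report which class variables a shell lacks.
import os
import re

# Constructed sample in login.conf(5) capability syntax (not from the report).
SAMPLE_LOGIN_CONF = r"""
default:\
        :passwd_format=sha512:\
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
        :lang=en_US.UTF-8:
staff:\
        :setenv=MAIL=/var/mail/$,EDITOR=vim,PAGER=less:\
        :tc=default:
"""

def parse_login_conf(text):
    """Return {class_name: {capability: value}}, folding backslash continuations."""
    records = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        fields = [f for f in line.strip().split(":") if f]
        if not fields or fields[0].startswith("#"):
            continue
        caps = dict(f.partition("=")[::2] for f in fields[1:])
        for name in fields[0].split("|"):  # one record may carry several names
            records[name] = caps
    return records

def class_env(records, cls):
    """Variables set via setenv= and lang=, following tc=; most specific class wins."""
    env, seen = {}, set()
    while cls and cls not in seen:  # 'seen' guards against tc= loops
        seen.add(cls)
        caps = records.get(cls, {})
        for item in filter(None, caps.get("setenv", "").split(",")):
            key, _, value = item.partition("=")
            env.setdefault(key, value)
        if "lang" in caps:  # lang= becomes $LANG, the variable the report noticed
            env.setdefault("LANG", caps["lang"])
        cls = caps.get("tc")
    return env

def missing_from_env(expected, environ):
    """Names the class should have set that are absent from `environ`."""
    return sorted(k for k in expected if k not in environ)

if __name__ == "__main__":  # run it inside the shell doas gives you
    want = class_env(parse_login_conf(SAMPLE_LOGIN_CONF), "staff")
    print("missing from this shell:", missing_from_env(want, os.environ))
```

To check a real system, replace SAMPLE_LOGIN_CONF with the contents of /etc/login.conf and "staff" with the target user's class; an empty result means every class-defined variable is present in the current shell.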