doas is a utility created by Ted Unagst (an OpenBSD developer) that aimed to replace sudo for most ordinary use cases. He explained why he wrote doas in a blog post: doas - dedicated openbsd application subexecutor.
The gist is that sudo is hard to configure and does a lot more then the standard user needs.
doas was created in order to replace sudo for regular folks like me and you.
However, doas only targets OpenBSD, and lacked features that I felt were missing from it and sudo as well.
Furthermore, all ports I looked at weren't production ready & poorly written.
Instead of creating my own port, I decided to re-write doas and create a new version that fixes the issues I care about.
-
Secure. Users must not be able to abuse the utility, and it should protect users from making stupid mistakes.
-
Easy. The utility should be easy to audit, to maintain, to extend, and to contribute to.
-
Friendly. Rule creation should be straightforward. Rules should be easy to understand and easy to debug.
-
Powerful. Rules should be short, concise, and allow fine-grained control.
-
Feature Parity. This project should have complete feature parity with the original utility.
To achieve these goals, the following design decisions were made:
- The whole project was implemented in modern C++
- Explicit is better then implicit (for instance, rule commands must be absolute paths)
- Prefer using the standard library when possible - for the sake of security and maintainability.
- Commands are globs, which allows the same rule to be used for many executables.
- Arguments are PCRE-compliant regular expressions, which allows the creation of fine-grained rules.
pre-compiled .deb and .rpm packages are uploaded on each release.
The project is currently available in a Copr:
$ sudo dnf copr enable odedlaz/suex
$ sudo dnf install -y suexYou can also build it from source:
$ git clone https://github.com/odedlaz/suex.git
$ sudo dnf install -y cmake pam-devel elfutils-devel rubygem-ronn gcc-c++
$ mkdir -p suex/build && cd suex/build && cmake .. && cd ..The project has a pre-compiled deb available at the release page.
You can also build it from source:
$ git clone https://github.com/odedlaz/suex.git
$ sudo apt install -y cmake libpam-dev libdw-dev ruby-ronn g++ rpm
$ mkdir -p suex/build && cd suex/build && cmake .. && cd ..[!] A PPA is coming soon.
[!] coming s 6255 oon...
The project is in beta and will be until it reaches the 1.0 milestone.
I don't expect any major features to be added until then.
In order to reach 1.0 the project must:
- get a good-enough unit & system test coverage.
- pass a professional security audit.
- have a continuous test & integration pipeline.
- be available on major client distributions, i.e: Ubuntu, Fedora, Arch
- have both an faq & examples page that have enough quality content in them
The main author is Oded Lazar
I gladly accept contributions via GitHub pull requests.
If you are interested in contributing but not sure where to start, feel free to contact me.
Once I feel this method is not effective anymore, I'll probably open a slack / irc channel.