Uplift Privileges on FreeBSD

Here is a tinier version!
Code:
$ cat imp.c # imp for impersonate
#include <stdio.h>
#include <unistd.h>
/* Two-level macro so the numeric UID passed in with -DUID=... is stringified for the message. */
#define _s(x)   #x
#define s(x)    _s(x)
int main(int c, char**v) {
    char* e = 0;
    if (c < 2) e = "Usage: imp cmd [args]";
    /* The setuid bit must have taken effect: effective uid is root. */
    else if (geteuid() != 0) e = "imp: set euid on imp";
    /* Only root or the single uid compiled in may use the wrapper. */
    else if (getuid() != 0 && getuid() != UID) e = "imp: uid not 0 or "s(UID);
    /* Make the real uid root as well; (uid_t)-1 leaves the effective uid unchanged. */
    else if (setreuid(0, -1) != 0) e = "imp: setreuid failed";
    /* execvp only returns on failure; note it searches the caller's own PATH. */
    else if (execvp(v[1], v+1) != 0) e = "imp: execvp failed";
    fprintf(stderr, "%s\n", e);
    return 1;
}
$ cc -Wall -DUID=`id -u` -O3 -o imp imp.c
$ size imp
   text    data     bss     dec     hex filename
   1629     448    1416    3493     da5 a.out
$ sudo sh -c "chown 0:0 imp; chmod 4755 imp"
$ ls -l imp
-rwsr-xr-x  1 root wheel 6144 Mar  1 09:37:18 2026 imp
$ ./imp id -u
0
 
I'll have to take a look at mdo. I personally don't really like these tools; I've just had them on too many systems where they use the same password as the user, aren't restricted to any specific tasks, and remain active for a period afterwards.

But life marches on; I hadn't heard about mdo before and I'll have to look into it. It's nice to use groups and permissions, but it's also nice to be able to drop them quickly after completing whatever.
 
I am surprised at mdo, and that I hadn't come across it before this article. Being built in is certainly preferable to a 3rd-party program. I've set up doas before, primarily for working with bhyve VMs. This will be fun to learn!
 
mer: doas is from OpenBSD. FreeBSD has it, but the persist feature doesn't work, so you have to type your password every time. There is, however, opendoas, which honors the persist feature in /usr/local/etc/doas.conf, so if you type a password it will stay in effect for a few minutes.
 
Interesting. I've got doas-6.3p13 installed on a 15-release system and have not had to type in a password. But that is likely due to my config (single-user systems at home) having "nopass" for my user.

Yes, I know, not ideal, but as I said, single-user systems at home.
 
I have a single-user system too, and doas. I started to use mdo and I like it.
 
mdo looks nice, but I hesitate using it as a replacement for sudo/doas because it does not prompt for credentials. What happens if we execute a program as our user, and it attempts to call mdo?
 
I'm finding certain things don't work correctly with it. Trivial things, for instance a script that goes sudo something, sudo alsothis; if I change it to mdo -i something alsothis, it won't start to do the script till I exit. I'm also finding a few things act differently with doas (using opendoas, the one that allows the persist option). Neither of these are complaints, or asking for help, just a mention that neither seems to be a drop-in replacement.

That being said, either one can be used for 99% of what I do.
 
I didn't find any problem. Whatever I use doas for works the same with mdo.
 
How to use mdo(1) in scripts:

Code:
% cat /var/log/auth.log           
cat: /var/log/auth.log: Permission denied

% mdo -i cat /var/log/auth.log | tail -3
Mar  4 16:04:00 f25 doas[23632]: vermaden ran command sysctl dev.acpi_ibm.0.fan_level=2 as root from /home/vermaden
Mar  4 16:05:00 f25 doas[57707]: vermaden ran command sysctl dev.acpi_ibm.0.fan=0 as root from /home/vermaden
Mar  4 16:05:00 f25 doas[64090]: vermaden ran command sysctl dev.acpi_ibm.0.fan_level=0 as root from /home/vermaden
 