I just recently decided to migrate to opendoas.
I am using doas in my scripts to elevate privileges; the problem is that the doas bit is kicked off in each sub-process, so it appears persist does nothing.
Aside from executing an arbitrary command with doas in the main process, is there some other way I can persist my privileges? I don't recall having this issue with sudo, but by the same token, different processes certainly required sudo credentials to be entered, so I'm not entirely sure how that worked.
I suppose what I'm looking for then is similar to the way gpg / pass works. If I unlock my password store in one terminal and then use another tab or even a remote computer to get another secret, I don't need to enter my credentials again. I suppose this can be a security risk. I think the system should behave consistently across the board; otherwise, the added security of one tool is wiped away by the security holes of another. While admin privileges on the system aren't identical to someone gaining my secrets, I think they could be just as damaging.
In that instance, I would be logged in to my machine and unlock my password store. For an attacker to steal my passwords, he or she would need to also be logged in to my machine and, with my password manager unlocked, merely request passwords.
So, perhaps getting to the point:
1. What is the best approach to being prompted just once for doas if I spawn sub-processes?
2. Though doas has been around for quite a few years, sudo has been around since 1986 and is maintained by OpenBSD. It can't be all that bad and even sudo is available on Apple. Perhaps my best bet is just to revert back to sudo until doas extends the persist feature?
EDIT: I tested my earlier statement after thinking that it might work, but it doesn't. I tried invoking an arbitrary command via doas so that child processes wouldn't need to authenticate, but that did not work.
So, I think I'm back to using sudo. I will just make sure my configuration is correct.