Solved DOAS_USER environment variable

While DOAS_USER is not documented in doas(1) it is in the original OpenBSD man page (https://man.openbsd.org/doas) as:

DOAS_USER is set to the name of the user executing doas.

I did some testing and it turns out FreeBSD's port also sets this environment variable. Not to the user running doas, though, but to the user the command is being executed with, which is somewhat pointless in my opinion. Posts like https://old.reddit.com/r/voidlinux/comments/e7iu29/help_doas_specify_home_for_command/fa3gbjn/ also seem to suggest that the expected value of DOAS_USER is the calling user's name, not the resulting user's.

My doas.conf file looks like this:

permit nopass myuser as root cmd /usr/local/lib/some/script

Using the account myuser to run doas /usr/local/lib/some/script results in DOAS_USER having the value of root. Omitting as root in doas.conf or adding -u root to the doas command does not change this behavior. Is this expected, am I missing something obvious here, or is this a bug?

Edit: Using a group name in doas.conf instead of the username also does not change the behavior.
 
After checking the source I am pretty sure it's a bug. doas uses getpwuid(3) to get usernames from ids and expects the returned buffer to stay valid even while it does more calls to getpwuid(3) (to get information on the target user). From my test it seems that getpwuid(3) always reuses the same buffer, so the second call overwrites the information retrieved by the first one, resulting in information on the target user being stored where doas expects the information on the calling user to be.

I guess I'll have to file a bug report sooner or later. Given I need to register with GitHub first, it will probably be rather later though.

Edit: It's already fixed in the latest sources.
 