Solved How to allow users to issue sudo command and be root and skip asking for password when sudo command is issued.

Would be interesting if we can execute bhyve as normal user using devfs.rules. Because doas/sudo does not work. Something like this, can work?

Code:
nano /etc/devfs.rules

add path 'vm*' mode 0666 group operator
 
Solution seems to be :

Code:
permit nopass marietto as root cmd bhyve

Does this work for you?

Code:
# permit user
permit keepenv :marietto

# bhyve
permit nopass marietto cmd bhyve

# root as root
permit nopass keepenv root as root

You need root as root at the bottom of the doas.conf.
The order of the rules matters.
 
To do :

Code:
permit keepenv :marietto
permit nopass keepenv root as root

it does not mean to have found the solution for this problem. That's because I'm trying to run some selected applications only as root and/or without using the password. Your solution extends it to an unlimited number of applications. And that's not good. I really hoped that :

Code:
permit nopass marietto as root cmd bhyve

would work, but it doesn't.
 
I keep the bhyve scripts in /bhyve and I've added the path /bhyve to /home/marietto/.zshrc and on /root/.zshrc like this :

Code:
# sudo nano /home/marietto/.zshrc

export PATH=/bhyve:$PATH
# zsh autocompletion for sudo and doas
zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve


and in /root/.zshrc :

Code:
# sudo nano /root/.zshrc

export PATH=/bhyve:$PATH
# zsh autocompletion for sudo and doas
zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve

with :

Code:
nano /usr/local/etc/doas.conf :

permit nopass :wheel as root cmd bhyve-win
permit nopass :wheel as root cmd bhyve-lin
permit nopass :wheel as root cmd 12-Win-11-vm12

but when I try to run the vm like this :

Code:
[marietto@marietto /bhyve]==> doas 10-Debian-Now_wine-tkg-vm10

it says :

Code:
doas: 10-Debian-Now_wine-tkg-vm10: command not found

even if /bhyve is in $PATH :

Code:
[marietto@marietto /bhyve]==> echo $PATH              
/bhyve:/home/marietto/bin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin

and it is also on :

Code:
zstyle ":completion:*:(sudo|su|doas):*" command-path

Why? If I keep the bhyve scripts in /usr/sbin, it works. But I want to keep the bhyve scripts in /bhyve.

Instead :

Code:
nano /usr/local/etc/doas.conf :


permit nopass :wheel as root cmd bhyve-win
permit nopass :wheel as root cmd bhyve-lin
permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12



[marietto@marietto /bhyve]==> doas 12-Win-11-vm12
doas: Operation not permitted
 
I had an illumination and I found how it works :

Code:
[marietto@marietto /bhyve]==> doas /bhyve/12-Win-11-vm12

I think that maybe there is some kind of issue/bug with how PATH interacts with doas.
 
And finally, the solution that works :

Code:
# permit :wheel
# permit nopass keepenv marietto
# permit nopass keepenv root as root

permit nopass marietto cmd qemu-system-x86_64-debian_fs
permit nopass marietto cmd qemu-system-x86_64_debian_now
permit nopass marietto cmd qemu-system-x86_64_debian_proxy
permit nopass marietto cmd qemu-system-x86_64_debian_warp
permit nopass marietto cmd qemu-system-x86_64-debian_tuxler
permit nopass marietto cmd zpool
permit nopass marietto cmd mount
permit nopass marietto cmd fsck

permit nopass marietto as root cmd /usr/sbin/bhyve-win
permit nopass marietto as root cmd /usr/sbin/bhyve-lin
permit nopass marietto as root cmd /bhyve/12-Win-11-vm12
permit nopass marietto as root cmd /bhyve/01-Ubuntu-2310-vm1
permit nopass marietto as root cmd /bhyve/10-Debian-Now_wine-tkg-vm10
permit nopass marietto as root cmd /bhyve/02-Ubuntu-2310-vm2-hidden

The virtual machine should be launched using this form :

Code:
[marietto@marietto /bhyve]==> doas /bhyve/10-Debian-Now_wine-tkg-vm10

Without adding /bhyve, it will not work.
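
doas.conf(5) advises absolute paths for `cmd`: a bare name is looked up only in doas's own restricted PATH, not the caller's `$PATH`, and a `nopass ... as root` rule is only as safe as the file it names. The following POSIX sh audit is an added example, not code from the thread or from the doas project; it flags `nopass` rules with no `cmd` restriction, bare-name `cmd` rules, and rule targets that an account other than the expected owner can modify. The function name `audit_doas_conf`, its output labels and the one-rule-per-line parsing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit doas.conf "permit" rules.
# Assumes one rule per line without quoted arguments; owner defaults to root.

audit_doas_conf() {
    conf=$1 owner=${2:-root}
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f      # split the rule into words, no globbing
        [ "$1" = permit ] || continue
        nopass=0 cmd=
        while [ $# -gt 0 ]; do
            case $1 in
                nopass) nopass=1 ;;
                cmd)    cmd=$2; break ;;
            esac
            shift
        done
        if [ -z "$cmd" ]; then
            # No cmd restriction: the rule covers every command.
            if [ "$nopass" -eq 1 ]; then echo "nopass-any-command: $line"; fi
            continue
        fi
        case $cmd in
            /*) ;;
            *)  # Bare name: doas looks it up in its own restricted PATH only.
                echo "relative-cmd: $cmd"; continue ;;
        esac
        [ -e "$cmd" ] || { echo "missing: $cmd"; continue; }
        # A target (or its directory) that is not owned by $owner, or is
        # group/world-writable, lets another account change what root runs.
        find -H "$cmd" "${cmd%/*}/" -prune \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print |
            sed 's/^/modifiable: /'
    done < "$conf"
}

if [ $# -gt 0 ]; then audit_doas_conf "$@"
else  # no file given: audit constructed sample rules shaped like the thread's
    t=$(mktemp)
    printf '%s\n' 'permit nopass keepenv marietto' \
        'permit nopass :wheel as root cmd bhyve-win' \
        'permit nopass marietto as root cmd /bhyve/12-Win-11-vm12' > "$t"
    audit_doas_conf "$t"; rm -f "$t"
fi
```

Run it as `sh audit-doas.sh /usr/local/etc/doas.conf`; any `modifiable:` line for a script under /bhyve means the account that can edit that script effectively has passwordless root.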
 