Playing with mdo(1)

Doesn't opendoas do persistence? I think it does on Linux. (and I don't know its disadvantages).
Unfortunately persistence of opendoas is not like-for-like with persistence of doas on OpenBSD. To quote Ted Unangst, original creator of doas (https://web.archive.org/web/20250812140828/https://flak.tedunangst.com/post/doas-mastery):
"The authentication information doas uses is recorded in the kernel and attached to the current session. Unlike filesystem tickets, it is not accessible to other users and difficult to fake. The timeout will always take place in real time, not computer time, meaning that adjusting the system clock backwards can not grant new life to an expired ticket. Repeated executions will reset the timeout, but only if the rule is marked persist. Rules cannot be both persist and nopass, nor will nopass rules extend the timeout."
This is why a proper implementation of doas requires changes to the kernel, and hence why persistence does not work at present for the doas(1) port to FreeBSD. To get it to work would really mean creating a native doas(1) implementation.

While the opendoas(1) port allows persistence, it cannot do so in a way that is consistent with the security philosophy of doas(1) as its creator intended.

Also be aware that the opendoas(1) repo has not had any commits for 4 years. It's not the kind of tool I'd want to be using an unmaintained version of. https://github.com/Duncaen/OpenDoas/commits/master/
 