Solved security/doas can't work with zsh alias

alphachi

Code:
% cat /usr/local/etc/doas.conf
permit nopass keepenv fbsd as root
permit nopass keepenv root as root
% id -nu
fbsd
% doas id -nu
root
% echo $SHELL
/usr/local/bin/zsh
% doas echo $SHELL
/usr/local/bin/zsh
% alias
vi=vim
% doas alias
%
% doas -s 
# alias
vi=vim
As this shows, doas doesn't know any aliases, so "doas vi" can't invoke the installed vim. Now I have to run "doas -s" in a tmux window and keep it open whenever I need aliases.

Is this reasonable or just my mistake? How do I enable zsh aliases for doas? Thanks!
 

tingo

You should ask yourself this: does doas (or sudo) work with aliases in any shell?
 
alphachi

I know it doesn't work with any shell in the base system like csh/tcsh, so I want to try another shell from Ports like zsh.
 

ANOKNUSA

I think tingo's point was that doas and sudo are supposed to work with commands, not aliases. I've never tried running an alias with sudo, but I just tried and found that an alias created interactively in a shell session doesn't carry over when running sudo -Es either. So you'll need to try setting the alias in the shell configuration file for each user. If they don't work then, they won't work at all.

On top of tingo's question, I would ask: What's the difference between a regular user account with complete, password-free administrative access, and the root account?
 

SirDice

sudo(8) wipes the environment except the variables mentioned with env_keep. Never really tested it with aliases but I'm pretty sure those are wiped along with the environment. I'm betting doas(1) does something similar.

It would be a serious security risk if aliases were inherited from the user. Imagine what would happen if the vi alias, besides opening the editor, also resets the root password?
 

tobik@

> doas doesn't know any alias
Yes, the simple technical reason is that it does not use a shell to execute the commands you give it. It just uses plain old regular execvp(2).

There is however a trick you can use to tell zsh to expand aliases for the word after doas before executing the command line (see zshmisc(1) under ALIASING). Just add this to your ~/.zshrc:
Code:
alias doas='doas '

> % doas echo $SHELL
This doesn't do what you think it does. $SHELL is expanded by your local shell before doas even runs and its value is then simply passed to /bin/echo as an argument.
 
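Added example, not written by anyone in the thread: a POSIX sh sketch of the two behaviours tobik@ describes above. It assumes env as a stand-in for doas so that it runs without privileges (both are external programs that exec the command directly, with no shell), and it relies on sh having the same trailing-space alias rule as zsh; the alias name and the MARK variable are constructed.

```shell
#!/bin/sh
# Constructed demo. `env` stands in for doas: an external program that
# exec()s the command it is given and never consults shell aliases.

# bash expands aliases in scripts only when asked; POSIX sh does so by default.
if [ -n "${BASH_VERSION:-}" ]; then shopt -s expand_aliases; fi

# Case 1: the alias exists only inside the calling shell. env receives the
# literal word, finds no such program on PATH, and exits non-zero.
alias_without_trick() {
    alias greet_alias_demo='echo hello-from-alias'
    eval 'env greet_alias_demo' 2>/dev/null || echo "exec failed: status $?"
}

# Case 2: an alias whose value ends in a space makes the NEXT word eligible
# for alias expansion. The calling shell rewrites the line to
# `env echo hello-from-alias` before env is started.
alias_with_trick() {
    alias greet_alias_demo='echo hello-from-alias'
    alias env='env '
    eval 'env greet_alias_demo'
}

# Case 3: "$MARK" is expanded by the calling shell, so echo is handed the
# caller's value even though env sets MARK=target for the child process.
expanded_by_caller() {
    MARK=caller
    env MARK=target echo "$MARK"
}

# Case 4: single quotes defer expansion to a shell started by env, which
# sees the child environment instead.
expanded_by_target() {
    MARK=caller
    env MARK=target sh -c 'echo "$MARK"'
}

# Each case runs in a subshell, so the aliases do not leak into this shell.
printf '%s\n' "$(alias_without_trick)" "$(alias_with_trick)" \
    "$(expanded_by_caller)" "$(expanded_by_target)"
```

In every case the rewriting happens in the unprivileged caller's shell, so the privileged side only ever sees the already-expanded command line.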
alphachi

It works:
Code:
alias doas='doas '
Then I RTFM zshmisc(1):
ALIASING
Every eligible word in the shell input is checked to see if there is an
alias defined for it. If so, it is replaced by the text of the alias
if it is in command position (if it could be the first word of a simple
command), or if the alias is global. If the replacement text ends with
a space, the next word in the shell input is always eligible for
purposes of alias expansion.
An alias is defined using the alias builtin;
global aliases may be defined using the -g option to that builtin.
Thanks for your help. I have marked this thread as "Solved".
 