this post was submitted on 30 Apr 2024
79 points (92.5% liked)
Linux
5231 readers
145 users here now
A community for everything relating to the linux operating system
Also check out !linux_memes@programming.dev
Original icon base courtesy of lewing@isc.tamu.edu and The GIMP
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Is there something wrong with doas? I thought doas was smaller with less of an attack surface.
The only problem I found was, that it has no real alternative to
sudoedit
Is that similar to
visudo
?Not really
visudo
is only to edit the sudoers file.sudoedit
is a better way to edit system files.It seems Poettering is convinced
doas
, while decreasing attack surface, depends on SUID binary implementation which is a concern in its own right. Poettering is trying to eliminate that dependency in his `run0' implementation to reduce the attack surface even further.The relevant excerpt from the long chain of posts from Poettering's mastodon.social account is copied below:
Read the rest where he explains
run0
's use and functionality beyond the design logic.Thanks for the insight. I think I understand what he is trying to do but is a little too low-level for me to really grasp the technicalities.
it is. arguing attack surface with systemd IMO is a losing battle though.
Why do you say that? It seems that Poettering's reasoning for avoiding SUID binaries is sound.
Some scripts or programs assume sudo by default. It's a stupid thing but also annoying.
The main problem with sudo and doas is that they are not developed by Lennart. Seriously.
I consider that a positive.