X-Git-Url: https://git.armaanb.net/?p=opendoas.git;a=blobdiff_plain;f=README.md;h=b0764966b3c1314fc7a067e227b675fd072ec1c1;hp=e6f5749019861c420f888b5acf3ba23eb8f69ab8;hb=HEAD;hpb=9474e418d2184e86408f0dce09ca250e36138672 diff --git a/README.md b/README.md index e6f5749..b076496 100644 --- a/README.md +++ b/README.md 
@@ -1,63 +1,31 @@ -# OpenDoas: a portable version of OpenBSD's `doas` command +# OpenDoas +> a portable version of OpenBSD's `doas` command -`doas` is a minimal replacement for the venerable `sudo`. It was -initially [written by Ted Unangst](http://www.tedunangst.com/flak/post/doas) -of the OpenBSD project to provide 95% of the features of `sudo` with a -fraction of the codebase. +`doas` is a minimal replacement for the venerable `sudo`. It was initially [written by Ted Unangst](http://www.tedunangst.com/flak/post/doas) of the OpenBSD project to provide 95% of the features of `sudo` with a fraction of the codebase. -## Building and installation discouragements +This fork insults you, similar to how `sudo` can. To enable, add the "insult" option to your `doas.conf` -There are a few steps you have to carefully consider before building and installing -opendoas: +## Building and installation discouragements +There are a few steps you have to carefully consider before building and installing opendoas: -* There are less eyes on random doas ports, just because sudo had a vulnerability - does not mean random doas ports are more secure if they are not reviewed - or pam is configured incorrectly. -* If you want to use pam; You have to [configure pam](#pam-configuration) - and failing to do so correctly might leave a big open door. -* Use the configure script to configure the opendoas. -* Use the default make target to build the software. -* If you really want to install a setuid binary that depends on - pam being correctly configured, use the make install target - to install the software. +* There are less eyes on random doas ports, just because sudo had a vulnerability does not mean random doas ports are more secure if they are not reviewed. +* Use the configure script. +* Use the default make target. ## About the port - This is not an official port/project from OpenBSD! -As much as possible I've attempted to stick to `doas` as tedu desired -it. 
As things stand it's essentially just code lifted from OpenBSD with -PAM or shadow based authentication glommed on to it. - -Compatibility functions in libopenbsd come from openbsd directly -(`strtonum.c`, `reallocarray.c`, `strlcpy.c`, `strlcat.c`), -from openssh (`readpassphrase.c`) or from sudo (`closefrom.c`). - -The PAM and shadow authentication code does not come from the OpenBSD project. - -### pam configuration - -I will not ship pam configuration files, they are distribution specific and -its simply not safe or productive to ship and install those files. - -If you want to use opendoas on your system and there is no package that -ships with a working pam configuration file, then you have to write and -test it yourself. +As much as possible I've attempted to stick to `doas` as tedu desired it. As things stand it's essentially just code lifted from OpenBSD with shadow based authentication glommed on to it. -A good starting point is probably the distribution maintained `/etc/pam.d/sudo` -file. +Compatibility functions in libopenbsd come from openbsd directly (`strtonum.c`, `reallocarray.c`, `strlcpy.c`, `strlcat.c`), from openssh (`readpassphrase.c`) or from sudo (`closefrom.c`). -### Perist/Timestamp/Timeout +The shadow authentication code does not come from the OpenBSD project. -The persist feature is disabled by default and can be enabled with the configure -flag `--with-timestamp`. +### Persist/Timestamp/Timeout +The persist feature is disabled by default and can be enabled with the configure flag `--with-timestamp`. -This feature is new and potentially dangerous, in the original doas, a kernel API -is used to set and clear timeouts. This API is openbsd specific and no similar API -is available on other operating systems. +This feature is new and potentially dangerous, in the original doas, a kernel API is used to set and clear timeouts. This API is openbsd specific and no similar API is available on other operating systems. 
-As a workaround, the persist feature is implemented using timestamp files -similar to sudo. +As a workaround, the persist feature is implemented using timestamp files similar to sudo. -See the comment block in `timestamp.c` for an in-depth description on how -timestamps are created and checked to be as safe as possible. +See the comment block in `timestamp.c` for an in-depth description on how timestamps are created and checked to be as safe as possible.
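Review bot: The rewritten bullet list under "Building and installation discouragements" drops the `make install` bullet, and with it the README's only statement that what gets installed is a setuid binary. Keep an install step that says so, for example "Use the make install target; this installs a setuid binary". The same hunk removes the PAM warnings, the "pam configuration" section and the words "PAM or" in "About the port" without any line saying that PAM support is gone from this fork; if it is, state that explicitly so readers of the earlier README do not assume PAM authentication still applies. Separately, the new sentence about the "insult" option has no closing period and does not show where in a `doas.conf` rule the option goes; an example rule line would help.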