Повышение привилегий с помощью doas.
Определим операционную систему.
lsb_release --all
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
Sudo не установлен по умолчанию, что облегчает работу в данном случае.
sudo
-bash: sudo: command not found
Обновим индекс пакета.
su - -c "apt update"
Hit:1 http://ftp.task.gda.pl/debian bookworm InRelease
Get:2 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Hit:3 http://ftp.task.gda.pl/debian bookworm-updates InRelease
Fetched 48.0 kB in 0s (127 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Установите пакет doas.
su - -c "apt install --yes doas"
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
linux-image-6.1.0-25-amd64
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
opendoas
The following NEW packages will be installed:
doas opendoas
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 27.4 kB of archives.
After this operation, 91.1 kB of additional disk space will be used.
Get:1 http://ftp.task.gda.pl/debian bookworm/main amd64 opendoas amd64 6.8.2-1+b1 [23.7 kB]
Get:2 http://ftp.task.gda.pl/debian bookworm/main amd64 doas amd64 6.8.2-1+b1 [3,716 B]
Fetched 27.4 kB in 0s (77.6 kB/s)
Selecting previously unselected package opendoas.
(Reading database ... 38272 files and directories currently installed.)
Preparing to unpack .../opendoas_6.8.2-1+b1_amd64.deb ...
Unpacking opendoas (6.8.2-1+b1) ...
Selecting previously unselected package doas.
Preparing to unpack .../doas_6.8.2-1+b1_amd64.deb ...
Unpacking doas (6.8.2-1+b1) ...
Setting up opendoas (6.8.2-1+b1) ...
Setting up doas (6.8.2-1+b1) ...
Processing triggers for man-db (2.11.2-2) ...
Создайте пустой файл конфигурации с соответствующими правами.
su -- -c “install --mode=0400 --owner=root --group=root /dev/null /etc/doas.conf”
Проверим права доступа к файлам.
ls -l /etc/doas.conf
-r-------- 1 root root 0 May 11 19:29 /etc/doas.conf
Создайте специальную группу.
su - -c "groupadd --gid 90 doas"
Добавьте пользователя в созданную группу.
su - -c "usermod --append --groups doas cryptoparty"
Проверьте группы пользователей.
groups
cryptoparty cdrom floppy audio dip video plugdev users netdev
Войдите в новую группу.
newgrp doas
groups
doas cdrom floppy audio dip video plugdev users netdev cryptoparty
Создайте базовую конфигурацию для повышения привилегий.
su - -c "tee /etc/doas.conf <<EOF
permit group doas, do not ask for a password again for some time
permit persist :doas as root
permit user cryptoparty to execute apt update and upgrade without password
permit nopass setenv { PATH=/usr/bin:/usr/sbin:/sbin:/bin } cryptoparty as root cmd apt args update
permit nopass setenv { PATH=/usr/bin:/usr/sbin:/sbin:/bin } cryptoparty as root cmd apt args upgrade
EOF"
permit group doas, do not ask for a password again for some time
permit persist :doas as root
permit user cryptoparty to execute apt update and upgrade without password
permit nopass setenv { PATH=/usr/bin:/usr/sbin:/sbin:/bin } cryptoparty as root cmd apt args update
permit nopass setenv { PATH=/usr/bin:/usr/sbin:/sbin:/bin } cryptoparty as root cmd apt args upgrade
Проверьте файл конфигурации.
su - -c "doas -C /etc/doas.conf && echo 'Config: OK' || echo 'Config: Error'"
Config: OK
Выполните команду от имени root.
doas whoami
doas (cryptoparty @debian) password: ************
root
Используйте неинтерактивный режим для повышения привилегий.
doas -n apt
doas: Authentication required
doas -n -u daemon apt update
doas: Operation not permitted
doas -n apt update
Hit:1 http://ftp.task.gda.pl/debian bookworm InRelease
Hit:2 http://security.debian.org/debian-security bookworm-security InRelease
Hit:3 http://ftp.task.gda.pl/debian bookworm-updates InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
см. также:
