Go home

As computer users, we frequently need to escalate our user privileges, to edit write-protected files, update software, etc. The de facto tool to do this with on Linux and other Unix-like systems is sudo. sudo is a great tool that “just works”. It has a simple user interface, great helper programs like sudoedit, and a config file that lets you control every aspect of the program and permission logic. This configurability is especially helpful for sysadmins of multi-user systems and pubnixes. As a side effect of all this though, sudo is immense, and has tons of features that most people will never use or want. This leads to security issues due to the massive codebase (see the sheer number of sudo CVEs), and over reliance on complex software. There is, however, a solution: doas.

doas is a privilege escalation tool developed by the OpenBSD team, specifically Ted Unangst, and was first introduced in OpenBSD 5.8 (Oct 2015). It is a BSD-specific utility, however there is a portable fork, OpenDoas, which works on Linux via PAM and/or shadow authentication. According to its README, OpenDoas aims to provide 95% of the features of sudo with a fraction of the codebase (1/50th to be precise). In the 5% of features that got left behind, however, was one of my favorites, the ability for sudo to insult you whenever you got your password wrong. With this option (enabled by putting Defaults insults in your /etc/sudoers file), sudo chooses a random insult to berate you with every time you make a typo. It’s by no means a necessary feature, and an understandable cut, however I like the flair and personality that it adds. So, I added the functionality into my fork of OpenDoas.

It works in about the same way that it works on sudo, with the same insults and all. To enable it, just add the “insult” to your doas.conf in the relevant “permit” lines. I doubt that this would ever be merged into the mainline source tree (so I won’t even try), but I will keep my fork up to date with the upstream, so security, et cetera, is not a concern.

Example insults:

$ doas ls
doas (armaa@frost.armaanb.net) password:
Maybe if you used more than just two fingers...
doas: Authentication failed

$ doas ls
doas (armaa@frost.armaanb.net) password:
I've seen penguins that can type better than that.
doas: Authentication failed

Switching to doas from sudo is incredibly easy, and can be done in 2 minutes. Just build/install doas (it might already be in your package repositories), write a doas.conf (well explained in doas.conf(5)), and optionally, alias sudo to doas in your shell so you remember to use it.