Date: Fri, 23 Jul 2021 18:32:09 +0200
To: Ariadne Conill
Cc: ~alpine/devel@lists.alpinelinux.org
Subject: Re: [3.15] System change proposal: Move sudo to community
From: Sören Tempel
Message-Id: <3CK6IULB0AU8E.2M0ZOYDKAU46I@8pit.net>

Hi,

Ariadne Conill wrote:
> ## Documentation
>
> This will need to be documented in the release notes. We should recommend
> `doas` as the preferred pivot tool, noting that `sudo` is available in
> `community` if explicitly wanted.

I am all for replacing sudo with something else. The problem I have with doas is that there is presently no official port to Linux by the OpenBSD folks so we would probably just end up recommending installation of OpenDoas (main/doas) [1] which is not an official port/project from the OpenBSD project.

Porting doas from OpenBSD to Linux is actually not that trivial. For instance, Linux does not have the TIOCSETVERAUTH ioctl used by OpenBSD's doas version for persisting authentication [2]. For this reason, OpenDoas disables the persist feature by default and refers to their optional persist implementation as "new and potentially dangerous". We presently enabled this "potentially dangerous" code by default btw (--with-timestamp).

Similarly, Linux also does not have other library functions used by OpenBSD's doas version such as setusercontext [3] and there is just a possibility for vulnerabilities to occur in the portability layer of OpenDoas. For example, see CVE-2019-25016 [4] where the LOGIN_SETPATH setusercontext flag was not correctly mimicked in OpenDoas.

In my view OpenDoas actually deviates quite heavily from the original OpenBSD doas codebase which is why I am personally still using sudo. There are also somewhat "simpler" ports, for example the oasis patchset by Michael Forney [5] though it is also subject to the problem outlined above [6].

I think OpenDoas is a great project, I am just unsure if we really want to recommend it by default given the fact that it requires suid and is an unofficial port.

> Additionally, we do not have to support `sudo` for a 2 year lifecycle,
> since there are no LTS branches for it.

Please note that OpenBSD upstream also only offers support for 1 year, i.e. the two most recent releases [7].

On a side note: There is also some interesting research which allows implementing a sudo-like utility on Linux without requiring suid binaries [8]. Unfortunately, while the Linux kernel module required for this approach was in upstream staging for a while it was removed a long time ago [9].

Greetings,
Sören

[1]: https://github.com/Duncaen/OpenDoas
[2]: https://man.openbsd.org/tty.4#TIOCSETVERAUTH
[3]: https://man.openbsd.org/setusercontext
[4]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25016
[5]: https://github.com/oasislinux/oasis/blob/dce7387ae2c7293204031c7698d2fca5995e3f84/pkg/openbsd/patch/0015-doas-Port-to-linux-musl.patch
[6]: https://github.com/oasislinux/oasis/commit/6dfea0c1af69f11b41fba979746b5615a5ec477b#r49125998
[7]: https://www.openbsd.org/faq/faq10.html#Patches
[8]: https://doi.org/10.1145/1400097.1400101
[9]: https://github.com/torvalds/linux/commit/2d629030ca649bd4a7356befedbe7bbefa840b21
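
The portability concern around LOGIN_SETPATH raised in the message above, as an added example that is not part of the original message and is not code from OpenDoas or OpenBSD: a Linux replacement has to build the target command's environment itself, with PATH set by the tool rather than inherited from the invoking user. `SAFE_PATH`, the `keep` allowlist, `struct envbuf` and the function names are assumptions made for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed default; OpenBSD reads the path from login.conf instead. */
#define SAFE_PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
#define ENV_SLOTS 8 /* 5 fixed + 2 inherited + terminating NULL */
/* Assumed allowlist: the only caller variables that are passed through. */
static const char *const keep[] = { "DISPLAY", "TERM", NULL };
struct envbuf { char *vec[ENV_SLOTS]; char data[1024]; size_t n, used; };

/* Return the value of name in a NULL-terminated "NAME=value" vector. */
const char *env_get(char *const env[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

/* Append "name=value"; fails closed (-1) instead of truncating a value. */
static int env_put(struct envbuf *e, const char *name, const char *value)
{
    size_t room = sizeof(e->data) - e->used;
    int len = snprintf(e->data + e->used, room, "%s=%s", name, value);
    if (len < 0 || (size_t)len >= room || e->n + 1 >= ENV_SLOTS)
        return -1;
    e->vec[e->n++] = e->data + e->used; /* last slot stays NULL (memset) */
    e->used += (size_t)len + 1;
    return 0;
}

/* Build the environment from scratch; PATH is SAFE_PATH, never the caller's. */
int build_target_env(struct envbuf *e, char *const caller[], const struct passwd *pw)
{
    memset(e, 0, sizeof(*e));
    if (env_put(e, "PATH", SAFE_PATH) || env_put(e, "HOME", pw->pw_dir)
        || env_put(e, "SHELL", pw->pw_shell) || env_put(e, "USER", pw->pw_name)
        || env_put(e, "LOGNAME", pw->pw_name))
        return -1;
    for (size_t i = 0; keep[i] != NULL; i++) {
        const char *v = env_get(caller, keep[i]);
        if (v != NULL && env_put(e, keep[i], v))
            return -1;
    }
    return 0;
}
```

A caller would pass `e.vec` as the `envp` argument of `execve`, and treat a return value of -1 as a reason not to run the command at all.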