Hi,
I'm trying to configure doas to allow running one shell script without
requiring a password. I've read the manual page and (I think) understood
it; however, I still cannot wrap my head around the behaviour.
When I have this in my wheel.conf, everything works fine:
permit persist :wheel
permit nopass :wheel cmd /usr/local/bin/dock-network
However, once I switch the lines around like this:
permit nopass :wheel cmd /usr/local/bin/dock-network
permit persist :wheel
It does not work anymore:
$ doas -n /usr/local/bin/dock-network
doas: Authentication required
And I just do not understand why the order should matter. As for why I
even bother, I want to have the nopass in separate file in /etc/doas.d,
but I was not able to get it to work at all if it was in two separate
files.
Actually, now that I think about it, all my attempts with multiple files
matched the alphabetical order from the second (not working) case. But
for these two rules order just should not matter, no?
Thank you in advance for any advice regarding this.
W.
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
On Mon Apr 18, 2022 at 4:40 AM CEST, Wolf wrote:
> When I have this in my wheel.conf, everything works fine:
>
> permit persist :wheel
> permit nopass :wheel cmd /usr/local/bin/dock-network
>
> However, once I switch the lines around like this:
>
> permit nopass :wheel cmd /usr/local/bin/dock-network
> permit persist :wheel
>
> It does not work anymore:
>
> $ doas -n /usr/local/bin/dock-network
> doas: Authentication required
This does look like a bug. I opened a bug report[0] since I realise I
have run into the same thing myself.
[0]: https://github.com/Duncaen/OpenDoas/issues/99
Hey,
The order of your rules matters.
"The last matching rule determines the action taken."
https://man.openbsd.org/doas.conf
You have to start with a 'general' rule, then add more specific ones below.
You can also add a user directly instead of a :group to be more strict.
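To make that man page sentence concrete, here is a small model of the
matching logic, added for this reply; it is not doas's own parser and
it only covers permit/deny, the nopass/nolog/persist/keepenv options, a
user or :group identity, "as target" and "cmd ... [args ...]" (setenv is
not handled). The username "wolf", the group set {"wheel"} and the
target "root" are assumptions for the sake of the demo. It evaluates
both orderings from the original mail and shows that in the second one
the catch-all "permit persist :wheel" is the last rule that matches
dock-network, so its options (no nopass) win:

```python
"""Toy evaluator for doas.conf rule ordering (illustrative model, not doas code).

The one property it exists to show is the doas.conf(5) sentence
"The last matching rule determines the action taken."
"""
import shlex
from dataclasses import dataclass
from typing import Optional

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    options: frozenset     # subset of OPTIONS
    identity: str          # "alice" or ":wheel"
    target: Optional[str]  # "as target"; None means any target user
    cmd: Optional[str]     # "cmd" path; None means any command
    args: Optional[tuple]  # "args ..."; None means any arguments


def parse_conf(text: str) -> list:
    """Parse the subset of doas.conf syntax described in the module docstring."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        tok = shlex.split(line)
        action = tok.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in rule: {raw!r}")
        opts = set()
        while tok and tok[0] in OPTIONS:
            opts.add(tok.pop(0))
        identity = tok.pop(0)
        target = cmd = args = None
        if tok and tok[0] == "as":
            tok.pop(0)
            target = tok.pop(0)
        if tok and tok[0] == "cmd":
            tok.pop(0)
            cmd = tok.pop(0)
            if tok and tok[0] == "args":
                tok.pop(0)
                args = tuple(tok)   # bare "args" means: no arguments allowed
                tok = []
        if tok:
            raise ValueError(f"trailing tokens in rule: {raw!r}")
        rules.append(Rule(action, frozenset(opts), identity, target, cmd, args))
    return rules


def rule_matches(r: Rule, user: str, groups: set, target: str, cmd: str, args: tuple) -> bool:
    """A rule matches when every field it constrains agrees with the request."""
    if r.identity.startswith(":"):
        if r.identity[1:] not in groups:
            return False
    elif r.identity != user:
        return False
    if r.target is not None and r.target != target:
        return False
    if r.cmd is not None and r.cmd != cmd:
        return False
    if r.args is not None and r.args != args:
        return False
    return True


def evaluate(rules, user, groups, target, cmd, args=()):
    """Return (action, options) of the LAST matching rule; no match means deny."""
    decision = ("deny", frozenset())
    for r in rules:
        if rule_matches(r, user, set(groups), target, cmd, tuple(args)):
            decision = (r.action, r.options)   # later matches override earlier ones
    return decision


def needs_password(decision) -> bool:
    action, options = decision
    return action == "permit" and "nopass" not in options


# The two configurations from the original mail (constructed inline for the demo).
WORKING = """\
permit persist :wheel
permit nopass :wheel cmd /usr/local/bin/dock-network
"""
BROKEN = """\
permit nopass :wheel cmd /usr/local/bin/dock-network
permit persist :wheel
"""


def check(conf: str):
    # "wolf" in group wheel running the script as root: an assumed request context.
    return evaluate(parse_conf(conf), "wolf", {"wheel"}, "root", "/usr/local/bin/dock-network")


if __name__ == "__main__":
    for name, conf in (("specific rule last", WORKING), ("general rule last", BROKEN)):
        d = check(conf)
        verdict = "password required" if needs_password(d) else "no password"
        print(f"{name}: {d[0]} {sorted(d[1])} -> {verdict}")
```

Run it and the second ordering reports "permit ['persist'] -> password
required", which is exactly what "doas -n" refuses with "Authentication
required". The same model shows why a nopass rule in /etc/doas.d sorts
after a general rule only if its file name sorts after the file holding
the general rule: whatever is read last wins for every command it matches.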