Skip to main content
Topic: I installed doas, to get away from sudo, but what do I do with sudo now? (Read 2271 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

I installed doas, to get away from sudo, but what do I do with sudo now?

not sure where to post this, system or software but i think it should belong here right? sry if not.
anyways, i read about the insecureness of sudo, and installed doas and made the config file. I can use it now.
But i cannot find anywhere in the internet of what to do with sudo after that or how to delete sudo.

Only thing i head was that something like make package was hardcoded for sudo and that i can change some aliases (why if its just the name since that is what alias means right? whats the point of that).

And im not sure what to do with sudo now, whats the point of installing doas, when you still have sudo in your system.


Re: I installed doas, to get away from sudo, but what do I do with sudo now?

Reply #2
I've been running doas without sudo on my system for about 6 months now. The experience has been really good, doas has everything I need and has a very intuitive configuration syntax. You can remove sudo from Arch and Artix just fine without any major problems regarding the system itself.

Speaking from my experience, you'll eventually face some problems along the way, as you mentioned some packages are hard-coded with sudo by default. One way to fix this is simply creating a soft link on /usr/bin pointing /usr/bin/sudo to /usr/bin/doas. Then every time a package try to use sudo it will instead use doas. However keep in mind not every package will work with this, because doas does not have all the features sudo has, starting with flags, so if some package uses a flag doas does not have, it will not work. This is probably the best way for a lazy person to have a smooth transition from sudo to doas.

Another way (the one I use) is to simply not symlink and let things error-out so I can fix them myself either changing a config file or compiling the package again with doas support.

You mentioned makepkg is hard-coded to sudo, this is not true. You can edit /etc/makepkg.conf, on the last line there's a PACMAN_AUTH variable, you can just change it to doas and pacman will use doas along with makepkg.

Some couple tips I got from my experience:

If you use an AUR helper like paru (or yay), you can go to /etc/paru.conf and simply uncomment the [bin] line along with Sudo = doas, and now your AUR helper will also use doas.

A bit of a newbie advise is that sometimes you'll make mistakes to your doas.conf and you won't be able to use doas to fix it. Don't panic, you can use su or go to tty and login with root, then you won't need doas to edit /etc/doas.conf.

When using nopass in doas.conf, try to use args instead of the full command whenever possible, here are some examples from my doas.conf.
Code: [Select]
permit nopass :wheel as root cmd dinitctl args start wireguard
permit nopass :wheel as root cmd dinitctl args stop wireguard
permit nopass :wheel as root cmd dinitctl args restart dhclient
permit nopass :wheel as root cmd dinitctl args list

permit nopass :wheel as root cmd reboot
permit nopass :wheel as root cmd poweroff

permit nopass :wheel as root cmd cp args /etc/resolv.conf.fix /etc/resolv.conf
permit nopass :wheel as root cmd chattr args +i /etc/resolv.conf
permit nopass :wheel as root cmd chattr args -i /etc/resolv.conf

Re: I installed doas, to get away from sudo, but what do I do with sudo now?

Reply #3
I've been running doas without sudo on my system for about 6 months now. The experience has been really good, doas has everything I need and has a very intuitive configuration syntax. You can remove sudo from Arch and Artix just fine without any major problems regarding the system itself.

Speaking from my experience, you'll eventually face some problems along the way, as you mentioned some packages are hard-coded with sudo by default. One way to fix this is simply creating a soft link on /usr/bin pointing /usr/bin/sudo to /usr/bin/doas. Then every time a package try to use sudo it will instead use doas. However keep in mind not every package will work with this, because doas does not have all the features sudo has, starting with flags, so if some package uses a flag doas does not have, it will not work. This is probably the best way for a lazy person to have a smooth transition from sudo to doas.

Another way (the one I use) is to simply not symlink and let things error-out so I can fix them myself either changing a config file or compiling the package again with doas support.

You mentioned makepkg is hard-coded to sudo, this is not true. You can edit /etc/makepkg.conf, on the last line there's a PACMAN_AUTH variable, you can just change it to doas and pacman will use doas along with makepkg.

Some couple tips I got from my experience:

If you use an AUR helper like paru (or yay), you can go to /etc/paru.conf and simply uncomment the [bin] line along with Sudo = doas, and now your AUR helper will also use doas.

A bit of a newbie advise is that sometimes you'll make mistakes to your doas.conf and you won't be able to use doas to fix it. Don't panic, you can use su or go to tty and login with root, then you won't need doas to edit /etc/doas.conf.

When using nopass in doas.conf, try to use args instead of the full command whenever possible, here are some examples from my doas.conf.
Code: [Select]
permit nopass :wheel as root cmd dinitctl args start wireguard
permit nopass :wheel as root cmd dinitctl args stop wireguard
permit nopass :wheel as root cmd dinitctl args restart dhclient
permit nopass :wheel as root cmd dinitctl args list

permit nopass :wheel as root cmd reboot
permit nopass :wheel as root cmd poweroff

permit nopass :wheel as root cmd cp args /etc/resolv.conf.fix /etc/resolv.conf
permit nopass :wheel as root cmd chattr args +i /etc/resolv.conf
permit nopass :wheel as root cmd chattr args -i /etc/resolv.conf


thank you very much brother. I will screenshot this and do this someday because im kindoff too lazy for this right now, perhaps in a few hours. I hope thats okay, it happens so often to me that im too lazy for stuff like that :( I dont use yay very often anyways, same with AUR. still thank you because I will need it later.
should I remove sudo though? if yes how? also whats so insecure about sudo again in the first place?

 

Re: I installed doas, to get away from sudo, but what do I do with sudo now?

Reply #4
That's really your call, you can choose to keep both or not.
also whats so insecure about sudo again in the first place?
I personally have nothing against sudo besides it having a bunch of features I'll never use. I actually still use sudo on my main desktop and on some servers. Couple people complain about password persistence on sudo (once you enter your root password it has a timeout until you have to enter it again), but that's not really a security concern for most people. doas has this persistence disabled by default.
capezotte already provided a very good link from the arch wiki on how to remove packages (sudo included as sudo is a package), I suggest you choose the flags that best fits your needs, you can also do "man pacman" for a complete list of flags.
For example, if you chose the first and simplest option mentioned on that link you'd do
Code: [Select]
# pacman -R sudo