And I guess I can't really blame them. Their mental modal is: I need to run `sudo X`. Because, well, that's what the runbook-they-got-from-their-previous-job, Google, or ChatGPT says.
The response they get does not get them any nearer to being able to run `sudo X`. So, they get angry, and push back. Unless you can get someone to sit down, reflect, and think about what they really want to achieve, this is a situation that is very hard to resolve.
So, that's one more reason I love `doas`: it leads to, eh, valuable conversations.
You joke, but I found something like this in the wild. It was an old legacy sco system been around forever and I was asked to do some maintenance work on it. It used rsh to talk to other machines. But I was having a hell of a hard time finding the rsh command. After a lot of pouring over script sources I found it had been renamed to something else. when I asked their sysadmin WTF was going on with this system. he said it had been done for security. Which is still stupid but I have to admit it may work against your normal "script of the month" style attack. It certainly worked for me.
It probably was done for security, the r- utilities being the security pitfalls that they are. It's not defending against attacks. It is, in fact, defending against exactly you, a person who comes along and wants to use the r- utilities. It's a compromise between (most likely) "We mustn't use r- utilities on our LAN any more, and must remove them everywhere." and "This is SCO Unix; it's not even OpenServer.".
I think this says way more about you than the teammates you're condescending to. I've never had someone "get angry, and push back" when you simply and clearly explain "things have changed here...X isn't the command you want and you need to use Y, and here's how you do it". But I get that a mentor-like approach doesn't let you polish you BOFH creds and put the contemptable little people in their place.
> I've never had someone "get angry, and push back" when you simply and clearly explain "things have changed here...X isn't the command you want and you need to use Y, and here's how you do it".
And you're replying to someone who has. Life is funny like that.
There are, at both ends. Both the "script kiddies" who cannot deviate from scripts because they lack almost any knowledge at all; and the knowledgeable ones who know that there are subtle differences between sudo and doas which require doing things slightly differently to achieve the same effect.
One time we hired someone who interviewed extremely well. They were filling a compliance auditing role, but had credibly talked a lot about their experience as a security engineer in a Unix shop.
On their first day, I was helping them set up their laptop:
- You need to run `sudo X`
- types `X-but-misspelled`
- No, that's `sudo`, then `X`
- types `sudo_X-but-misspelled` (literally `sudo`-underscore-`misspelled version of X`)
- I mean, with a space after `sudo`, like using sudo to run X.
- types `sudo_X`
- Have you used sudo?
- Finally types `sudo X`.
I saved a screenshot of our zoom so I could show our mutual boss later. They ghosted us after a week.
Huh. A Unix security engineer who doesn't have sudo (or presumably doas) in muscle memory? Interesting.
Doas is doa on Linux at least. Last I checked maybe 6 months ago the password timeout feature was still broke. You get asked for the password every single time you run doas even if it was just 2 seconds prior. Maddening. Apparently this has been the state for years now?
It is because openbsd persists the auth via a cookie in the terminal. that is, to do it the openbsd way a change in the tty code is required. It is odd that the linux port does not track the process id or something.
edit: I was looking at the opendoas project and it does something with the persist option, still reading the code but it looks like it sets some sort of timestamp on file descriptor 0. update: found it, here is the timestamp code. probably a user space version of what openbsd doas does in the kernel.
So linux doas is trying to do something. Note that per that mail post I found doas auth persist has a different scope than sudo auth persist. this can have implications in a scripted environment.
As mentioned elsewhere, this is because it relies upon a kernel mechanism that Linux simply does not have, and fixing this involves fixing Linux.
To which I add that it is important not to conflate Jesse Smith's doas, the portable doas that has code for different operating systems including OpenBSD, with Duncan Overbruck's OpenDoas, the "open" doas that is tied to Linux has has had the code for other operating systems removed and mechanisms copied in from sudo for things like timeout flag files.
15 comments
[ 0.21 ms ] story [ 45.4 ms ] thread-Ehm, I try to `sudo X` and it says command not found
-Yup, that's by design. Try `doas X`
-Well, I tried sudo again and it just doesn't work. What is the root password? I need this, like, an hour ago. Do the needfull!!1!
-Sure, have your manager call me...
And I guess I can't really blame them. Their mental modal is: I need to run `sudo X`. Because, well, that's what the runbook-they-got-from-their-previous-job, Google, or ChatGPT says.
The response they get does not get them any nearer to being able to run `sudo X`. So, they get angry, and push back. Unless you can get someone to sit down, reflect, and think about what they really want to achieve, this is a situation that is very hard to resolve.
So, that's one more reason I love `doas`: it leads to, eh, valuable conversations.
And you're replying to someone who has. Life is funny like that.
* https://github.com/Duncaen/OpenDoas/issues/116#issuecomment-...
On their first day, I was helping them set up their laptop:
- You need to run `sudo X`
- types `X-but-misspelled`
- No, that's `sudo`, then `X`
- types `sudo_X-but-misspelled` (literally `sudo`-underscore-`misspelled version of X`)
- I mean, with a space after `sudo`, like using sudo to run X.
- types `sudo_X`
- Have you used sudo?
- Finally types `sudo X`.
I saved a screenshot of our zoom so I could show our mutual boss later. They ghosted us after a week.
Huh. A Unix security engineer who doesn't have sudo (or presumably doas) in muscle memory? Interesting.
Doas mastery - https://news.ycombinator.com/item?id=12429050 - Sept 2016 (15 comments)
http://man.openbsd.org/tty.4#TIOCSETVERAUTH
A post I found on the rational behind this mechanism.
https://marc.info/?l=openbsd-misc&m=150032397404966&w=2
edit: I was looking at the opendoas project and it does something with the persist option, still reading the code but it looks like it sets some sort of timestamp on file descriptor 0. update: found it, here is the timestamp code. probably a user space version of what openbsd doas does in the kernel.
https://github.com/Duncaen/OpenDoas/blob/master/timestamp.c
So linux doas is trying to do something. Note that per that mail post I found doas auth persist has a different scope than sudo auth persist. this can have implications in a scripted environment.
To which I add that it is important not to conflate Jesse Smith's doas, the portable doas that has code for different operating systems including OpenBSD, with Duncan Overbruck's OpenDoas, the "open" doas that is tied to Linux has has had the code for other operating systems removed and mechanisms copied in from sudo for things like timeout flag files.
* https://github.com/slicer69/doas
* https://github.com/Duncaen/OpenDoas