Date: Wed, 17 Sep 2025 19:42:28 GMT
Message-Id: <202509171942.58HJgS7H033549@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Baptiste Daroussin
Subject: git: cbd62452bff6 - stable/14 - nuageinit: Add doas support
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: bapt
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: cbd62452bff6bc8837c9cffeaa4c9f43b99995ce

The branch stable/14 has been updated by bapt:

URL: https://cgit.FreeBSD.org/src/commit/?id=cbd62452bff6bc8837c9cffeaa4c9f43b99995ce

commit cbd62452bff6bc8837c9cffeaa4c9f43b99995ce
Author:     Jesús Daniel Colmenares Oviedo
AuthorDate: 2025-09-11 16:54:24 +0000
Commit:     Baptiste Daroussin
CommitDate: 2025-09-17 19:42:03 +0000

    nuageinit: Add doas support

    * Set mode of etc directory to 0755.
    * Use user.localbase sysctl instead of /usr/local.
    * Add test case for doas.
    * Set ${LOCALBASE} instead of /usr/local in nuageinit(7) man page.

    Reviewed by:    bapt@
    Approved by:    bapt@
    Differential Revision:  https://reviews.freebsd.org/D52437

    (cherry picked from commit 9a829e865697e623a046800545be7781a117125e)
---
 libexec/nuageinit/nuage.lua          | 62 +++++++++++++++++++++++++++++++++++-
 libexec/nuageinit/nuageinit          |  3 ++
 libexec/nuageinit/nuageinit.7        |  9 +++++-
 libexec/nuageinit/tests/nuageinit.sh | 12 ++++++-
 4 files changed, 83 insertions(+), 3 deletions(-)

diff --git a/libexec/nuageinit/nuage.lua b/libexec/nuageinit/nuage.lua
index b042698f97e7..ef3cfd994fe1 100644
--- a/libexec/nuageinit/nuage.lua
+++ b/libexec/nuageinit/nuage.lua
@@ -8,6 +8,17 @@ local unistd = require("posix.unistd") local sys_stat = require("posix.sys.stat") local lfs = require("lfs") +local function getlocalbase() + local f = io.popen("sysctl -in user.localbase 2> /dev/null") + local localbase = f:read("*l") + f:close() + if localbase == nil or localbase:len() == 0 then + -- fallback + localbase = "/usr/local" + end + return localbase +end + local function decode_base64(input) local b = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' input = string.gsub(input, '[^'..b..'=]', '') 
@@ -277,11 +288,59 @@ local function addsshkey(homedir, key) end end +local function adddoas(pwd) + local chmodetcdir = false + local chmoddoasconf = false + local root = os.getenv("NUAGE_FAKE_ROOTDIR") + local localbase = getlocalbase() + local etcdir = localbase .. "/etc" + if root then + etcdir= root .. etcdir + end + local doasconf = etcdir .. "/doas.conf" + local doasconf_attr = lfs.attributes(doasconf) + if doasconf_attr == nil then + chmoddoasconf = true + local dirattrs = lfs.attributes(etcdir) + if dirattrs == nil then + local r, err = mkdir_p(etcdir) + if not r then + return nil, err .. " (creating " .. etcdir .. ")" + end + chmodetcdir = true + end + end + local f = io.open(doasconf, "a") + if not f then + warnmsg("impossible to open " .. doasconf) + return + end + if type(pwd.doas) == "string" then + local rule = pwd.doas + rule = rule:gsub("%%u", pwd.name) + f:write(rule .. "\n") + elseif type(pwd.doas) == "table" then + for _, str in ipairs(pwd.doas) do + local rule = str + rule = rule:gsub("%%u", pwd.name) + f:write(rule .. "\n") + end + end + f:close() + if chmoddoasconf then + chmod(doasconf, "0640") + end + if chmodetcdir then + chmod(etcdir, "0755") + end +end + local function addsudo(pwd) local chmodsudoersd = false local chmodsudoers = false local root = os.getenv("NUAGE_FAKE_ROOTDIR") - local sudoers_dir = "/usr/local/etc/sudoers.d" + local localbase = getlocalbase() + local sudoers_dir = localbase .. "/etc/sudoers.d" if root then sudoers_dir= root .. sudoers_dir end @@ -585,6 +644,7 @@ local n = { update_packages = update_packages, upgrade_packages = upgrade_packages, addsudo = addsudo, + adddoas = adddoas, addfile = addfile } diff --git a/libexec/nuageinit/nuageinit b/libexec/nuageinit/nuageinit index 5541f6d0f164..29340a3d91ea 100755 --- a/libexec/nuageinit/nuageinit +++ b/libexec/nuageinit/nuageinit 
@@ -140,6 +140,9 @@ local function users(obj) if u.sudo then nuage.addsudo(u) end + if u.doas then + nuage.adddoas(u) + end else nuage.warn("invalid type : " .. type(u) .. " for users entry number " .. n) end diff --git a/libexec/nuageinit/nuageinit.7 b/libexec/nuageinit/nuageinit.7 index e5da5cf342e1..b527c984970c 100644 --- a/libexec/nuageinit/nuageinit.7 +++ b/libexec/nuageinit/nuageinit.7 @@ -308,7 +308,14 @@ Ignored if an encrypted password is already provided. Boolean to determine if the user account should be locked. .It Ic sudo A string or an array of strings which should be appended to -.Pa /usr/local/etc/sudoers.d/90-nuageinit-users +.Pa ${LOCALBASE}/etc/sudoers.d/90-nuageinit-users +.It Ic doas +A string or an array of strings which should be appended to +.Pa ${LOCALBASE}/etc/doas.conf +.Pp +Instead of hardcoding the username, you can use +.Sy %u Ns , +which will be replaced by the current username. .El .Pp A special case exist: if the entry is a simple string with the value diff --git a/libexec/nuageinit/tests/nuageinit.sh b/libexec/nuageinit/tests/nuageinit.sh index 619df019cc4f..2b7c5226c97a 100644 --- a/libexec/nuageinit/tests/nuageinit.sh +++ b/libexec/nuageinit/tests/nuageinit.sh @@ -120,12 +120,16 @@ users: gecos: Foo B. Bar primary_group: foobar sudo: ALL=(ALL) NOPASSWD:ALL + doas: permit persist %u as root groups: users passwd: $6$j212wezy$7H/1LT4f9/N3wpgNunhsIqtMj62OKiS3nyNwuizouQc3u7MbYCarYeAHWYPYb2FT.lbioDm2RrkJPb9BZMN1O/ - name: bla sudo: - "ALL=(ALL) NOPASSWD:/usr/sbin/pw" - "ALL=(ALL) ALL" + doas: + - "deny %u as foobar" + - "permit persist %u as root cmd whoami" EOF atf_check /usr/libexec/nuageinit "${PWD}"/media/nuageinit nocloud atf_check /usr/libexec/nuageinit "${PWD}"/media/nuageinit postnet 
@@ -148,7 +152,13 @@ EOF sed -i "" "s/freebsd:.*:1001/freebsd:freebsd:1001/" "${PWD}"/etc/master.passwd atf_check -o file:expectedpasswd cat "${PWD}"/etc/master.passwd atf_check -o file:expectedgroup cat "${PWD}"/etc/group - atf_check -o inline:"foobar ALL=(ALL) NOPASSWD:ALL\nbla ALL=(ALL) NOPASSWD:/usr/sbin/pw\nbla ALL=(ALL) ALL\n" cat ${PWD}/usr/local/etc/sudoers.d/90-nuageinit-users + localbase=`sysctl -ni user.localbase 2> /dev/null` + if [ -z "${localbase}" ]; then + # fallback + localbase="/usr/local" + fi + atf_check -o inline:"foobar ALL=(ALL) NOPASSWD:ALL\nbla ALL=(ALL) NOPASSWD:/usr/sbin/pw\nbla ALL=(ALL) ALL\n" cat "${PWD}/${localbase}/etc/sudoers.d/90-nuageinit-users" + atf_check -o inline:"permit persist foobar as root\ndeny bla as foobar\npermit persist bla as root cmd whoami\n" cat "${PWD}/${localbase}/etc/doas.conf" } nocloud_network_head()
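Review bot: In the new getlocalbase() in nuage.lua (first hunk), io.popen() can itself return nil plus an error message when the shell cannot be spawned, and the next line then dereferences it with `f:read("*l")`; guard it, e.g. `if not f then return "/usr/local" end`, so the fallback covers that case as well as the empty-output case the `localbase == nil or localbase:len() == 0` test already handles. The helper is also called afresh by both adddoas() and addsudo(), forking sysctl twice per user entry; caching the result in a module-local variable would avoid that.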
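Review bot: In adddoas() (second nuage.lua hunk), `rule:gsub("%%u", pwd.name)` passes the username as a gsub replacement string, in which `%` is an escape character, so a name containing `%` would raise an error or substitute unexpectedly instead of being inserted literally. Escape it first, e.g. `local name = pwd.name:gsub("%%", "%%%%")`, or use a function replacement, `rule:gsub("%%u", function() return pwd.name end)`. The two failure paths also surface differently: the mkdir_p failure does `return nil, err .. " (creating " .. etcdir .. ")"` while the io.open failure calls warnmsg() and returns nothing; pick one convention (warnmsg() in both, or a `false, err` return from both) so a missing or unwritable doas.conf is reported the same way. Style nit: `etcdir= root .. etcdir` lacks the space before `=`, mirroring the `sudoers_dir= root .. sudoers_dir` line in the addsudo() context.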
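Review bot: The new `nuage.adddoas(u)` call in the nuageinit hunk discards the function's return values, and adddoas() returns nil both on success and on its mkdir_p failure path (`return nil, err`), so the error string built there never reaches a log. Either make adddoas() return true on success and check `local ok, err = nuage.adddoas(u); if not ok then nuage.warn(err) end` here, or have adddoas() report through warnmsg() itself, as it already does when io.open fails. The adjacent `nuage.addsudo(u)` call has the same shape, so if addsudo() follows the same return convention the fix should cover both.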
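Review bot: The nuageinit.7 hunk documents the path as `${LOCALBASE}/etc/doas.conf` but does not say where that value comes from; a sentence noting that it is read from the `user.localbase` sysctl and falls back to `/usr/local` when the sysctl is unavailable (which is what getlocalbase() does) would make the man page match the code. It would also help to state that rules are appended verbatim with only `%u` substituted, so no validation of doas grammar happens here, and that the file is created with mode 0640 when it does not already exist. The `%u` paragraph sits under `doas` only, which matches the implementation since addsudo() performs no such substitution; saying so explicitly would stop readers assuming it also works for `sudo`.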
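Review bot: The fixture added in the first nuageinit.sh hunk runs against a fresh `${PWD}` tree, so only the branch where doas.conf does not yet exist is exercised (both `chmoddoasconf` and `chmodetcdir` end up true). The append-to-existing-file branch, where adddoas() must leave the existing mode alone, is never taken; pre-creating `${localbase}/etc/doas.conf` in a second run, or running the test twice and checking the file is appended rather than rewritten, would cover it. The two entries do cover the string form, the array form and the `%u` substitution, which is good.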
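Review bot: The assertions added in the last nuageinit.sh hunk check only the content of doas.conf and not the modes the commit message promises (0640 on the file, 0755 on the etc directory when it is created), so a regression in either chmod() call would still pass; add a check such as `atf_check -o inline:"640\n" stat -f %Lp "${PWD}/${localbase}/etc/doas.conf"` and the equivalent for the directory. Note also that the `sysctl -ni user.localbase` lookup with a `/usr/local` fallback duplicates the logic of getlocalbase(), which is fine in a test but means the Lua fallback branch is never exercised on a host where the sysctl exists.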