gn0/dors
dors: A re-implementation of OpenBSD's doas that aims at statically guaranteed correctness

This project is still experimental. Do not use in security-critical environments.

dors lets you execute commands or edit files as another user. It aims to be a drop-in replacement for OpenBSD's doas, which itself aims to be an alternative to sudo that has significantly fewer features and is thus easier to make correct.

Since you are here, another project that you might be interested in is sudo-rs.

Contents

  1. Features
  2. Goals and non-goals
  3. Differences from doas
  4. License

Features

  • deny ...
  • permit ... cmd ... (command execution)
  • permit ... edit ... (file editing)
    • This functionality is not part of doas. Yes, I know ... the point of both doas and dors is their simplicity. But this is a feature that I have personally wanted in dors.
  • permit ... edit ... with glob patterns
  • permit nopass ...
  • permit nolog ...
  • permit persist ...
  • permit keepenv ...
  • permit setenv { ... } ...
  • permit ... as ... without pseudo-terminal
    • This requires setting the DORS_TTY_HIJACKING environment variable to confirm that you are aware of the risks.
  • permit ... as ... with pseudo-terminal

Further things to do:

  • Test business logic where system calls are involved.
    • Where possible, make functions pure by moving system calls to main.rs.
    • Where necessary, mock system calls.
  • Audit the code base.
  • Explore whether further correctness guarantees could be encoded in types.
  • Explore whether certain invariants could be proved statically.
    • FFI to code extracted by Rocq (via CertiCoq).
    • FFI to code extracted by F*.
    • Invariants verified with Creusot.
  • Port dors to NetBSD, FreeBSD, Illumos, and macOS (Tier 1 and Tier 2 platforms supported by Rust).

Goals and non-goals

Goals:

  • Guarantee correctness statically.
  • Serve as a drop-in replacement for doas.

Non-goals:

  • Add new features.
  • Port to OpenBSD where doas is native.

Differences from doas

Escaping is only accepted inside strings

doas accepts escaping anywhere in the configuration file. For example, the following two configuration lines are treated as equivalent:

permit :adm
perm\it :adm

However, dors does not accept the second line. Escaping is only allowed in strings, as in this example:

permit setenv { FOO="\x62ar" } :adm

User and group IDs are not accepted, only user and group names

doas accepts user and group IDs as well as user and group names in the configuration file. For example:

permit :1000

However, dors does not accept this line.

Relative paths for commands in rules are always resolved as if PATH=/usr/bin

[Note: Add example.]

In dors, absolute paths are strongly recommended.
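An added example covering the two preceding differences (names rather than IDs, and relative command paths resolved under /usr/bin). This is illustration code, not the project's implementation: the `parse_identity` and `resolve_rule_command` functions, the treatment of a digits-only identity as a rejected ID, and the modelling of the relative-path rule as a join with `/usr/bin` are all assumptions made for the example.

```rust
// Added example (not dors code): two checks a dors-style rule loader would
// apply to a parsed rule, following the README's stated differences from doas.

use std::path::{Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum Identity {
    User(String),
    Group(String),
}

#[derive(Debug, PartialEq)]
pub enum RuleError {
    /// A numeric user or group ID was given where dors requires a name.
    NumericId(String),
    /// The identity token carried no name at all (a bare `:`).
    EmptyIdentity,
}

/// Parse the identity field of a rule: `name` is a user, `:name` is a group.
/// A digits-only identity is rejected, so `:1000` is an error rather than
/// being read as GID 1000 the way doas would read it.
pub fn parse_identity(token: &str) -> Result<Identity, RuleError> {
    let (is_group, name) = match token.strip_prefix(':') {
        Some(rest) => (true, rest),
        None => (false, token),
    };
    if name.is_empty() {
        return Err(RuleError::EmptyIdentity);
    }
    if name.chars().all(|c| c.is_ascii_digit()) {
        return Err(RuleError::NumericId(token.to_string()));
    }
    Ok(if is_group {
        Identity::Group(name.to_string())
    } else {
        Identity::User(name.to_string())
    })
}

/// Resolve the `cmd` field of a rule. An absolute path is kept as written;
/// a relative command is resolved as if PATH=/usr/bin, i.e. under /usr/bin
/// regardless of the caller's own PATH (assumed model of the README's rule).
pub fn resolve_rule_command(cmd: &str) -> PathBuf {
    let p = Path::new(cmd);
    if p.is_absolute() {
        p.to_path_buf()
    } else {
        Path::new("/usr/bin").join(p)
    }
}

fn main() {
    // Constructed sample tokens, including the `:1000` line from the README.
    for token in ["root", ":adm", ":1000", "1000", ":"] {
        println!("{token:?} -> {:?}", parse_identity(token));
    }
    for cmd in ["/usr/local/bin/vim", "reboot"] {
        println!("{cmd:?} -> {}", resolve_rule_command(cmd).display());
    }
}
```

Fixing the lookup directory at /usr/bin means the binary a rule permits does not depend on whatever PATH the invoking user has set; writing the absolute path in the rule, as the README recommends, removes even that one lookup and makes the permitted binary explicit when the configuration is reviewed.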

dors -C ... requires permit nopass if invoked with -n

[Note: Add example.]

License

For now, proprietary, but will get a free software license later.
