{"id":4200,"date":"2024-11-01T07:36:02","date_gmt":"2024-10-31T22:36:02","guid":{"rendered":"https:\/\/matoken.org\/blog\/?p=4200"},"modified":"2024-11-01T07:36:04","modified_gmt":"2024-10-31T22:36:04","slug":"use-persistence-function-persist-with-opendoas-on-linux","status":"publish","type":"post","link":"https:\/\/matoken.org\/blog\/2024\/11\/01\/use-persistence-function-persist-with-opendoas-on-linux\/","title":{"rendered":"Using the persistence feature (persist) with OpenDoas on Linux"},"content":{"rendered":"<p><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"48\" height=\"48\" viewBox=\"0 0 48 48\"><g fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"4\"><path d=\"M6 6h36v36H6\"><\/path><path d=\"M6 6v36l18-6V12zm12 16v4\"><\/path><\/g><\/svg><!-- https:\/\/icon-sets.iconify.design\/icon-park-outline\/push-door\/ --><\/p>\n<div class=\"paragraph\">\n<p>There is a command called Doas that originated in OpenBSD. It is similar to sudo on Linux and other systems, but small and simple. OpenDoas, a port of this Doas command, also runs on Linux and elsewhere.<br \/>\nThe sudo command is convenient because, once authentication succeeds, sudo can be run in that session for a while without authenticating again. OpenBSD's Doas provides the same feature by checking the timeout through an OpenBSD kernel 
API, and because that API exists only on OpenBSD, it was not implemented in OpenDoas at first.<br \/>\nI noticed that at some point it had been implemented in OpenDoas as well, so I tried it out.<\/p>\n<\/div>\n<div class=\"ulist\">\n<ul>\n<li>\n<p><a href=\"https:\/\/github.com\/Duncaen\/OpenDoas\">Duncaen\/OpenDoas: A portable fork of the OpenBSD <code>doas<\/code> command<\/a><\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/cvsweb.openbsd.org\/src\/usr.bin\/doas\/\">src\/usr.bin\/doas\/<\/a><\/p>\n<\/li>\n<\/ul>\n<\/div>\n<p><!--more--><\/p>\n<div class=\"paragraph\">\n<p>Looking at GitHub, it seems to have been added around this commit. That was quite a while ago...<\/p>\n<\/div>\n<div class=\"ulist\">\n<ul>\n<li>\n<p><a href=\"https:\/\/github.com\/Duncaen\/OpenDoas\/commit\/27235dd398ab05cf7f992efe2027efc70fa0da0c#diff-7ea37791fb833311c42839877b8451c57a5b1d966c3909ccf60db95f286e7ea3R264\">add support for the verified auth ioctls using &#8216;persist&#8217; rules. 
ok de\u2026 \u00b7 Duncaen\/OpenDoas@27235dd<\/a><\/p>\n<\/li>\n<\/ul>\n<\/div>\n<div class=\"paragraph\">\n<p>Debian\/Raspberry Pi OS has a package, so I use that.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"content\">\n<pre>$ rmadison opendoas\nopendoas   | 6.8.2-1       | stable         | source, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x\nopendoas   | 6.8.2-1       | testing        | source, armel, armhf, i386, mips64el, ppc64el, s390x\nopendoas   | 6.8.2-1       | unstable       | source, armel, armhf, i386, mips64el, ppc64el, s390x\nopendoas   | 6.8.2-1       | unstable-debug | source\nopendoas   | 6.8.2-1+b1    | stable         | amd64\nopendoas   | 6.8.2-1+b1    | testing        | amd64, arm64, riscv64\nopendoas   | 6.8.2-1+b1    | unstable       | amd64, arm64, riscv64\n$ apt show opendoas\nPackage: opendoas\nVersion: 6.8.2-1\nPriority: optional\nSection: admin\nMaintainer: Scupake &lt;scupake@riseup.net&gt;\nInstalled-Size: 99.3 kB\nProvides: doas\nDepends: libc6 (&gt;= 2.33), libpam0g (&gt;= 0.99.7.1)\nBreaks: doas (&lt;&lt; 6.8.2)\nReplaces: doas (&lt;&lt; 6.8.2)\nHomepage: https:\/\/github.com\/Duncaen\/OpenDoas\nDownload-Size: 20.9 kB\nAPT-Manual-Installed: yes\nAPT-Sources: http:\/\/raspbian.raspberrypi.org\/raspbian bookworm\/main armhf Packages\nDescription: minimal replacement for sudo, with persist support\n OpenDoas: a portable version of OpenBSD's doas command\n doas is a minimal replacement for the venerable sudo. 
It was initially written\n by Ted Unangst of the OpenBSD project to provide 95% of the features of sudo\n with a fraction of the codebase.<\/pre>\n<\/div>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">Installing OpenDoas<\/div>\n<div class=\"content\">\n<pre>$ sudo apt install opendoas<\/pre>\n<\/div>\n<\/div>\n<div class=\"paragraph\">\n<p>Like the sudo group used with the sudo command, I create a <code>wheel<\/code> group and let the users in this group use doas. (Maybe I could have just reused the sudo group?)<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"content\">\n<pre>$ sudo addgroup --system wheel <b class=\"conum\">(1)<\/b>\n$ sudo usermod -aG wheel matoken <b class=\"conum\">(2)<\/b>\n$ grep ^wheel: \/etc\/group <b class=\"conum\">(3)<\/b>\nwheel:x:140:matoken<\/pre>\n<\/div>\n<\/div>\n<div class=\"colist arabic\">\n<ol>\n<li>\n<p>Create the <code>wheel<\/code> group<\/p>\n<\/li>\n<li>\n<p>Add user <code>matoken<\/code> to the <code>wheel<\/code> group<\/p>\n<\/li>\n<li>\n<p>Verify<\/p>\n<\/li>\n<\/ol>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">Configuring doas<\/div>\n<div class=\"content\">\n<pre>$ sudo install -m 0400 \/dev\/null \/etc\/doas.conf\n$ echo 'permit persist     :wheel' | sudo tee \/etc\/doas.conf <b class=\"conum\">(1)<\/b>\npermit persist  :wheel\n$ ls -l \/etc\/doas.conf <b class=\"conum\">(2)<\/b>\n-r-------- 1 root root 22 11\u6708  1 05:46 \/etc\/doas.conf<\/pre>\n<\/div>\n<\/div>\n<div class=\"colist arabic\">\n<ol>\n<li>\n<p>Configure <code>\/etc\/doas.conf<\/code> so that the <code>wheel<\/code> 
group can switch privileges with doas, and enable persistence with the <code>persist<\/code> option.<\/p>\n<\/li>\n<li>\n<p>Check the file permissions<\/p>\n<\/li>\n<\/ol>\n<\/div>\n<div class=\"admonitionblock note\">\n<table  class=\" table table-hover\" >\n<tr>\n<td class=\"icon\">\n<div class=\"title\">Note<\/div>\n<\/td>\n<td class=\"content\">\n<div class=\"exampleblock\">\n<div class=\"title\">Example 1. From DOAS.CONF(5)<\/div>\n<div class=\"content\">\n<div class=\"literalblock\">\n<div class=\"content\">\n<pre>persist  After the user successfully authenticates, do not ask for a password again for some time.<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">Checking doas and persistence behavior<\/div>\n<div class=\"content\">\n<pre>$ doas -s <b class=\"conum\">(1)<\/b>\ndoas: Operation not permitted\n$ newgrp wheel <b class=\"conum\">(2)<\/b>\n$ doas -s <b class=\"conum\">(3)<\/b>\ndoas (matoken@raspberrypi) password:\n#\nexit\n$ doas -s <b class=\"conum\">(4)<\/b>\n#\nexit\n$ doas ls -lA \/run\/doas\/\ntotal 0\n---------- 1 root wheel 0 Nov  1  2024 29125-5366-34816-25582434-1001\n$ doas -s <b class=\"conum\">(5)<\/b>\ndoas (matoken@raspberrypi) password:<\/pre>\n<\/div>\n<\/div>\n<div class=\"colist 
arabic\">\n<ol>\n<li>\n<p>The user was added to the group, but the change has not taken effect yet, so permission is denied<\/p>\n<\/li>\n<li>\n<p>For now, make it usable with the newgrp command<\/p>\n<\/li>\n<li>\n<p>The first doas requires authentication<\/p>\n<\/li>\n<li>\n<p>Running doas again right away requires no authentication<\/p>\n<\/li>\n<li>\n<p>Running doas again after some time has passed requires authentication<\/p>\n<\/li>\n<\/ol>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">Clearing persistence<\/div>\n<div class=\"content\">\n<pre>$ doas -s <b class=\"conum\">(1)<\/b>\ndoas (matoken@raspberrypi) password:\n#\nexit\n$ doas -L <b class=\"conum\">(2)<\/b>\n$ doas -s <b class=\"conum\">(3)<\/b>\ndoas (matoken@raspberrypi) password:<\/pre>\n<\/div>\n<\/div>\n<div class=\"colist arabic\">\n<ol>\n<li>\n<p>First run<\/p>\n<\/li>\n<li>\n<p>Clear the persisted authentication with the <code>-L<\/code> option<\/p>\n<\/li>\n<li>\n<p>Even if doas is run right away, authentication is required again because the persisted authentication has been cleared<\/p>\n<\/li>\n<\/ol>\n<\/div>\n<div class=\"admonitionblock note\">\n<table  class=\" table table-hover\" >\n<tr>\n<td class=\"icon\">\n<div class=\"title\">Note<\/div>\n<\/td>\n<td class=\"content\">\n<div class=\"exampleblock\">\n<div class=\"title\">Example 2. From DOAS(1)<\/div>\n<div class=\"content\">\n<div class=\"literalblock\">\n<div class=\"content\">\n<pre>-L          Clear any persisted authentications from previous invocations, then immediately exit.  
No command is executed.<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<div class=\"paragraph\">\n<p>So it looks like it can be used normally.<br \/>\nIncidentally, with the sudo command the persistence timeout can be changed in the configuration file, but in doas it appears to be hard-coded and cannot be changed through configuration.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"content\">\n<pre>timestamp_set(fd, 5 * 60);<\/pre>\n<\/div>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"title\">Environment<\/div>\n<div class=\"content\">\n<pre>$ dpkg-query -W opendoas\nopendoas        6.8.2-1\n$ lsb_release -dr\nNo LSB modules are available.\nDescription:    Raspbian GNU\/Linux 12 (bookworm)\nRelease:        12\n$ arch\narmv7l\n$ grep ^Model \/proc\/cpuinfo\nModel           : Raspberry Pi 3 Model B Rev 1.2<\/pre>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>There is a command called Doas that originated in OpenBSD. It is similar to sudo on Linux and other systems, but small and simple. OpenDoas, a port of this Doas command, also runs on Linux and elsewhere. The sudo command, once 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"webmentions_disabled_pings":false,"webmentions_disabled":false,"activitypub_content_warning":null,"activitypub_content_visibility":"","activitypub_max_image_attachments":4,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"federated","footnotes":""},"categories":[809,6,546],"tags":[1124,1125],"class_list":["post-4200","post","type-post","status-publish","format-standard","hentry","category-bookworm-raspberry-pi-os","category-linux","category-raspberry-pi-os","tag-doas","tag-opendoas"],"_links":{"self":[{"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/posts\/4200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/comments?post=4200"}],"version-history":[{"count":2,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/posts\/4200\/revisions"}],"predecessor-version":[{"id":4202,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/posts\/4200\/revisions\/4202"}],"wp:attachment":[{"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/media?parent=4200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/categories?post=4200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/matoken.org\/blog\/wp-json\/wp\/v2\/tags?post=4200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}