Sudo is a utility that lets you run a command with root privileges, but the issue with sudo is that it has so many lines of code: when the source code is compressed to a zip file it is around 5.6 MB, whereas opendoas is around 53 KB. The more lines of code, the bigger the attack surface, and that is not something I want when running commands with root privileges, so I decided to replace sudo with doas.
On Arch Linux it is quite easy. First run the installation command:

sudo pacman -S opendoas

Create a new file /etc/doas.conf with the following content:

permit setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin} :wheel

This single rule allows members of the wheel group to run commands through doas, and the setenv option fixes PATH to the system directories for the elevated command.
Now test the command by uninstalling sudo, assuming your account is in the wheel group:

doas pacman -R sudo

Then secure doas.conf:

doas chown -c root:root /etc/doas.conf
doas chmod -c 0400 /etc/doas.conf

Well done, you have completed setting up doas.
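Before the "doas pacman -R sudo" step it is worth confirming that the new config will actually be accepted, because once sudo is gone a rejected doas.conf leaves you without a working privilege-escalation path. The following POSIX sh script is an added pre-flight check and is not part of the original post; it assumes GNU or busybox stat, the doas.conf rule grammar shown in its header comment, and calls doas -C only when doas is installed.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original post: run it before
# "doas pacman -R sudo" so a rejected /etc/doas.conf cannot leave you without root.
# Assumes GNU/busybox stat and this doas.conf rule grammar (options may be absent):
#   permit|deny [nopass|nolog|persist|keepenv|setenv {...}] identity [as target] [cmd command [args ...]]

# doas refuses a config that is not owned by root (uid 0).
conf_owner_ok() { [ "$(stat -c %u "$1")" = 0 ]; }

# doas refuses a config writable by group or other; the post's 0400 satisfies this.
conf_mode_ok() {
    case "$(stat -c %A "$1")" in
        ?????w*|????????w*) return 1 ;;
    esac
}

# Structural check of a single rule line (comments and blank lines excluded).
rule_ok() {
    set -f; set -- $1; set +f               # split on whitespace, no globbing
    case "${1:-}" in permit|deny) ;; *) return 1 ;; esac
    shift
    while [ $# -gt 0 ]; do                  # consume leading options
        case "$1" in
            nopass|nolog|persist|keepenv) shift ;;
            setenv) shift                   # skip through the closing brace
                while [ $# -gt 0 ]; do t=$1; shift; case "$t" in *\}) break ;; esac; done ;;
            *) break ;;
        esac
    done
    case "${1:-}" in ''|as|cmd|args) return 1 ;; esac   # identity is mandatory
    shift
    if [ "${1:-}" = as ];  then [ -n "${2:-}" ] || return 1; shift 2; fi
    if [ "${1:-}" = cmd ]; then [ -n "${2:-}" ] || return 1; shift 2; fi
    [ $# -eq 0 ] || [ "$1" = args ]
}

# Every non-comment, non-blank line of the file must be a well-formed rule.
conf_rules_ok() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        rule_ok "$line" || { echo "bad rule: $line" >&2; return 1; }
    done < "$1"
}

# Run all checks; doas's own parser has the final word when it is installed.
preflight() {
    f=${1:-/etc/doas.conf}
    conf_owner_ok "$f" && conf_mode_ok "$f" && conf_rules_ok "$f" || return 1
    if command -v doas >/dev/null 2>&1; then doas -C "$f" || return 1; fi
    echo "$f passed all checks; it is safe to remove sudo now"
}
```

Run "preflight" (or "preflight /path/to/candidate.conf") as root after writing the rule and before removing sudo; a non-zero exit means stop and fix the file first.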
Optional Stuff

Creating a sudo symlink to doas (this needs root, hence the doas prefix):

doas ln -s "$(which doas)" /usr/bin/sudo
Creating a safe environment for editing doas.conf, similar to visudo.

Create /root/script/vidoas and add the following; you may want to replace nvim with your preferred text editor. 🙂
#!/bin/dash
# Edit a private copy of doas.conf and only install it if doas accepts it.
# mktemp gives an unpredictable directory name and creates it with mode 700,
# which is safer than a date-based name in the shared /tmp.
DOASDIR=$(mktemp -d /tmp/doas-XXXXXX) || exit 1
DOASFILE="$DOASDIR/doas.conf"
cp /etc/doas.conf "$DOASFILE"
chmod 600 "$DOASFILE"
nvim "$DOASFILE"
sync
# Validate with doas itself; only a config that parses replaces the live one.
if doas -C "$DOASFILE"; then
    echo "valid config"
    cp "$DOASFILE" /etc/doas.conf && chmod 400 /etc/doas.conf
else
    echo "invalid config, /etc/doas.conf left unchanged"
fi
sync
rm -rf "$DOASDIR"
Then create /usr/local/bin/vidoas and add the following:

#!/bin/dash
# Wrapper: elevate through doas when not already root, then run the real script.
if [ "$(id -u)" != 0 ]; then
    doas /root/script/vidoas
else
    /root/script/vidoas
fi
Change the permissions of both files:

doas chmod 700 /root/script/vidoas
doas chmod 755 /usr/local/bin/vidoas

Then test it by running vidoas. It should open a temporary copy of the file in your preferred text editor, and on exit it will apply the changes if there are no errors.