Single password root/user system with doas
Author: Jonathan Vasquez <firstname.lastname@example.org>
Last Updated: 2023-05-04-0830
Running On: FreeBSD 14.0-CURRENT (main-n262716-d713e0891ff9/GENERIC/amd64)
For the majority of my time using UNIX-like systems, originally Linux, and now FreeBSD, I've always preferred to administer my system as root by using `su -`. During my daily computing, most of the processes (X11, etc.) are going to be running as unprivileged users. However, when I'm using a computer, what I really like to do is jump deep into the machine world and explore it. A world full of possibilities. So many things to explore, so many things to discover. Oh, where does 0x4000000 lead to?
With that said, it would be annoying to always have to type `sudo <cmd>` when I'm trying to just be immersed in the machine as root. I want to tinker with it. Change sysctls, create and destroy boot environments. Compile stable/13 and main, easily restart my computer, and check out how the system is running on my current hardware, without having to commit. Just reboot into my original boot environment, and I'm done!
For me to have that level of immersion and happiness, I have to be root all the time. As I said, when I'm browsing the web and paying bills, it's definitely gonna be as a normal user. But there will be an open Terminal that will usually also be a Root Terminal -;;-. Just know what you are doing and you'll be ok. And when you mess up, well.. it's fine because you are on ZFS. Just rollback lol. FreeBSD, ZFS, Boot Environments, and the way FreeBSD system upgrades and administration are done, are just meant to be. It's bulletproof.
At the same time, there are a few other things on my mind:
- I normally just use `su -` to switch to root.
- The con is that root needs to have its own password.
- To solve that problem, you can just make root and your own user have the same password, so you don't need to remember two passwords, but now you have two accounts with the same password. Since this is mostly a single user system, it doesn't matter. If an attacker were able to get physical access to the machine and decrypt it, etc., then the internal system password is meaningless. The attacker could just dump the data directly onto another box, given that they would have already passed the decryption stage.
- This problem could be solved by using `sudo`, letting your user account use sudo to become root, and then disabling root's password by starring the password as follows:

```
# Example
root@leslie:~ # pw user mod root -w random
Password for 'root' is: xZehM8xUED
root@leslie:~ # pw user show root
root:$6$OB4oeqr/6slrckcf$Wq1JvSjFFM4zmHbYBnEkwu58SSOR.lGQHM2aNWJduD0Bde8nlTiqiBWyBM.CSsjFw3trinUy4y0ZqWFY5Vc8S1:0:0::0:0:Charlie &:/root:/bin/sh

# Commands to star root's password:
root@leslie:~ # pw user mod root -w no
root@leslie:~ # pw user show root
root:*:0:0::0:0:Charlie &:/root:/bin/sh
```
The problem here is that now you have `sudo` and its giant codebase. The alternative is to use `doas` (a lighter replacement for sudo developed by Ted Unangst from OpenBSD) and an alias to wrap `su`. Once you get `doas` set up though, you won't be able to use the `persist` feature, which lets you use `doas` without it asking you for the password again for a period of time. This only works on OpenBSD.
After thinking about it for a bit, I decided that it's ok not to have `persist`, and it's not a feature that I truly want or need. Given the goals stated earlier, all I really want to do is essentially let my real user account be able to `su -` for itself, and accept that user account's password as root authorization. So if that's the case, let's basically replace `su -` (in a sense) with `doas` and get that benefit! So first switch to root either via `sudo -i` or `sudo su -`, whatever you want lol. Substitute any users below for your own. Make sure you have backups in case you screw something up :P :
```
root@leslie:~ # pkg install doas
```

Configure `doas` to allow the user `jon` to run any commands as root:

```
root@leslie:~ # vim /usr/local/etc/doas.conf
permit jon as root
```
Disable root logins by removing root's password. You should see a `:*:` right after the user name (the password field):

```
root@leslie:~ # pw user mod root -w no
root@leslie:~ # pw user show root
root:*:0:0::0:0:Charlie &:/root:/bin/sh
```
Switch to user `jon` and remap `su` to be `doas su`. This allows us to wrap our long-time friend `su`, with `doas` becoming our gatekeeper:

```
root@leslie:~ # su -l jon
jon@leslie:~ $ vim ~/.shrc
alias su="doas su"
```
Congrats, you are now able to use a system that:
- Only has one password you need to care about.
- Uses your own user that is not root.
- Does not allow logging in as root.
- Lets you escalate to root by typing `su -` as normal, which is actually now `doas su -`.
If, when trying to remove the root password, you get any of these messages:

```
root@leslie:/usr/home/jon # pw user mod root -w no
pw: entry inconsistent
pw: pw_copy(): Invalid argument
```

```
root@leslie:/usr/home/jon # passwd
Changing local password for root
New Password:
Retype New Password:
passwd: entry inconsistent
passwd: pam_chauthtok(): Error in service module
```

You'll want to use the `vipw` command to manually remove the password field from the root account, and then you can retry the commands above. It should be good afterwards.
In the example above, we had:

```
root:$6$OB4oeqr/6slrckcf$Wq1JvSjFFM4zmHbYBnEkwu58SSOR.lGQHM2aNWJduD0Bde8nlTiqiBWyBM.CSsjFw3trinUy4y0ZqWFY5Vc8S1:0:0::0:0:Charlie &:/root:/bin/sh
```

After removing the password field (second column), it would look like this:

```
root::0:0::0:0:Charlie &:/root:/bin/sh
```

and then if you star out the field with the above steps, it would look like this:

```
root:*:0:0::0:0:Charlie &:/root:/bin/sh
```

You could technically just manually star it out, but I kept it as is to allow one to re-use the system commands, and allow the documentation to flow better.
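The setup steps above and the vipw recovery section share one state worth checking for before you walk away from the box: a root entry whose password field is empty (the intermediate vipw state) rather than starred. The script below is an added example, not code from the original post or from the doas project. It bundles offline checks for the three pieces of the setup (starred root password in master.passwd, the permit rule in doas.conf, the su alias in ~/.shrc) as POSIX sh functions that take their input as strings; the sample entries are constructed to mirror the post's output, and the function names, the fake hash and the `check_setup` wrapper are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: offline sanity checks
# for the single-password doas setup. Each check takes its input as a
# string so it can run against constructed sample data; the real paths
# (/etc/master.passwd, /usr/local/etc/doas.conf, ~/.shrc) only appear in
# the usage comment at the bottom.

# Second colon-separated field of a master.passwd entry: the password.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f2
}

# 0 when the entry can never authenticate with a password: the field is
# "*" (what `pw user mod root -w no` writes) or "*LOCKED*..." (pw lock).
# No crypt(3) output starts with "*", so such a field matches nothing.
entry_locked() {
    case "$(passwd_field "$1")" in
        '*'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# 0 when the password field is empty. This is the intermediate state after
# deleting the field in vipw, and with FreeBSD's default pam_unix (nullok)
# it means root can log in with no password at all: star it again promptly.
entry_empty() {
    [ -z "$(passwd_field "$1")" ]
}

# 0 when doas.conf (passed as a string) has an explicit "permit ... USER as
# root" rule. Comments are stripped; simple options such as nopass or
# keepenv are tolerated. Group rules (":wheel") are NOT recognised.
doas_permits_root() {
    user="$1"; conf="$2"
    printf '%s\n' "$conf" | sed 's/#.*//' |
        grep -Eq "^[[:space:]]*permit([[:space:]]+[a-z]+)*[[:space:]]+$user[[:space:]]+as[[:space:]]+root([[:space:]]|\$)"
}

# 0 when the shell rc text (passed as a string) carries the alias from the post.
su_is_wrapped() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*alias[[:space:]]+su="doas su"'
}

# Run all checks for one user; prints each finding, returns 1 on any failure.
check_setup() {
    user="$1"; root_entry="$2"; conf="$3"; rc="$4"
    status=0
    if entry_empty "$root_entry"; then
        echo "FAIL: root has an empty password field (passwordless root login)"; status=1
    elif ! entry_locked "$root_entry"; then
        echo "FAIL: root still has a password hash"; status=1
    fi
    doas_permits_root "$user" "$conf" || { echo "FAIL: no 'permit $user as root' in doas.conf"; status=1; }
    su_is_wrapped "$rc" || { echo "FAIL: su is not aliased to 'doas su' (convenience only)"; status=1; }
    return $status
}

# Constructed sample inputs mirroring the entries shown in the post.
GOOD_ROOT='root:*:0:0::0:0:Charlie &:/root:/bin/sh'
EMPTY_ROOT='root::0:0::0:0:Charlie &:/root:/bin/sh'
HASHED_ROOT='root:$6$saltsalt$fakehashforillustration:0:0::0:0:Charlie &:/root:/bin/sh'
GOOD_CONF='# let jon become root (same syntax as the post)
permit jon as root'
GOOD_RC='alias su="doas su"'

# On a live FreeBSD box (run as root, master.passwd is mode 600) this becomes:
#   check_setup jon "$(grep '^root:' /etc/master.passwd)" \
#       "$(cat /usr/local/etc/doas.conf)" "$(cat /home/jon/.shrc)"
```

The alias is a convenience, not the security boundary: anyone can still run `/usr/bin/su` directly, and that is fine precisely because a starred root password means `su` can no longer authenticate, so doas plus the user's own password is what stands between `jon` and root. The empty-field check matters for the same reason: with a wheel member and an empty root password, plain `su` would succeed without a password. `check_setup` only recognises an explicit per-user permit rule; a `permit :wheel as root` line would also grant `jon` if `jon` is in wheel, so treat a "no permit rule" finding as a prompt to read the file, not as proof of a misconfiguration.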