Single password root/user system with doas
Author: Jonathan Vasquez <jon@xyinn.org>
Last Updated: 2023-05-04-0830
Running On: FreeBSD 14.0-CURRENT (main-n262716-d713e0891ff9/GENERIC/amd64)
Preface
For the majority of my time using UNIX-like systems, originally Linux, and now FreeBSD, I've always preferred to administer my system as root by using su -. During my daily computing, most of the processes (X11, etc.) are going to be running as unprivileged users. However, when I'm using a computer, what I really like to do is jump deep into the machine world and explore it. A world full of possibilities. So many things to explore, so many things to discover. Oh, where does 0x4000000 lead to?
With that said, it would be annoying to always have to type sudo <cmd> when I'm trying to just be immersed in the machine as root. I want to tinker with it. Change sysctls, create and destroy boot environments. Compile stable/13 and main, and easily just restart my computer, and check out how the system is running on my current hardware, without having to commit. Just reboot into my original boot environment, and I'm done!
For me to have that level of immersion and happiness, I have to be root all the time. As I said, when I'm browsing the web and paying bills, it's definitely gonna be as a normal user. But there will be an open Terminal that will usually also be a Root Terminal -;;-. Just know what you are doing and you'll be ok. And when you mess up, well.. it's fine because you are on ZFS. Just rollback lol. FreeBSD, ZFS, Boot Environments, and the way that FreeBSD system upgrading / administration is done, are just meant to be. It's bulletproof.
At the same time, there are a few other things on my mind:
- I normally just use su - to switch to root.
- The con is that I need root to have their own password.
- To solve that problem, you can just make root and your own user have the same password, so you don't need to remember two passwords, but now you have two accounts with the same password. Since this is mostly a single user system, it doesn't matter. If you were able to actually get physical access to the machine and decrypt it, etc., then the internal system password is meaningless. The attacker could just dump the data directly onto another box, given that they would have already passed the decryption stage.
- This problem could be solved by using sudo, letting your user account use sudo to become root, and then disabling root's password by starring the password as follows:
# Example
root@leslie:~ # pw user mod root -w random
Password for 'root' is: xZehM8xUED
root@leslie:~ # pw user show root
root:$6$OB4oeqr/6slrckcf$Wq1JvSjFFM4zmHbYBnEkwu58SSOR.lGQHM2aNWJduD0Bde8nlTiqiBWyBM.CSsjFw3trinUy4y0ZqWFY5Vc8S1:0:0::0:0:Charlie &:/root:/bin/sh
# Commands to star root's password:
root@leslie:~ # pw user mod root -w no
root@leslie:~ # pw user show root
root:*:0:0::0:0:Charlie &:/root:/bin/sh
The problem here is that now you have sudo and its giant codebase. The alternative is to use doas (a lighter replacement for sudo developed by Ted Unangst from OpenBSD) and an alias to wrap su. Once you get doas set up though, you won't be able to use the persist feature, which lets you use doas without it asking you for the password again for a period of time. This only works on OpenBSD.
After thinking about it for a bit, I decided that it's ok not to have persist, and it's not a feature that I truly want or need. Given the goals stated earlier, all I really want to do is essentially let my real user account su - for itself, and accept that user account's password as root authorization. So if that's the case, let's basically replace su - (in a sense) with doas and get that benefit! So first switch to root either via su -, sudo -i, or sudo su -, whatever you want lol. Substitute any users below for your own. Make sure you have backups in case you screw something up :P :
Install doas:
root@leslie:~ # pkg install doas
Tell doas to allow the user jon to run any commands as root:
root@leslie:~ # vim /usr/local/etc/doas.conf
permit jon as root
Disable root logins by removing root's password. You should see a :*: right after the username (the password field):
root@leslie:~ # pw user mod root -w no
root@leslie:~ # pw user show root
root:*:0:0::0:0:Charlie &:/root:/bin/sh
Switch to user jon and remap su to be doas su. This allows us to wrap our long time friend su with doas, thus making doas our gatekeeper.
root@leslie:~ # su -l jon
jon@leslie:~ $ vim ~/.shrc
alias su="doas su"
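The four steps above leave three things to verify: root's password field is starred, doas.conf carries the permit rule, and su is aliased. The following script is an added example (not code from the original post) that checks each of these from text input, so it runs offline against the constructed sample values at the bottom; on a real FreeBSD host it reads the live files instead. The user name jon, the paths /usr/local/etc/doas.conf and /home/jon/.shrc, and the option words it recognises in doas.conf (nopass, nolog, keepenv, persist) are assumptions taken from the post and the doas.conf grammar, not from any project code.

```shell
#!/bin/sh
# Added example, not code from the original post: verify the end state of the
# single-password doas setup. Each check takes its input as text, so it runs
# offline against the constructed samples at the bottom; on a real FreeBSD box
# it is fed `pw user show root`, /usr/local/etc/doas.conf and the user's ~/.shrc.

# root_is_locked LINE: succeed if the password field (2nd colon-separated field
# of a passwd(5)-style line) is exactly '*', which is what
# `pw user mod root -w no` writes and what disables direct root login.
root_is_locked() {
    [ "$(printf '%s\n' "$1" | cut -d: -f2)" = "*" ]
}

# doas_permits USER CONF: succeed if CONF holds an uncommented
# 'permit [options] USER as root' rule with no command restriction.
doas_permits() {
    printf '%s\n' "$2" | grep -v '^[[:space:]]*#' |
        grep -Eq "^[[:space:]]*permit([[:space:]]+(nopass|nolog|keepenv|persist))*[[:space:]]+$1[[:space:]]+as[[:space:]]+root[[:space:]]*$"
}

# doas_uses_persist CONF: succeed if any uncommented rule asks for 'persist',
# the option the post notes only works on OpenBSD.
doas_uses_persist() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        grep -Eq '(^|[[:space:]])persist([[:space:]]|$)'
}

# shrc_aliases_su RC: succeed if RC remaps su to 'doas su' (quotes optional).
shrc_aliases_su() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*alias[[:space:]]+su=[\"']?doas su[\"']?[[:space:]]*$"
}

# check_setup USER PASSWD_LINE DOAS_CONF RC: run every check, print one line
# per check, and succeed only if all of them pass.
check_setup() {
    failures=0
    if root_is_locked "$2"; then
        echo "ok    root's password field is '*' (no direct root login)"
    else
        echo "FAIL  root still has a usable (or empty) password field"
        failures=$((failures + 1))
    fi
    if doas_permits "$1" "$3"; then
        echo "ok    doas.conf permits $1 as root"
    else
        echo "FAIL  no 'permit $1 as root' rule in doas.conf"
        failures=$((failures + 1))
    fi
    if doas_uses_persist "$3"; then
        echo "warn  a rule uses 'persist', which only works on OpenBSD"
    fi
    if shrc_aliases_su "$4"; then
        echo "ok    su is aliased to 'doas su'"
    else
        echo "FAIL  su is not aliased; plain su would ask for root's disabled password"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# Constructed sample inputs mirroring the post's end state (not real files).
SAMPLE_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/sh'
SAMPLE_DOAS='# constructed sample doas.conf
permit jon as root'
SAMPLE_SHRC='alias su="doas su"'

check_setup jon "$SAMPLE_PASSWD" "$SAMPLE_DOAS" "$SAMPLE_SHRC"

# On a FreeBSD host with doas installed, check the live files instead. Run it as
# root so `pw user show root` prints the real password field; the user name and
# home path (jon, /home/jon) are assumptions from the post.
if command -v pw >/dev/null 2>&1 && [ -r /usr/local/etc/doas.conf ]; then
    check_setup "${1:-jon}" "$(pw user show root)" \
        "$(cat /usr/local/etc/doas.conf)" "$(cat "/home/${1:-jon}/.shrc" 2>/dev/null)" ||
        echo "live system does not match the expected end state"
fi
```

The alias check is deliberately strict: the only thing standing between the user and an unaliased /usr/bin/su is the starred root password, so if ~/.shrc is not read by the shell (it is sourced through ENV from the default .profile) the setup fails closed rather than open.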
Congrats, you are now able to use a system that:
- Only has one password you need to care about.
- Uses your own user that is not root.
- Does not let you log in as root.
- Lets you escalate to root by typing su - as normal, which is actually now doas su.
Seamless transition.
Troubleshooting
If, when trying to remove the root password, you get any of these messages:
root@leslie:/usr/home/jon # pw user mod root -w no
pw: entry inconsistent
pw: pw_copy(): Invalid argument
or
root@leslie:/usr/home/jon # passwd
Changing local password for root
New Password:
Retype New Password:
passwd: entry inconsistent
passwd: pam_chauthtok(): Error in service module
You'll want to use the vipw command to manually remove the password field from the root account, and then you can retry the commands above. It should be good afterwards.
In the example above, we had:
root:$6$OB4oeqr/6slrckcf$Wq1JvSjFFM4zmHbYBnEkwu58SSOR.lGQHM2aNWJduD0Bde8nlTiqiBWyBM.CSsjFw3trinUy4y0ZqWFY5Vc8S1:0:0::0:0:Charlie &:/root:/bin/sh
After removing the password field (second column), it would look like this:
root::0:0::0:0:Charlie &:/root:/bin/sh
and then if you star out the field with the above steps, it would look like this:
root:*:0:0::0:0:Charlie &:/root:/bin/sh
You could technically just manually star it out, but I kept it as is to allow one to re-use the system commands and to let the documentation flow better.
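The three states of the root entry shown above (hashed, cleared, starred) are easy to mix up in vipw. The script below is an added example, not code from the original post: it performs the same second-field edit with awk on a constructed master.passwd-style line (the hash in it is a placeholder, not a real one) and classifies each state, so the intermediate empty field, which per passwd(5) means no password is required at all, is visible and is not the state root gets left in.

```shell
#!/bin/sh
# Added example, not from the original post: the password-field edits from the
# troubleshooting section, done on a master.passwd(5)-style line with awk so
# each intermediate state can be inspected. The sample line is constructed.

# password_field LINE: print the 2nd colon-separated field.
password_field() {
    printf '%s\n' "$1" | cut -d: -f2
}

# set_password_field LINE VALUE: print LINE with the 2nd field replaced by
# VALUE. The rest of the entry (including 'Charlie &', which contains a space)
# is untouched because awk splits on ':' only.
set_password_field() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v v="$2" '{ $2 = v; print }'
}

# clear_password_field LINE: what removing the field in vipw leaves behind.
clear_password_field() { set_password_field "$1" ""; }

# lock_password_field LINE: what `pw user mod root -w no` writes.
lock_password_field() { set_password_field "$1" "*"; }

# classify_password_field LINE: 'locked' for '*', 'none' for an empty field,
# otherwise 'hashed'. 'none' is the state not to leave root in: passwd(5)
# documents an empty field as requiring no password.
classify_password_field() {
    case "$(password_field "$1")" in
        '*') echo locked ;;
        '')  echo none ;;
        *)   echo hashed ;;
    esac
}

# Constructed sample entry; the hash is a placeholder, not a real one.
SAMPLE='root:$6$constructedsalt$constructedhash:0:0::0:0:Charlie &:/root:/bin/sh'
CLEARED=$(clear_password_field "$SAMPLE")   # after editing in vipw
LOCKED=$(lock_password_field "$CLEARED")    # after pw user mod root -w no

printf '%-7s %s\n' "$(classify_password_field "$SAMPLE")"  "$SAMPLE"
printf '%-7s %s\n' "$(classify_password_field "$CLEARED")" "$CLEARED"
printf '%-7s %s\n' "$(classify_password_field "$LOCKED")"  "$LOCKED"
```

On a live system the same classification can be applied to the real entry with `pw user show root | cut -d: -f2` as root; anything other than '*' after the steps above means the lock step did not take.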