Consider replacing sudo with doas
Overview
If you have ever used a linux system, chances are you also used the sudo program before - probably to execute a specific program with root permissions. On sudo’s official website, they state:
Sudo (su “do”) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments […]
While that is true, sudo provides a lot more functionality than just running a command with root permissions. It comes with a fully-featured plugin architecture, allows for defining complex rule sets and much more. While having such fine-grained control might be helpful in a corporate environment, as a regular user, it is unlikely that you will need that level of detailed control.
What is the problem with sudo?
So what exactly is the problem with sudo then? Isn’t it a good thing to have all this functionality? Well, yes and no. The codebase of the sudo program consists of hundreds of thousands of lines of code. With a larger codebase, performing a security audit becomes a lot more difficult and also a lot more time-consuming. Therefore, the chances of critical vulnerabilities ending up in the code are much higher, compared to a smaller program.
Just recently, a severe vulnerability (CVE-2021-3156) was published, that allowed an unprivileged user exploiting that vulnerability to elevate privileges to root without any authentication. While the vulnerability got patched very quickly, this is not the first time that happened. A search on the CVE-Mitre database for “sudo” returns 141 matches, indicating a history of vulnerabilities, many of which are considered to be high severity. It is likely that additional vulnerabilities will be identified in the future.
What to use, if not sudo? doas!
So, what should I use, if not sudo, you might ask? The answer is doas. It allows you to do exactly what most of you will use sudo for: To permit a user or group to perform actions with root permissions. And unlike sudo, doas features a simple and easy-to-use syntax for its rules.
Additionally, the codebase of doas is less than 4000 lines of code, making it significantly smaller in size and reducing its attack surface. This is reflected in the CVE-Mitre database, where a search for “doas” returns only 2 results.
Also, some operating systems already use doas as the default program in place of sudo. The most prominent example is OpenBSD, which switched from sudo to doas in 2015.
Installing doas
To install doas, you can just use your distribution’s package manager
or build it from source if it is not available. In my case on VoidLinux,
the command sudo xbps-install opendoas
can be used.
Next, you probably want to make sure, your user can use doas to
elevate privileges. These permissions can be specified in
/etc/doas.conf
. To add your user, simply add:
permit username as root
.
If you want to allow a user to execute a specifc program as root
without a password, you can add:
permit nopass username as root cmd /path/to/program
. More
information can be found in the doas.conf manpage.
After installing doas, you can choose to uninstall sudo from your system and use doas instead. It is worth noting that on some distributions, it may not be possible to directly uninstall sudo due to potential dependencies that could be affected. For instance, on VoidLinux, it is necessary to ignore the sudo package before removing it.
Problems with doas
Personally, I have found doas to be a great replacement for sudo in almost all cases, with only a few exceptions. One such exception is VeraCrypt, which is hardcoded to use the sudo binary and therefore does not work with doas by default. However, there is an open issue addressing this problem, including potential workarounds.
In the rare instances when doas has caused difficulties with other software, using an alias for sudo to doas has typically resolved the issue.
Summary
So, - is sudo bad? Well, not necessarily. But unless you are sysadmin that requires very specific permission rule sets, sudo is overkill for you.
By switching to doas, you get a tool, that has a smaller attack surface, provides equivalent basic functionality, and has a more intuitive syntax for configuration files (in my opinion).
Give it a try!