OK, so to begin with, I was wrong about doas only allowing environment variables to be preserved on a per-command basis. (I.e., I thought you could only say "preserve vars X, Y, and Z for each command, and that you couldn’t say “preserve these environment variables regardless of what command I run”. This was due to me misreading OpenBSD’s doas.conf manpage (doas.conf(5) - OpenBSD manual pages). The Arch Wiki page for doas at doas - ArchWiki corrected my understanding here, the syntax to use for enabling an environment variable to be passed through on a per-user or per-group (rather than per-command) basis is apparently:
permit setenv { VAR1 VAR2 } :group
I’ll amend my original post to reflect this.
To follow up on my previous review of doas porting feasibility, I’ve taken a look at both Kicksecure and Whonix running under Qubes OS. Here are the results. Just like before, a checkmark means “looks like it can be ported” or “isn’t necessary”, while no checkmark means it’s likely to be problematic.
/etc/sudoers.d/qt_x11_no_mitshm
- Specifies an environment variable to be preserved that affects all utilities on the system that leverage Qt. Depending on how exactly this rule is used, this could be trivial to translate, or it could be slightly tricky.
Defaults env_keep += "QT_X11_NO_MITSHM"- translates to (roughly):
permit setenv { QT_X11_NO_MITSHM } :sudo
/etc/sudoers.d/qubes
- This looks like a generic account-wide nopasswd exception for the
qubesgroup. There’s some SELinux stuff going on with it that can’t be ported, but since Kicksecure is based on Debian I don’t expect this to be a problem (I don’t believe SELinux is even used in Whonix or other Debian-based Qubes).
/etc/sudoers.d/qubes-input-trigger
- Contains several NOPASSWD exceptions for starting various Qubes input-related services as root. There are four sets of nine services each, each set is handled by one line of sudoers config, which covers all nine services with the help of a regex match. We don’t get regex matching in doas, so this would have to be replaced with 36 lines of doas configuration. Not great, but not horrible.
user ALL=(root) NOPASSWD:/bin/systemctl --no-block start qubes-input-sender-keyboard@event[0-9].service- translates to
permit nopass user as root cmd /bin/systemctl args --no-block start qubes-input-sender-keyboard@event0.service, plus eight more lines withevent1.service,event2.service, etc.
/etc/sudoers.d/umask
- Trouble. This one changes umask settings for sudo commands in general. doas handles umask configuration entirely on its own and does not allow the end-user to configure it. Thus this cannot be translated. Depending on what doas’s umask settings are and how vital this configuration is, this may or may not be a blocker.
edit: somehow the O in “OK” got replaced by a smiling emoji, fixed it