104

Is there an advantage of using doas over sudo (thelemmy.club)

submitted 5 months ago by whyisthesheep@thelemmy.club to c/linux@lemmy.ml

72 comments fedilink hide all child comments

I see people talking about doas saying it's just like sudo but with less features. I'm just wondering if there is any situation where you should use doas or if it's just personal preference.

top 50 comments

sorted by: hot top controversial new old

[-] lily33@lemm.ee 81 points 5 months ago* (last edited 5 months ago)

On the one hand, doas is simpler. Less code means less bugs, and lower chance someone manages to hack it and gain admin rights. On the other hand, sudo is more popular, and so has a lot more people double-checking its security. Ultimately, I don't think it matters - when someone unauthorized gains admin rights, usually it's not due to bug in sudo or doas, but other problems.

[-] tetris11@lemmy.ml 15 points 5 months ago

Well said. Check your firewalls, check your ssh config, liberally use user repositories, and always tip the guard (donate to GNU)

[-] CsXGF8uzUAOh6fqV@lemmy.world 18 points 5 months ago

I use doas just because. It's not necessary at all, but it can't hurt either (I think). It might be a bit more secure (fewer features -> fewer code -> fewer bugs -> fewer vulnerabilities, need to give password more often). Kinda cool if you want more minimalism for fun (I replaced startx with sx...)

[-] gorysubparbagel@lemmy.world 2 points 5 months ago

You can change the config so you don't need to give the password every time.

Adding the persist option only requires it once every few minutes within a terminal session.

https://manpages.debian.org/bullseye/doas/doas.conf.5.en.html#persist

load more comments (1 replies)

[-] Kalcifer@sh.itjust.works 16 points 5 months ago

doas, afaik, was originally made for FreeBSD, so some of its features aren't compatible with/haven't been implemented for Linux. That may or may not be an important issue for you to consider.

[-] rmicielski@slrpnk.net 14 points 5 months ago

OpenBSD actually, but close

[-] Andromxda@lemmy.dbzer0.com 16 points 5 months ago

Doas is more secure, sudo has had a few critical vulnerabilities in the past, because the codebase is much larger. Sudo has like a million features that most people don't need, but they significantly increase attack surface.

[-] corsicanguppy@lemmy.ca 17 points 5 months ago

Doas is more secure, sudo has had a few critical vulnerabilities in the past, because

.. it's newer. You wanted to say "it's newer." It has nowhere near the history, and looks better because it's newer.

Please, now, trot out the "use sudo if you're old" memes, because we grew that skin extra thick over the systemd counter-hate.

[-] Communist@lemmy.ml 12 points 5 months ago

I just use doas because sudo has a bunch of features i don't care about or use, and doas does everything i need while being significantly smaller.

[-] fuckwit_mcbumcrumble@lemmy.world 10 points 5 months ago

Does the size of a 6kb program really make that much of a difference?

Side note: If I'm reading this right (ignoring dependencies) sudo is 6kb while doas is 14kb.

[-] fahfahfahfah@lemmy.billiam.net 16 points 5 months ago

Sudo is 6 megabytes

[-] atzanteol@sh.itjust.works 18 points 5 months ago

Damn, that's like 4 floppies!

[-] pmk 5 points 5 months ago

The concern is not storage space, but potential bugs leading to security issues. For OpenBSD this is very important, and so they made doas.

load more comments (2 replies)

[-] Sickday@kbin.run 14 points 5 months ago

6,054.0 kB, not 6 vs 14.0 kB

[-] fuckwit_mcbumcrumble@lemmy.world 13 points 5 months ago

Ya know, I wish I could at least say something about being european and using commas instead of periods for decimal points, but I can't even say that. Still 6MB fully installed is nothing these days.

[-] acockworkorange@mander.xyz 6 points 5 months ago

And here I am wondering what went so wrong with sudo that it needs 6 fucking mibibytes to work its simple magic.

[-] atzanteol@sh.itjust.works 9 points 5 months ago

Yeah, it's gonna take forever to download over my 14.4k baud modem.

STOP PICKING UP THE PHONE MOM!

[-] tabular@lemmy.world 10 points 5 months ago

Less lines of code needed means less chances of errors and potential vulnerabilities (if number and quality of eyeballs were the same)

[-] taladar@sh.itjust.works 3 points 5 months ago

Also only really applies if you are comparing programs in the same programming language as some programs have lines that are significantly more expressive than others. Conversely, some languages have constructs that are significantly more bug-prone than others (e.g. for loops with explicit integer indices instead of higher order functions like map or iterators to iterate over a collection).

load more comments (1 replies)

[-] Communist@lemmy.ml 2 points 5 months ago

No, but it's cleaner and designed for my usecase, and no real work to setup for me, all I had to do was add an alias

[-] matcha_addict@lemy.lol 12 points 5 months ago

When I thought about this question, I decided to ditch both sudo and doas entirely. I am certain this is an unpopular opinion, but I preferred setting up a granular permission + user system instead, and keeping root privileges for only a handful of use cases (primarily for system updates and package installations).

For anything else, a dedicated user is created, and given only permissions to do that exact thing only. Many of these users have no shell access at all, and for the ones that do, I use a password manager so I don't have to memorize passwords for all of these users.

[-] atzanteol@sh.itjust.works 23 points 5 months ago

Did you know that you can configure sudo to only grant access to specific programs?

[-] matcha_addict@lemy.lol 6 points 5 months ago

Yes I did, and that's a very good point. What sudo does not allow me to do is grant a user access to modify or read specific files or directories. I can get both that and access to executing specific programs using a users/groups permission system.

Another thing I don't like about sudo is that you end up using the same password for everything, which is also the password for logging in. Putting higher privileges behind my same login password opens me to a single point of failure.

load more comments (15 replies)

[-] WalrusByte@lemmy.world 12 points 5 months ago

From what I hear, doas is more secure. I don't think it matters though, as long as you keep your system updated. I use sudo still.

[-] zephr_c@lemm.ee 9 points 5 months ago

It's really only more secure in the sense that in general more complicated programs have more things that can go wrong with them. Either bugs, or just user error.

That is a valid concern, and most people don't need or use any of sudo's extra features, so it's completely reasonable to switch to doas because of that, but it's not like there's some glaring security flaw in sudo that most people really need to worry about. Especially if they're not doing weird things in the config, which would mostly be the same people who could easily switch to doas anyway.

[-] whyisthesheep@thelemmy.club 5 points 5 months ago

Thank you I think I will stick with sudo.

[-] Yuki@kutsuya.dev 3 points 5 months ago

How is it more secure?

[-] youRFate@feddit.de 9 points 5 months ago

Afaik much smaller code base and as such easier to audit.

load more comments (7 replies)

[-] MonkderZweite@feddit.ch 8 points 5 months ago

Doas has about 90% of features with 10% of code size of sudo.

And rdo/ssu have ~140 lines of C code. Anyone knows similiar?

[-] PoorPocketsMcNewHold@lemmy.ml 8 points 5 months ago

Well, i believe in all showcased cases from people here, they are NOT replacing sudo entirely (Except if some are from BSD or if I'm incorrect with this assumption). They are just replacing their user habit with doas and use that command instead. In the end, all unix scripts or apps expect using sudo (If not, su) so... ### What's even the need to ?

Size : Installed on top of the already system present sudo.
Security : Only perhaps if you made a sudo alias to doas (But since it isn't entirely 1:1 identical, if anyone have a cleaner way of implementing that, I'm all hear)
Simplicity : You now have two tools. A easy to use keycard, and a key. The second is more complicated to use, so you use it rarely but it's still two tools instead of one.
Less dependencies : Again, unless you can actually replace it ENTIRELY, it's just an added tool (Still almost dependency free)

Really looking to corrections if i do some

[-] Presi300@lemmy.world 7 points 5 months ago

You feel smarter... Yeah, that's pretty much it.

[-] wgs 6 points 5 months ago

I find the config syntax cleaner.

[-] jimbolauski@lemm.ee 5 points 5 months ago

Security may be more likely to approve some users having doas, sudo is a no go in many restricted environment.

[-] Samueru@lemmy.world 5 points 5 months ago

doas uses like 10MIB less of mem than sudo.

[-] delirious_owl@discuss.online 8 points 5 months ago

What's the point of using MiB if you're just gonna say "like" lol

[-] Samueru@lemmy.world 2 points 5 months ago

Because it is not exactly 10MiB. Should have used about instead of like though.

load more comments (7 replies)

[-] lengau@midwest.social 3 points 5 months ago

BTW I use pkexec

load more comments

this post was submitted on 23 Mar 2024

104 points (95.6% liked)

Linux

47332 readers

1287 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz