Fix various bugs

- Fix bug that caused lock file to persist between edits
- Fix bugs in configuration creation and parsing
- Fix bugs in command line parsing

Author: odedlaz

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.0
+current_version = 0.2.0
 message = Bump version: {current_version} →  {new_version}
 commit = True
 tag = False

CMakeLists.txt

@@ -63,7 +63,7 @@ set(CPACK_PACKAGE_NAME "doas")
 set(CPACK_PACKAGE_VENDOR "odedlaz")
 set(CPACK_DEBIAN_PACKAGE_MAINTAINER "Oded Lazar")
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "execute commands as another user")
-set(CPACK_PACKAGE_VERSION "0.1.0")
+set(CPACK_PACKAGE_VERSION "0.2.0")
 set(CPACK_DEBIAN_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION}")
 set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "${CPU_ARCH}")
 set(CPACK_OUTPUT_FILE_PREFIX "${CMAKE_SOURCE_DIR}/pkg")

README.md

@@ -17,53 +17,6 @@ The gist is that `sudo` is hard to configure and does a lot more then the standa
 The original utility only targeted *OpenBSD*, and lacked features that I felt were missing from it and `sudo` as well.  
 Furthermore, all ports I looked at weren't production read & poorly written.
 
-## Changes compared to the original
-
-### Security checks
-
-The original `doas` doesn't check the owners & permissions of the binary and configuration file.
-`sudo` checks those, but only warns the user.
-
-This version ensures the binary and configuration file are owned by `root:root`.  
-It also ensures the binary has [setuid](https://en.wikipedia.org/wiki/Setuid), and that the configuration file has only read permissions.
-
-Furthermore, only full paths of commands are allowed in the configuration file.  
-The idea is that privileged users (i.e: members of the *wheel* group) need to explicitly set the rule instead of depending on the running user's path.
-
-### Edit mode
-
-```bash
-doas -E
-```
-
-`doas` allows any privileged user (i.e: members of the *wheel* group) to edit the configuration file safely.
-Furthermore, if the configuration file is corrupted, privileged users can still access it and edit it.
-
-The edit option is similar to `visudo`, it creates a copy of the configuration and updates the real configuration only when the copy is valid.
-
-Non-privileged users are not allowed to edit the configuration.
-
-### Verbose mode
-
-```
-doas -V
-```
-
-`doas` allows to show logging information to privileged users. That information shows which rules are being loaded & how they are processed.  
-
-Non-privileged users are not allowed to turn on verbose mode.
-
-###  Dump mode
-
-```
-doas -D
-```
-
-`doas` allows the user to dump the permissions it loaded to screen.  
-group permissions and command globs are expanded into individual rules as well.
-
-privileged users see the permissions of all users instead of only their own.
-
 ## Project Goals
 
 * ***Secure***. User's must not be able to abuse the utility, and it should protect the user from making stupid mistakes.
@@ -110,6 +63,10 @@ $ mkdir -p doas/build && cd doas/build && cmake .. && cd ..
 
 **[!]** If you're familiar with [direnv](https://oded.blog/2016/12/29/direnv/) and use  [fish shell](https://fishshell.com/) you'll enjoy a pre-baked environment.
 
+## Project Status
+
+Version `0.2.0` is out and has complete feature parity with the original `doas`.
+
 ## Authors
 
 The main author is [Oded Lazar](https://oded.blog/whoami/)
@@ -122,7 +79,52 @@ If you are interested in contributing but not sure where to start, feel free to
 
 Once I feel this method is not effective anymore, I'll probably create a slack channel or IRC channel.
 
+## Changes compared to the original
+
+### Security checks
+
+The original `doas` doesn't check the owners & permissions of the binary and configuration file.
+`sudo` checks those, but only warns the user.
+
+This version ensures the binary and configuration file are owned by `root:root`.  
+It also ensures the binary has [setuid](https://en.wikipedia.org/wiki/Setuid), and that the configuration file has only read permissions.
+
+Furthermore, only full paths of commands are allowed in the configuration file.  
+The idea is that privileged users (i.e: members of the *wheel* group) need to explicitly set the rule instead of depending on the running user's path.
+
+### Edit mode
+
+```bash
+doas -E
+```
+
+`doas` allows any privileged user (i.e: members of the *wheel* group) to edit the configuration file safely.
+Furthermore, if the configuration file is corrupted, privileged users can still access it and edit it.
 
+The edit option is similar to `visudo`, it creates a copy of the configuration and updates the real configuration only when the copy is valid.
+
+Non-privileged users are not allowed to edit the configuration.
+
+### Verbose mode
+
+```
+doas -V
+```
+
+`doas` allows to show logging information to privileged users. That information shows which rules are being loaded & how they are processed.  
+
+Non-privileged users are not allowed to turn on verbose mode.
+
+###  Dump mode
+
+```
+doas -D
+```
+
+`doas` allows the user to dump the permissions it loaded to screen.  
+group permissions and command globs are expanded into individual rules as well.
+
+privileged users see the permissions of all users instead of only their own.
 ## Examples
 
 Ted Unagst's wrote a great blog post called [doas mastery](https://www.tedunangst.com/flak/post/doas-mastery). Because the project has *complete feature parity* with the OpenBSD version, the mentioned post should be a good starting point.

include/version.h

@@ -1,5 +1,5 @@
 #pragma once
 
 namespace doas {
-#define VERSION "0.1.0"
+#define VERSION "0.2.0"
 }

man/doas.conf.md

@@ -8,7 +8,7 @@ in the **doas.conf** configuration file.
 
 rules have the following format:
 
-    **permit**|**deny** [*options*] *identity* [**as** *target*] [**cmd** *command* [**args** ...]]
+   **permit**|**deny** [*options*] *identity* [**as** *target*] [**cmd** *command* [**args** ...]]
 
 They consist of the following parts:
 

src/actions.cpp

@@ -87,6 +87,9 @@ void doas::EditConfiguration(const OptArgs &opts, const Permissions &permissions
     if (!utils::AskQuestion(prompt)) {
       throw doas::PermissionError("doas.conf is being edited from another session");
     }
+    if (remove(PATH_EDIT_LOCK) != 0) {
+      throw doas::IOError("%s: %s", PATH_EDIT_LOCK, std::strerror(errno));
+    }
   }
 
   if (!auth::Authenticate(permissions.PamService(), true, true)) {
@@ -99,7 +102,6 @@ void doas::EditConfiguration(const OptArgs &opts, const Permissions &permissions
   std::string tmpconf{"/tmp/doas.tmp"};
   utils::path::Touch(tmpconf);
   Permissions::SecureFile(tmpconf);
-  utils::path::Copy(PATH_CONFIG, tmpconf);
 
   DEFER({
           if (remove(PATH_EDIT_LOCK) != 0) {
@@ -112,6 +114,8 @@ void doas::EditConfiguration(const OptArgs &opts, const Permissions &permissions
           }
         });
 
+  utils::path::Copy(PATH_CONFIG, tmpconf);
+
   std::vector<char *> cmdargv{
       strdup(utils::GetEditor().c_str()),
       strdup(tmpconf.c_str()),

src/conf.cpp

@@ -101,7 +101,8 @@ const std::vector<std::string> &GetExecutables(const std::string &glob_pattern,
 
   if (retval != 0) {
     logger::debug() << "glob(\"" << glob_pattern << "\") returned " << retval << std::endl;
-    throw doas::IOError("no executables at %s", glob_pattern.c_str());
+    logger::warning() << "there are no executables at " << glob_pattern << std::endl;
+    return vec;
   }
 
   for (size_t i = 0; i < globbuf.gl_pathc; i++) {
@@ -251,7 +252,10 @@ Permissions::Permissions(const std::string &path, const std::string &auth_servic
     : path_{path}, auth_service_{auth_service} {
   if (path_ == PATH_CONFIG) {
     if (!path::Exists(path_)) {
-      path::Touch(path_);
+      std::fstream fs;
+      fs.open(path_, std::ios::out);
+      DEFER (fs.close());
+      fs << "# Welcome to doas!";
       Permissions::SecureFile(path_);
     }
 

src/doas.cpp

@@ -103,7 +103,7 @@ int Do(Permissions &permissions, const OptArgs &opts) {
   // up to here, we don't check if the file is valid
   // because the edit config command can edit invalid files
   if (!permissions.Size() > 0) {
-    throw doas::PermissionError("doas.conf is either invalid");
+    throw doas::PermissionError("doas.conf is either invalid or empty.\n! notice that you're not a member of 'wheel'");
   }
 
   if (opts.ShowPermissions()) {