From: "Theo de Raadt"
Subject: Re: Investigating adding functionality to doas
To: tech
Date: Fri, 29 Nov 2024 10:13:32 -0700

Florian Obser wrote:
> On 2024-11-29 16:39 UTC, Stuart Henderson wrote:
> > Or use a special binary based on doas which is _just_ used for these
> > "internal" elevations and permits only them.
>
> I have come to the conclusion (some time ago) that you can't
> restrictively elevate privileges in a safe way.
>
> So the moment you let someone run a program with doas (or sudo) you might as
> well just give them a root shell.

Whenever I try to create a sub-program in a high-level language (like ksh), there are so many potential problems passed from the parent which are difficult to anticipate and control. It's a mess.

My conclusion is you always want a daemon, a command language and operation scheme which runs on automatic and does things simply, and/or a control program which makes very narrow operation requests (almost always over AF_UNIX).

Everything else is more dangerous.
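Added example, not code from the thread or from doas: a Python sketch of the scheme Theo describes, a privileged daemon that accepts only a tiny fixed request vocabulary over an AF_UNIX socket, builds a fixed argv with a clean environment, and never sees the caller's shell or environment. The service names, the wire format and the rcctl/newsyslog paths are assumptions for illustration.

```python
"""Daemon plus narrow control program over AF_UNIX (example sketch)."""
import socket

# The entire privileged vocabulary: op -> predicate over its single argument.
# The service allow-list is constructed for the example.
ALLOWED = {
    "restart": lambda a: a in {"httpd", "sshd"},
    "rotate_logs": lambda a: a is None,
}
# Fixed argv per op (paths assumed); the argument is never shell-parsed.
COMMANDS = {
    "restart": lambda a: ["/usr/sbin/rcctl", "restart", a],
    "rotate_logs": lambda a: ["/usr/bin/newsyslog"],
}
CLEAN_ENV = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}  # nothing inherited

def parse_request(raw: bytes):
    """Accept exactly 'OP\\n' or 'OP ARG\\n' in ASCII; reject everything else."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ascii request")
    if not text.endswith("\n") or len(text) > 64:
        raise ValueError("malformed request")
    parts = text[:-1].split(" ")
    if len(parts) > 2 or "" in parts:
        raise ValueError("malformed request")
    op, arg = parts[0], (parts[1] if len(parts) == 2 else None)
    if op not in ALLOWED or not ALLOWED[op](arg):
        raise ValueError("operation not permitted")
    return op, arg

def plan(op, arg):
    """Fixed argv and clean environment: no client-controlled data reaches a shell."""
    return COMMANDS[op](arg), dict(CLEAN_ENV)

def serve_one(conn):
    """Privileged side: one request, one reply. Actually running the planned
    argv (e.g. subprocess.run(argv, env=env)) is left out of the sketch."""
    try:
        op, arg = parse_request(conn.recv(256))
    except ValueError as e:
        conn.sendall(f"ERR {e}\n".encode())
        return None
    conn.sendall(b"OK\n")
    return plan(op, arg)

def exchange(op, arg=None):
    """Unprivileged control program talking to the daemon over an AF_UNIX
    socketpair, standing in for the daemon's listening socket."""
    client, server = socket.socketpair(socket.AF_UNIX)
    with client, server:
        client.sendall((f"{op} {arg}\n" if arg else f"{op}\n").encode())
        planned = serve_one(server)
        return client.recv(256), planned
```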