us/config.template

SECURITY CONSIDERATIONS
=======================

1. commands must be given by absolute path, that's because if you do otherwise
	nopassword commands could be hijacked:

	in the config:
		nopass badguy as root cmd zzz
	in the shell:
		~ $ export PATH=/home/badguy/test:$PATH
		~ $ mkdir test
		~ $ printf '#!/bin/sh\nrm -rf --no-preserve-root' > test/zzz
		~ $ chmod +x test/zzz
		~ $ us zzz  #this deletes the filesystem without password!

IDEA 1
======

# this is a comment
# rules are goruped by user/group
# rules are structured somewhat like json, example:

# Only 'command' is allowed to run without a password, all the rest is blocked
ale {
	allow {
		command nopass
	}

	deny {
		/.*/
	}
}

IDEA 2 - THE DOAS WAY
=====================

# this is a comment
# every line is a rule
# rules are structured like this:

permit|deny [options] identity [as target] [cmd command [args ...]]

# look at doas.conf(5) for more information

IDEA 2-3
========

# reverse-doas way
-> identity permit|deny [command [args ...]] [options]

# but how would I distinguish between command and options? 
-> identity [options] permit|deny [command [args ...]]

# spaces are not a very good separatow when in comes to commands
-> identity,[options],permit|deny,[command [args ...]]

#
# this is kinda similar to a crontab, basically options are required
#

  # config structure:
  -> identity options as action [command [args ...]]
        ^        ^     ^   ^
     can be *    |     | permit, deny  
     can be nil (NULL) |
                     can be *
  
  # permit user "ale" to execute command "shutdown" as root without password:
    -> ale nopass root permit shutdown
  # permit members of the wheel group to execute any comands as any user:
    -> :wheel nil * permit
  # deny users of the wheel group to execute commands that begin with "sys":
  # this could be circumvented by having the command inside a shell script
    -> :wheel nil * deny /sys.*/
  # deny all users to execute all comands as any other user
    -> * nil * deny
#
# let's scramble things up to make more sense
#
     [action] options identity as [command [args ...]]
        ^        ^      ^    ^
        |        |  can both be * (any)  
        |  can be none, comma separated
      none: permit
      '!': deny (negate rule)

  # allow users of the wheel group to execute any command as root:
    -> none :wheel root
  # deny all users to execute commands that start with "sys"
    -> ! none * * /sys.*/

IDEA 3 - THE SUCKLESS WAY
=========================

configuration should happen inside a source file called config.h, to apply
changes to the configuration the program has to be recompiled
todo and notes added two files, TODO: things that still need to be taken care of that may be too long to write in the source code config.template: mockups of the config file 4 years ago			`SECURITY CONSIDERATIONS`
			`=======================`

			`1. commands must be given by absolute path, that's because if you do otherwise`
			`nopassword commands could be hijacked:`

			`in the config:`
			`nopass badguy as root cmd zzz`
			`in the shell:`
			`~ $ export PATH=/home/badguy/test:$PATH`
			`~ $ mkdir test`
			`~ $ printf '#!/bin/sh\nrm -rf --no-preserve-root' > test/zzz`
			`~ $ chmod +x test/zzz`
			`~ $ us zzz #this deletes the filesystem without password!`

			`IDEA 1`
			`======`

			`# this is a comment`
			`# rules are goruped by user/group`
			`# rules are structured somewhat like json, example:`

			`# Only 'command' is allowed to run without a password, all the rest is blocked`
			`ale {`
			`allow {`
			`command nopass`
			`}`

			`deny {`
			`/.*/`
			`}`
			`}`

			`IDEA 2 - THE DOAS WAY`
			`=====================`

			`# this is a comment`
			`# every line is a rule`
			`# rules are structured like this:`

			`permit\|deny [options] identity [as target] [cmd command [args ...]]`

			`# look at doas.conf(5) for more information`

			`IDEA 2-3`
			`========`

			`# reverse-doas way`
			`-> identity permit\|deny [command [args ...]] [options]`

			`# but how would I distinguish between command and options?`
			`-> identity [options] permit\|deny [command [args ...]]`

			`# spaces are not a very good separatow when in comes to commands`
			`-> identity,[options],permit\|deny,[command [args ...]]`

			`#`
			`# this is kinda similar to a crontab, basically options are required`
			`#`

			`# config structure:`
			`-> identity options as action [command [args ...]]`
			`^ ^ ^ ^`
			`can be * \| \| permit, deny`
			`can be nil (NULL) \|`
			`can be *`

			`# permit user "ale" to execute command "shutdown" as root without password:`
			`-> ale nopass root permit shutdown`
			`# permit members of the wheel group to execute any comands as any user:`
			`-> :wheel nil * permit`
			`# deny users of the wheel group to execute commands that begin with "sys":`
			`# this could be circumvented by having the command inside a shell script`
			`-> :wheel nil * deny /sys.*/`
			`# deny all users to execute all comands as any other user`
			`-> * nil * deny`
			`#`
			`# let's scramble things up to make more sense`
			`#`
			`[action] options identity as [command [args ...]]`
			`^ ^ ^ ^`
			`\| \| can both be * (any)`
			`\| can be none, comma separated`
			`none: permit`
			`'!': deny (negate rule)`

			`# allow users of the wheel group to execute any command as root:`
			`-> none :wheel root`
			`# deny all users to execute commands that start with "sys"`
			`-> ! none * * /sys.*/`

			`IDEA 3 - THE SUCKLESS WAY`
			`=========================`

			`configuration should happen inside a source file called config.h, to apply`
			`changes to the configuration the program has to be recompiled`