Doas rules for specific commands not functioning

Here’s the relevant part from my configuration.nix:

    security.doas = {
      enable = true;
      extraRules = [{
        groups = [ "wheel" ];
        keepEnv = true;
        persist = true;
      }];
      extraConfig = ''
        permit nopass :wheel as root cmd "${pkgs.systemd}/bin/systemctl reboot"
        permit nopass :wheel as root cmd "${pkgs.systemd}/bin/systemctl poweroff"
        permit nopass :wheel as root cmd "${pkgs.systemd}/bin/systemctl suspend"
        permit nopass :wheel as root cmd "${pkgs.coreutils}/bin/ls"
      '';
    };

However, doas systemctl reboot/poweroff/suspend still asks me for my password.

doas ls also asks for a password; I put it here just to see if the problem is in the specific commands, but it appears that this is not the case.

Have you read the generated /etc/doas.conf file?

Yes, I did. It looks fine to me but I don’t really understand the proper method to write those rules. I tried to do everything according to the doas.conf man page but it doesn’t seem to work:

    # To modify this file, set the NixOS options
    # `security.doas.extraRules` or `security.doas.extraConfig`. To
    # completely replace the contents of this file, use
    # `environment.etc."doas.conf"`.

    # extraRules

    permit     setenv { SSH_AUTH_SOCK TERMINFO TERMINFO_DIRS  } :wheel

    permit   persist keepenv setenv { SSH_AUTH_SOCK TERMINFO TERMINFO_DIRS  } :wheel

    # extraConfig
    permit nopass :wheel as root cmd "/nix/store/d9ff8aqv537mlhpinncx6dwc7a5ky6gk-systemd-255.6/bin/systemctl reboot"
    permit nopass :wheel as root cmd "/nix/store/d9ff8aqv537mlhpinncx6dwc7a5ky6gk-systemd-255.6/bin/systemctl poweroff"
    permit nopass :wheel as root cmd "/nix/store/d9ff8aqv537mlhpinncx6dwc7a5ky6gk-systemd-255.6/bin/systemctl suspend"
    permit nopass :wheel as root cmd "/nix/store/ysqx2xfzygv2rxl7nxnw48276z5ckppn-coreutils-9.5/bin/ls"

    # "root" is allowed to do anything.
    permit nopass keepenv root

I am a bit uncomfortable with those commands starting with /nix/store/...
Maybe doas does not recognize ls, but the whole string /nix/store/ysqx2xfzygv2rxl7nxnw48276z5ckppn-coreutils-9.5/bin/ls. Can you test it (doas /nix/store/ysqx2xfzygv2rxl7nxnw48276z5ckppn-coreutils-9.5/bin/ls)?


You are right, writing the full path before the command makes it run without a password. How would I make it work for just ls (and also the other commands listed in my config file)?

Replacing the path with just the command (systemctl reboot, for instance) helped; not sure if it’s the right way to do it though.

From my experience with sudo rules, depending on the shell it expands the executable in different ways. To fix your problem you probably just need to copy the path from which ls. In my situation this is /run/current-system/sw/bin/ls. I would guess replacing each item with /run/current-system/sw/bin/<NAME> instead of the nix store path would fix it.

You probably don’t want to just do the command name because then a fake executable could be made to gain root permissions.

sudo rules are VERY different from doas rules (at least in my experience). What you wrote seemed like a good solution, but it doesn’t work. It still asks for a password when running the command from a CLI.
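One detail in the generated file explains why the systemctl rules never match even with the full path: in doas.conf(5) the word after cmd is the command exactly as the user types it, and arguments belong after a separate args keyword, so cmd "/path/systemctl reboot" names a command literally called "systemctl reboot". The following is an added example, not code from the thread: a small Python simulation of doas rule matching (rules parsed per doas.conf(5), argv[0] compared as typed, args compared word for word, last matching rule wins) that checks the quoted form beside the cmd ... args ... form, using the /run/current-system/sw/bin path suggested above.

```python
import shlex

def parse_rules(conf):
    rules = []
    for line in conf.splitlines():
        words = shlex.split(line, comments=True)  # honours "quoted words" and # comments
        if not words or words[0] not in ("permit", "deny"):
            continue
        rule = {"action": words[0], "nopass": False, "ident": None, "cmd": None, "args": None}
        i = 1
        while i < len(words):
            w = words[i]
            if w == "nopass":
                rule["nopass"] = True
            elif w == "setenv":  # skip the { VAR ... } block
                i = words.index("}", i)
            elif w == "as":  # target user; not needed for matching here
                i += 1
            elif w == "cmd":  # exactly ONE word follows, quotes included
                i += 1
                rule["cmd"] = words[i]
            elif w == "args":  # rest of the line; empty means "no arguments allowed"
                rule["args"] = words[i + 1:]
                break
            elif w not in ("persist", "keepenv"):
                rule["ident"] = w  # user name or :group
            i += 1
        rules.append(rule)
    return rules

def rule_matches(rule, idents, argv):
    """argv[0] is compared exactly as typed; args must match word for word."""
    if rule["ident"] not in idents:
        return False
    if rule["cmd"] is not None and rule["cmd"] != argv[0]:
        return False
    return rule["args"] is None or rule["args"] == list(argv[1:])

def decide(conf, idents, argv):
    """Last matching rule wins and the default is deny, as in doas(1)."""
    result = "deny"
    for r in parse_rules(conf):
        if rule_matches(r, idents, argv):
            result = "deny" if r["action"] == "deny" else ("permit nopass" if r["nopass"] else "permit")
    return result

# Constructed configs: the thread's form (command + argument in ONE quoted word) vs the doas.conf(5) form.
BASE = "permit persist keepenv setenv { SSH_AUTH_SOCK TERMINFO } :wheel\n"
BROKEN = BASE + 'permit nopass :wheel as root cmd "/run/current-system/sw/bin/systemctl reboot"\n'
FIXED = BASE + "permit nopass :wheel as root cmd /run/current-system/sw/bin/systemctl args reboot\n"
```

Against the real binary the same check is doas -C /etc/doas.conf command [args], which prints permit, permit nopass or deny for the given invocation without running anything.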