Doas instead of sudo....?

Anyone here running doas instead of sudo for root? I've been reading about some recent flaws in sudo and a comparison of the two. The footprint of doas is a lot smaller in source code by comparison. Before I try it out, I wanted to get some opinions on here first.

doas website


Elevating privilege is pretty important and the code supporting it has to be right. Yes, sudo had a glaring vulnerability in it, but do I think I should install some git code into PureOS, the company I trust to de-blob the Intel Management Engine? I think I will trust Purism and not jump into some random code like doas. Offer me an open Bluetooth driver and I might git that into my laptop …

Just offering a point of view as to why not to.


Yes, it’s not sufficient to have good reviewability; what is more important is demand for review, which comes with wide adoption and usage. There are people looking at sudo code and finding programming errors leading to vulnerabilities. Who looks into doas code? Absence of CVEs doesn’t mean good security; it might just be low attention.
This is just a general consideration. But thanks for bringing it up, I was not aware of this program, and looking at this comparison

$ pacman -Si sudo | grep Install
Installationsgröße       : 4557,19 KiB
$ pacman -Si opendoas | grep Install
Installationsgröße       : 46,52 KiB

I think I know which privilege elevation tool I’ll be looking at next :slight_smile:

The particular recent flaw was only an issue if someone can first get local access to your computer. For personal computers, if someone gets that access then you may have a major problem whether sudo is buggy or not.

That being said, no one likes CVEs! Although, as @ruff says, the only thing worse than a known CVE is an unknown CVE. :wink:

If your threat model is such that sudo is a problem, you’re much better off using wheel and su.

FYI, I use OpenBSD on some machines, and recent versions of OpenBSD use doas and su. OpenBSD users can still find sudo in the ports packages and install it if they want, but vanilla OpenBSD hasn’t shipped with sudo for about the last 2 years.

Re: the GitHub repo - I can’t speak for the provenance of the doas version in the GitHub repo, though.