By admin |

The long-time use sudo command in Linux has been subject to security risks and is being deprecated and replaced with a much lighter command taken from OpenBSD called doas. The security risks have been identified in the National Vulnerability Database (NVD) CVE-2021-3156 as a High Risk. Sudo stands for superuser do whereas the doas command stands for dedicated openbsd application subexecutor. The sudo command package is roughly 20M in size whereas doas is only 570K in size. Having a much smaller code size should greatly reduce the attack vector that doas presents to malware & virus code writers over its predecessor.

The doas command has a much smaller footprint and was developed by Ted Unangst for OpenBSD. It is easy to install the replacement command in your Linux distro and disable sudo (not uninstall it), so that using the former insecure command will be averted. One does not want to attempt to uninstall and purge the sudo command in the Linux distro since this package has been intricately incorporated within the Linux system and attempting to do so might break many packages and render the system damaged. Disabling the sudo command instead is very easy to accomplish as well and does not negatively impact the system, but does prevent the Linux user from running it by mistake.

Install and Configure

Depending on the distro of Linux you're currently running, you may have a pre-configured package for doas. But, if you're like me, I'm running AV Linux MX Edition (a fork of Ubuntu and Debian) which does not. So, if you're running a derivative of Ubuntu or Debian yourself, to install the doas command in your Linux distro, you should visit slicer69's github port and clone the following from the github site using in the terminal:

git clone https://github.com/slicer69/doas

This obviously presumes that you have the git command installed ahead of time. Additionally, you should ensure that the following dependencies have been installed on your Linux system as well, and install them using sudo before proceeding:

build-essential make bison flex libpam0g-dev

You will be using the sudo command to install these dependencies or, alternatively, you can become root using su - and install them as well.

Once the dependencies have been installed, follow up by running the following series of commands in the terminal one after the other in succession:

make

sudo make install

make clean

If your distro has doas in its repository, then if running a Debian or one of its derivatives, such as Ubuntu, run the following command in the terminal:

sudo apt install doas

If running Arch Linux, then run:

sudo pacman -S opendoas

If running Fedora, Alma Linux, or Rocky Linux, then run:

sudo dnf install opendoas

Next, we need to configure doas by editing the following file as root:

/usr/local/etc/doas.conf         , or

/etc/doas.conf

using nano or your favorite text editor. The file did not exist on my system, so editing the file with nano creates the file in addition to adding content to it. Add the following lines to the doas.conf file as shown below:

permit persist username as root

# no password if you'd like

permit nopass <youruser>

or if you want to use group membership for using doas, such as the wheel group, then enter the line:

permit persist :wheel as root

Then, any member of the wheel group will be able to use doas versus sudo. Do not attempt to remove sudo from the system, however, as doing so will likely break your system.

Save and close the file. Read the options available for doas at man doas.conf.

Now, disable sudo by editing the sudoers file by running the command:

sudo visudo

and add the following line at the bottom of that file:

username ALL=(ALL:ALL) ALL, !ALL

This will prevent your user from issuing any command using sudo.

And, that's all there is to it. You can test your system to ensure that doas has been installed and configured properly by running a command, such as:

doas apt update && doas apt upgrade -y

If this is successful, then you're good to go. Now that you've disabled sudo, if you forget and run sudo instead of doas, you'll receive a warning by the system that sudo is not configured or you don't have permissions to use it.