How to properly avoid dozens of password prompt when using --sudo doas?

[amalgame21]

This is nice to see tomb support doas.
However when using tomb --sudo doas -D open -f tombfile -k tombfile.key
Sometimes the doas password prompt for about 30 times in order to do one successful mount.
The persist option did not work in the /etc/doas.conf
What is the proper way to avoid this? Thanks.

[Narrat]

As there are various implementations of doas around. Which one are you using?

[amalgame21]

As there are various implementations of doas around. Which one are you using?

OpenDoas

[Narrat]

Okay. Just to make sure: Could you paste how you set the persist option in the config?
There seems to be various ways but only one that is right.

[amalgame21]

I make the /etc/doas.conf just simply permit persist :wheel but still have this issue.
After creating this issue, I found a document in this repo: https://github.com/dyne/Tomb/blob/master/extras/test/doas.conf
I just copied all of the entries in the /etc/doas.conf and replace root with my username, it seems solved the problem.
Now I just create a script to uncomment those lines in /etc/doas.conf before (un)mount and comment out after (un)mount, but I think this is just some kind of work around.

I installed tomb with tomb-git in the aur, version 2.9.r67.g59d7331-1
My system is endeavouros

[amalgame21]

I switched to NixOS and this problem still exist.

I followed exactly the configuration here: https://nixos.wiki/wiki/Doas

And this is the outcome of /etc/doas.conf after applying the above config:

# To modify this file, set the NixOS options
# `security.doas.extraRules` or `security.doas.extraConfig`. To
# completely replace the contents of this file, use
# `environment.etc."doas.conf"`.

# extraRules

permit     setenv { SSH_AUTH_SOCK TERMINFO TERMINFO_DIRS  } :wheel   
permit   persist keepenv setenv { SSH_AUTH_SOCK TERMINFO TERMINFO_DIRS  } myusername 


# extraConfig


# "root" is allowed to do anything.
permit nopass keepenv root

And because of the immutable nature of NixOS, now I cannot use some custom scripts to manipulate /etc/doas.conf before and after the tomb command, which I did before in arch linux as a workaround.

Can't no one reproduce this problem? I can reproduce it on all of my machines .

[amalgame21]

Just like this, I input 8 passwords to mount a single tomb image.
One of them is from pinentry-gnome.

$ tomb -f -D --sudo doas -k ./security.tomb.key open ./security.tomb
tomb  .  Privilege escalation tool configured: doas
tomb [D] Identified caller: myusername (1000:1000)
tomb [D] Tomb command: open ./security.tomb
tomb [D] Caller: uid[1000], gid[1000], tty[/dev/pts/4].
tomb [D] Temporary directory: /tmp
tomb  .  Commanded to open tomb ./security.tomb
tomb [D] is_valid_tomb ./security.tomb
tomb [D] tomb file is readable
tomb [D] tomb file is a regular file
tomb [D] tomb file is not empty
tomb [D] Super user execution using doas
doas (myusername@nixos) password:
tomb [D] Super user execution using doas
doas (myusername@nixos) password:
tomb [D] Mapper: tomb.security.d276b4b18c3aaa1c6e5df7e270cc9eb256f462f70cc1760e7596ed6520383376.loop0
tomb [D] tomb file is not currently in use
tomb  .  Valid tomb file found: ./security.tomb
tomb [D] load_key argument: ./security.tomb.key
tomb [D] load_key: ./security.tomb.key
tomb [D] is_valid_key
tomb  .  Key is valid.
tomb  .  Mountpoint not specified, using default: /run/media/myusername/security
tomb (*) Opening security on /run/media/myusername/security
tomb [D] Super user execution using doas
doas (myusername@nixos) password:
tomb [D] Super user execution using doas
doas (myusername@nixos) password:
tomb [D] Super user execution using doas
doas (myusername@nixos) password:
tomb [D] Super user execution using doas
tomb  .  This tomb is a valid LUKS encrypted device.
tomb [D] Super user execution using doas
doas (myusername@nixos) password:
tomb  .  Cipher is "aes" mode "xts-plain64" hash "sha512"
tomb [D] Tomb key: ./security.tomb.key
tomb [D] Tomb name: security (to be engraved)
tomb  .  A password is required to use key ./security.tomb.key
tomb [D] asking password with tty=/dev/pts/4 lc-ctype=en_US.UTF-8
tomb [D] X11 display detected
tomb [D] using pinentry-gtk2
tomb [D] get_lukskey
tomb [D] Created tempfile: /tmp/2626325144242584501
tomb [D] gpg: AES256.CFB encrypted data
tomb [D] [GNUPG:] NEED_PASSPHRASE_SYM 9 3 2
tomb [D] gpg: encrypted with 1 passphrase
tomb [D] [GNUPG:] BEGIN_DECRYPTION
tomb [D] [GNUPG:] DECRYPTION_INFO 2 9 0
tomb [D] [GNUPG:] PLAINTEXT 62 1672840685
tomb [D] [GNUPG:] DECRYPTION_OKAY
tomb [D] [GNUPG:] GOODMDC
tomb [D] [GNUPG:] END_DECRYPTION
tomb [D] get_lukskey returns 0
tomb  .  Password OK.
tomb [D] Super user execution using doas
DM-UUID for device tomb.security.d276b4b18c3aaa1c6e5df7e270cc9eb256f462f70cc1760e7596ed6520383376.loop0 was truncated.
tomb [D] lo_preserve on /dev/loop0
tomb [D] Super user execution using doas
doas (myusername@nixos) password:
tomb (*) Success unlocking tomb security
tomb [D] Key size is 512 for cipher aes-xts-plain64
tomb [D] detecting filesystem of /dev/mapper/tomb.security.d276b4b18c3aaa1c6e5df7e270cc9eb256f462f70cc1760e7596ed6520383376.loop0
tomb  .  Filesystem detected: ext4
tomb [D] Tomb engraved as security
tomb  .  Checking filesystem via /dev/loop0
tomb [D] Super user execution using doas
fsck from util-linux 2.39.2
security: clean, 19489/50528256 files, 190373275/202112512 blocks
tomb [D] Super user execution using doas
tomb [D] Super user execution using doas
tomb [D] Super user execution using doas
tomb (*) Success opening security.tomb on /run/media/myusername/security
tomb  .  Last visit by myusername(1000) from /dev/pts/4 on nixos
tomb  .  on date Fri 15 Dec 2023 07:10:11 PM CST
tomb [D] Super user execution using doas
tomb [D] Super user execution using doas
tomb [D] updated control file /run/media/myusername/security/.uid = 1000
tomb [D] Super user execution using doas
tomb [D] Super user execution using doas
tomb [D] updated control file /run/media/myusername/security/.tty = /dev/pts/4
tomb [D] Super user execution using doas
tomb [D] Super user execution using doas
tomb [D] updated control file /run/media/myusername/security/.host = nixos
tomb [D] Super user execution using doas
tomb [D] Super user execution using doas
tomb [D] updated control file /run/media/myusername/security/.last = 1702638883
tomb [D] bind-hooks not found in /run/media/myusername/security
tomb [D] Super user execution using doas
tomb [D] Restoring access and modification time for ./security.tomb
tomb [D] Restoring access and modification time for ./security.tomb.key

[amalgame21]

NixOS is also using Duncaen's OpenDoas

https://github.com/NixOS/nixpkgs/blob/1cf35039f5c110d794039e6d715aeb8997c6cfc5/pkgs/tools/security/doas/default.nix#L16-L21

[amalgame21]

To describe exactly the "workaround" I mention above:
I just added the lines below in /etc/doas.conf

# permit nopass myusername cmd losetup
# permit nopass myusername cmd lsblk
# permit nopass myusername cmd mkfs.ext3
# permit nopass myusername cmd mkfs.ext4
# permit nopass myusername cmd mkfs.btrfs
# permit nopass myusername cmd touch
# permit nopass myusername cmd fsck
# permit nopass myusername cmd btrfs
# permit nopass myusername cmd tune2fs
# permit nopass myusername cmd mkdir
# permit nopass myusername cmd mount
# permit nopass myusername cmd rmdir
# permit nopass myusername cmd chown
# permit nopass myusername cmd umount
# permit nopass myusername cmd findmnt
# permit nopass myusername cmd e2fsck
# permit nopass myusername cmd resize2fs
# permit nopass myusername cmd lsof
# permit nopass myusername cmd kill
# permit nopass myusername cmd cryptsetup

I made a wrapper shell script of tomb working in this way:
The above lines in /etc/doas.conf are uncomment before running tomb commands, and comment them back after the tomb commands are finished.
Then only one password prompt is required for doas and other prompt is for pinentry, No more password nightmare.
I think leaving them uncommented may have some kind of security risk. (Even this wrapper script have some security risk IMO)
However this trick no longer work because /etc/doas.conf is unable to be modified directly in NixOS since it is read-only.

[JonasVautherin]

I also do have permit persist :wheel in my /etc/doas.conf, and I have the same issue. The thing is, I believe that the persist rule works: I wrote simple scripts that call doas multiple times, and I only have to enter the password once.

Somehow the tomb script loses that persistance, and I haven't understood why yet. Could it be doing stuff like forking or something that would create a "new environment"?

[jaromil]

When implementing doas support I also stumbled into this, noticing persist wasn't effective.

I don't know the exact cause, but recognize is very annoying: it actually prevents me from using doas.

I need a closer analysis to answer your last question, AFAIK we do not fork but many things were tried in the past...