"There is an unsafe incomplete reset of PATH in OpenDoas 6.6 through 6.8 when changing the user context." See https://github.com/Duncaen/OpenDoas/issues/45 for more discussion: "Thanks for the report, this is indeed a bug and this not matching the documentation I consider it a security issue and have requested a CVE for it (CVE-2019-25016), this used to be the default behavior but should have been correctly changed in 2019. One nuance about this is that the users PATH will be used when executing the first command if the rule allows any command, so with the rule permit :wheel, PATH=~/bin doas foo will execute foo from ~/bin. If the rule limits the execution to a specific command then the "safe" PATH is used, permit :wheel cmd foo would not execute ~/bin/foo (in this case the reset the PATH variable was already correct before this fix). This means before the fix, users who only had access to execute a specific command were not able to execute other command through a "unsafe" PATH. Users who were allowed to execute anything could change PATH to execute more things from PATH."
Please bump to 6.8.1. (NOTE: Provisionally calling it C1, but not super happy with that classification.)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bc1b8dc0675ff0ff0c6d7c5b9576d3f6808bbdd commit 1bc1b8dc0675ff0ff0c6d7c5b9576d3f6808bbdd Author: Sam James <sam@gentoo.org> AuthorDate: 2021-01-30 21:37:21 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-01-30 21:37:21 +0000 app-admin/doas: security bump to 6.8.1 Bug: https://bugs.gentoo.org/767781 Package-Manager: Portage-3.0.14, Repoman-3.0.2 Signed-off-by: Sam James <sam@gentoo.org> app-admin/doas/Manifest | 1 + app-admin/doas/doas-6.8.1.ebuild | 51 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+)
Unable to check for sanity: > no match for package: app-admin/doas-6.8.2
arm64 done
arm done
amd64 done all arches done
Please cleanup!
Cleanup done: commit 30e45562f3aa3d48e64d08fe5db01b39c84e42ca Author: Joonas Niilola <juippis@gentoo.org> Date: Sat Mar 20 09:10:15 2021 +0200 app-admin/doas: drop 6.0, 6.6.1, 6.8 Signed-off-by: Joonas Niilola <juippis@gentoo.org> delete mode 100644 app-admin/doas/doas-6.0.ebuild delete mode 100644 app-admin/doas/doas-6.6.1.ebuild delete mode 100644 app-admin/doas/doas-6.8.ebuild
New GLSA request filed.
Unable to check for sanity: > no match for package: app-admin/doas-6.8.1
This issue was resolved and addressed in GLSA 202107-11 at https://security.gentoo.org/glsa/202107-11 by GLSA coordinator Sam James (sam_c).