"There is an unsafe incomplete reset of PATH in OpenDoas 6.6 through 6.8 when changing the user context."
See https://github.com/Duncaen/OpenDoas/issues/45 for more discussion:
"Thanks for the report, this is indeed a bug and this not matching the documentation I consider it a security issue and have requested a CVE for it (CVE-2019-25016), this used to be the default behavior but should have been correctly changed in 2019.
One nuance about this is that the users PATH will be used when executing the first command if the rule allows any command,
so with the rule permit :wheel, PATH=~/bin doas foo will execute foo from ~/bin.
If the rule limits the execution to a specific command then the "safe" PATH is used, permit :wheel cmd foo would not execute ~/bin/foo (in this case the reset the PATH variable was already correct before this fix).
This means before the fix, users who only had access to execute a specific command were not able to execute other command through a "unsafe" PATH.
Users who were allowed to execute anything could change PATH to execute more things from PATH."
Please bump to 6.8.1.
(NOTE: Provisionally calling it C1, but not super happy with that classification.)
The bug has been referenced in the following commit(s):
Author: Sam James <email@example.com>
AuthorDate: 2021-01-30 21:37:21 +0000
Commit: Sam James <firstname.lastname@example.org>
CommitDate: 2021-01-30 21:37:21 +0000
app-admin/doas: security bump to 6.8.1
Package-Manager: Portage-3.0.14, Repoman-3.0.2
Signed-off-by: Sam James <email@example.com>
app-admin/doas/Manifest | 1 +
app-admin/doas/doas-6.8.1.ebuild | 51 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+)
Unable to check for sanity:
> no match for package: app-admin/doas-6.8.2
all arches done