The long-time use sudo command in Linux has been subject to security risks and is being deprecated and replaced with a much lighter command taken from OpenBSD called doas. The security risks have been identified in the National Vulnerability Database (NVD) CVE-2021-3156 as a High Risk. Sudo stands for superuser do whereas the doas command stands for dedicated openbsd application subexecutor. The sudo command package is roughly 20M in size whereas doas is only 570K in size. Having a much smaller code size should greatly reduce the attack vector that doas presents to malware & virus code writers over its predecessor.
The doas command has a much smaller footprint and was developed by Ted Unangst for OpenBSD. It is easy to install the replacement command in your Linux distro and disable sudo (not uninstall it), so that using the former insecure command will be averted. One does not want to attempt to uninstall and purge the sudo command in the Linux distro since this package has been intricately incorporated within the Linux system and attempting to do so might break many packages and render the system damaged. Disabling the sudo command instead is very easy to accomplish as well and does not negatively impact the system, but does prevent the Linux user from running it by mistake.
Install and Configure
Depending on the distro of Linux you're currently running, you may have a pre-configured package for doas. But, if you're like me, I'm running AV Linux MX Edition (a fork of Ubuntu and Debian) which does not. So, if you're running a derivative of Ubuntu or Debian yourself, to install the doas command in your Linux distro, you should visit slicer69's github port and clone the following from the github site using in the terminal:
git clone https://github.com/slicer69/doas
This obviously presumes that you have the git command installed ahead of time. Additionally, you should ensure that the following dependencies have been installed on your Linux system as well, and install them using sudo before proceeding:
build-essential make bison flex libpam0g-dev
You will be using the sudo command to install these dependencies or, alternatively, you can become root using su - and install them as well.
Once the dependencies have been installed, follow up by running the following series of commands in the terminal one after the other in succession:
make
sudo make install
make clean
Next, we need to configure doas by editing the file:
/usr/local/etc/doas.conf
using nano or your favorite text editor. The file did not exist on my system, so editing the file with nano creates the file in addition to adding content to it. Add the following lines to the doas.conf file as shown below:
permit <youruser>
# no password if you'd like
permit nopass <youruser>
Save and close the file. Read the options available for doas at man doas.conf. Now, disable sudo by editing the visudo file using nano and comment out all lines that privilege users, such as root, admin, and <youruser>. And, that's all there is to it. You can test your system to ensure that doas has been installed and configured properly by running a command, such as:
doas apt update && doas apt upgrade -y
If this is successful, then you're good to go. Now that you've disabled sudo, if you forget and run sudo instead of doas, you'll receive a warning by the system that sudo is not configured or you don't have permissions to use it.
Comments