FreeBSD 15: Why You’ll Want It
33 points by eduard
It'll be interesting to see if mdo(1) attracts attention in third-party software as an alternative to sudo and doas.
The note under "SECURITY CONSIDERATIONS" makes it sound like it is not really an alternative to sudo and doas in most cases.
The mdo program is geared to role-based scenarios. Consequently, it does not ask for any password or request other form of authentication before trying to establish new credentials, instead relying solely on the requester's credentials for this purpose.
Yeah, in the announcement:
FreeBSD introduces a native mechanism for controlled privilege escalation via mdo(1) and mac_do(4). This provides a built-in alternative to installing tools like sudo or doas when users need limited administrative capabilities.
I'm curious when you'd reach for it.
For instance, if you have a deployment user who'll need to restart a service after installing a new version of it. In Linux I'd allow a passwordless invocation of a tightly controlled script to solve the same use case.
Oh okay -- I was thinking it was a replacement, but it seems like I'll need to install doas anyway?