> Why should something like sudo not be "done" after 30 years?
Because new needs arise over time. For example, when I started in IT the "sudoedit" functionality was not present and so allowing someone to do "sudo vi …" would allow them to break out of the editor when it was running as root.
With sudoedit you can give people permissions to edit particular files with elevated permissions.
> Even OpenBSD gave up and implemented their own simplified replacement (doas).
They did not "give up": they found they needed only much simpler functionality shipped in the base OS. For example, sudo has functionality to talk to LDAP (which I've used at multiple jobs over the years), but is not needed for a local-only box. Once you need centralized account and privilege management, doas becomes much less useful.
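The sudoedit point from the comment above, turned into a check (an added example, not code from the thread or from the sudo project): it scans sudoers text for rules that run an interactive editor directly instead of through `sudoedit`. The editor list, the sample rules and the function names are assumptions made for this illustration, and aliases and include directives are not expanded.

```python
import re

# Interactive editors to flag; a constructed, non-exhaustive list for this example.
EDITORS = {"vi", "vim", "nvim", "nano", "emacs", "ed"}

# Constructed sample sudoers content (not taken from the thread).
SAMPLE = r"""
# constructed sample
Defaults env_reset
alice   ALL = /usr/bin/vi /etc/hosts
bob     ALL = sudoedit /etc/hosts
%ops    ALL = (root) NOPASSWD: /usr/bin/systemctl restart nginx, \
              /usr/bin/vim /etc/nginx/nginx.conf
"""

def logical_lines(text):
    """Join backslash-continued lines; skip blanks and full-line comments."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit_sudoers(text):
    """Return (who, command) for rules that run an editor directly."""
    findings = []
    for line in logical_lines(text):
        # Simplification: Defaults and alias definitions are skipped, not expanded.
        if re.match(r"(Defaults|\w+_Alias)\b", line) or "=" not in line:
            continue
        lhs, cmds = line.split("=", 1)
        who = " ".join(lhs.split()[:-1])          # drop the host field
        cmds = re.sub(r"\([^)]*\)", "", cmds)     # drop (runas) specs
        for cmd in cmds.split(","):
            cmd = re.sub(r"^\s*(\w+:\s*)*", "", cmd).strip()  # drop tags like NOPASSWD:
            if not cmd or cmd.split()[0] == "sudoedit":
                continue                          # sudoedit rules are the intended form
            if cmd.split()[0].rsplit("/", 1)[-1] in EDITORS:
                findings.append((who, cmd))
    return findings

if __name__ == "__main__":
    for who, cmd in audit_sudoers(SAMPLE):
        print(f"{who}: '{cmd}' runs an editor directly; consider 'sudoedit <file>'")
```
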
> sudo has functionality to talk to LDAP
That is scary! I may need to look more at OpenBSD
The purpose is to allow users access by LDAP criteria like group so the sudoers file need not be edited on each and every server.
https://www.sudo.ws/docs/man/sudoers.ldap.man/
Yeah, that’s not something I would expect a core util to do.
I would expect another system to query LDAP.
> That is scary! I may need to look more at OpenBSD
Very useful when you're running fleets of systems that are more pet than cattle.
Ubuntu/Debian are moving to sudo using SSS to talk to LDAP (versus the current sudo-ldap package).
There's a Linux port of doas named OpenDoas
Distros come with sudo. Scripts assume sudo. Complexity exists there.
solved long ago. https://github.com/jirutka/doas-sudo-shim/
so do I uninstall sudo from my distro? What do I do on upgrade? This shim is available from alpine package manager, can I get it anywhere else?
It's a single, self-contained shell script. If it's not packaged for one's distro, and they don't know how to replace a command and keep it updated, then this shim is not for them, and that is ok.
For the technically inclined who like challenges, creating a distro package of this shim is the "hello world" equivalent for packaging.
Let's be honest, though. If you designed a new sudo in a system with doas(1) it would look nothing like modern sudo.
I can't remember the name, but I read about a rust project a few months ago which claimed that even doas had too much feature creep.
> I can't remember the name, but I read about a rust project a few months ago which claimed that even doas had too much feature creep.
Features are added because people cannot do X and want to, and so it is added.
I'm happy to have a spectrum of privilege-escalation utilities of varying capabilities, but just because one person does not need certain functionality (like talking to LDAP) does not mean I don't.