Doas

common/.gitignore

@@ -0,0 +1 @@
+/profile-sync-daemon

common/debian/postinst

@@ -8,12 +8,11 @@ if [ -f /etc/psd.conf ]; then
 	echo '->    created when psd is invoked the first time.'
 	echo '-> 2. A system service is no longer used. A user service is provided and can be'
 	echo '->    used like this:  systemctl --user start psd.service'
-	echo '-> 3. Users wanting to use overlayfs mode MUST have sudo access with nopasswd to'
+	echo '-> 3. Users wanting to use overlayfs mode MUST have sudo or doas access with nopasswd to'
 	echo '->    /usr/bin/psd-overlay-helper. See the man page for an example configured with visudo.'
 fi
 
 for i in $(users); do
 	su $i -s /bin/bash -c 'XDG_RUNTIME_DIR=/run/user/$UID systemctl --user daemon-reload'
 	return 0
 done
-

common/profile-sync-daemon.in

@@ -37,6 +37,13 @@ PSDCONFDIR="$XDG_CONFIG_HOME/psd"
 PSDCONF="$PSDCONFDIR/psd.conf"
 SHAREDIR="/usr/share/psd"
 
+# Use `doas` if available, assume `sudo` otherwise.
+if type doas &>/dev/null; then
+  SUDO=(doas -n)
+else
+  SUDO=(sudo -kn)
+fi
+
 if [[ ! -d "$SHAREDIR" ]]; then
   echo -e " ${RED}ERROR:${NRM}${BLD} Missing ${BLU}$SHAREDIR${NRM}${BLD} - reinstall the package to use profile-sync-daemon.${NRM}"
   exit 1
@@ -254,18 +261,19 @@ dep_check() {
 
 config_check() {
   if [[ $OLFS -eq 1 ]]; then
-    # user must have sudo rights to call /usr/bin/mount
+    # user must have sudo or doas rights to call /usr/bin/mount
     # and /usr/bin/umount to use overlay mode
 
-    if ! sudo -kn psd-overlay-helper &>/dev/null; then
-      FAILCODE=1
-    fi
-
-    if [[ $FAILCODE -ne 0 ]]; then
-      echo -e "${BLD}${RED} ERROR!${NRM}${BLD} To use overlayfs mode, $user needs sudo access to ${BLU}/usr/bin/psd-overlay-helper${NRM}${BLD}${NRM}"
+    if ! "${SUDO[@]}" /usr/bin/psd-overlay-helper &>/dev/null; then
+      echo -e "${BLD}${RED} ERROR!${NRM}${BLD} To use overlayfs mode, $user needs $SUDO access to ${BLU}psd-overlay-helper${NRM}"
       echo
-      echo -e " ${BLD}Add the following line to the end of ${BLU}/etc/sudoers${NRM}${BLD} to enable this functionality:${NRM}"
-      echo -e "  ${BLD}$user ALL=(ALL) NOPASSWD: /usr/bin/psd-overlay-helper${NRM}"
+      if [[ "${SUDO[0]##*/}" = *doas* ]]; then
+        echo -e " ${BLD}Add the following line to the end of ${BLU}/etc/sudoers${NRM}${BLD} to enable this functionality:${NRM}"
+        echo -e "  ${BLD}permit nopass $user as root cmd /usr/bin/psd-overlay-helper${NRM}"
+      else
+        echo -e " ${BLD}Add the following line to the end of ${BLU}/etc/doas.conf${NRM}${BLD} to enable this functionality:${NRM}"
+        echo -e "  ${BLD}$user ALL=(ALL) NOPASSWD: /usr/bin/psd-overlay-helper${NRM}"
+      fi
       exit 1
     fi
   fi
@@ -527,7 +535,7 @@ do_sync_for() {
         # initial sync
         REPORT="sync"
         if [[ $OLFS -eq 1 ]]; then
-          if ! sudo psd-overlay-helper -v "$OLFSVER" -l "$BACKUP" -u "$UPPER" -w "$WORK" -d "$TMP" mountup; then
+          if ! "${SUDO[@]}" /usr/bin/psd-overlay-helper -v "$OLFSVER" -l "$BACKUP" -u "$UPPER" -w "$WORK" -d "$TMP" mountup; then
             echo -e "Error in trying to mount $TMP - this should not happen!"
             exit 1
           fi
@@ -627,7 +635,7 @@ do_unsync() {
         [[ -d "$BACKUP" ]] && mv --no-target-directory "$BACKUP" "$DIR"
         if [[ $OLFS -eq 1 ]] && mountpoint -q "$TMP"; then
           rsync -aX --delete-after --inplace --no-whole-file --exclude .flagged "$BACK_OVFS/" "$DIR/"
-          sudo psd-overlay-helper -d "$TMP" -w "$WORK" mountdown && rm -rf "$TMP" "$UPPER"
+          "${SUDO[@]}" /usr/bin/psd-overlay-helper -d "$TMP" -w "$WORK" mountdown && rm -rf "$TMP" "$UPPER"
         fi
         [[ -d "$TMP" ]] && rm -rf "$TMP"
         echo -e "${BLD}$browser unsync successful${NRM}"

common/psd-overlay-helper

@@ -32,13 +32,13 @@ case "$1" in
   mountup)
     # write access to upper/workdir is required or do not overlay lowerdirs
     user=$(stat -c %U "$TMP")
-    if ! sudo -u "$user" test -w "$BACKUP"; then
+    if ! runuser -u "$user" -- test -w "$BACKUP"; then
       echo "User $user has no write permissions for $BACKUP. Aborting..." >&2
       exit 1
     fi
 
     user=$(stat -c %U "$UPPER")
-    if ! sudo -u "$user" test -w "$BACKUP"; then
+    if ! runuser -u "$user" -- test -w "$BACKUP"; then
       echo "User $user has no write permissions for $BACKUP. Aborting..." >&2
       exit 1
     fi

common/psd.conf

@@ -12,8 +12,17 @@
 # the memory costs and to improve sync/unsync operations. Note that your kernel
 # MUST have this module available in order to use this mode.
 #
+# This requires some additional privileges, obtained through sudo or another
+# command, as configured below.
+#
 #USE_OVERLAYFS="no"
 
+# Use a specific command for privilege escalation. It is expected to accept
+# similar arguments as `sudo`. The default is to use `doas` if available, and
+# `sudo` otherwise.
+#
+#SUDO=(sudo -kn)
+
 # Uncomment and set to "yes" to resync on suspend to reduce potential data loss.
 # Note that your system MUST have gdbus from glib2 installed to use this mode.
 #

doc/psd.1

@@ -25,7 +25,7 @@ $XDG_CONFIG_HOME/psd/psd.conf (referred to hereafter as "the config file") conta
 NOTE: edits made to the config file while psd is active will be applied only after the service has been restarted.
 .RS
 .IP \(bu 3
-Optionally enable the use of overlayfs to improve sync speed and to use a smaller memory footprint. Do this in the USE_OVERLAYFS variable. The user will require no password sudo rights to /usr/bin/psd-overlay-helper to use this option and the kernel must support overlayfs version 22 or higher. See the FAQ below for additional details.
+Optionally enable the use of overlayfs to improve sync speed and to use a smaller memory footprint. Do this in the USE_OVERLAYFS variable. The user will require no-password sudo or doas rights to /usr/bin/psd-overlay-helper to use this option and the kernel must support overlayfs version 22 or higher. See the FAQ below for additional details.
 .IP \(bu 3
 Optionally have psd resync to the filesystem prior to a sleep call. This can help in the event that the system does not properly wake up. Do this in the USE_SUSPSYNC variable.
 .IP \(bu 3
@@ -199,12 +199,21 @@ Q2: How do I enable overlayfs mode?
 .PP
 A2: First, be sure psd is not active or else any changes to the config file will be ignored until it is restarted. Overlayfs mode is enabled with the USE_OVERLAYFS= variable which should be set to "yes" in the config file. Psd will automatically detect the overlayfs version available to the kernel if it is configured to use one of them. It is recommended to run psd in preview mode to verify that the system can in fact use overlayfs.
 .PP
-Users wanting to use overlayfs mode MUST have sudo rights without password prompt to /usr/bin/psd-overlay-helper or global sudo rights without password prompt. If the user does not have global rights, add the following line to /etc/sudoers after any other lines defining sudo access. It is recommended to use /usr/bin/visudo as root to set this up:
+Users wanting to use overlayfs mode MUST have sudo or doas rights without password prompt to /usr/bin/psd-overlay-helper, or global sudo/doas rights without password prompt. If the user does not have global rights, add the following line to /etc/sudoers after any other lines defining sudo access. It is recommended to use /usr/bin/visudo as root to set this up:
 .PP
 .nf
 .fam C
  foo ALL=(ALL) NOPASSWD: /usr/bin/psd-overlay-helper
 
+.fam T
+.fi
+.PP
+By default, doas will be used instead of sudo if it is installed; if so, you should add the following line to /etc/doas.conf:
+.PP
+.nf
+.fam C
+ permit nopass foo as root cmd /usr/bin/psd-overlay-helper
+
 .fam T
 .fi
 Q3: Why do I have another browser profile directory "foo-back-ovfs" when I enable overlayfs?