Expand description
Privilege escalation abstraction for sudo/doas support.
§doas capability spike (Phase 0)
Target package: opendoas (Arch: extra/opendoas)
Minimum supported behavior: OpenDoas as packaged in Arch Linux repos.
§Supported patterns
| Pattern | sudo | doas |
|---|---|---|
| Non-interactive check | sudo -n true | doas -n true |
| Direct command execution | sudo <cmd> | doas <cmd> |
| Passwordless execution | sudoers NOPASSWD | permit nopass in /etc/doas.conf |
| Password via stdin | sudo -S reads stdin | NOT supported |
| Credential refresh | sudo -v | NOT supported |
| Credential invalidation | sudo -k | NOT supported |
| Askpass env var | SUDO_ASKPASS | NOT supported |
§Implications for Pacsea
- When doas requires a password, it prompts via its own terminal interaction.
- The in-app password modal cannot be used with doas (no stdin pipe support).
- Pacsea skips the password modal for doas and lets the spawned terminal handle prompting.
- Credential warm-up (
sudo -S -v) is unavailable for doas. doas -n trueworks identically tosudo -n truefor passwordless detection.
Structs§
- Privilege
Capabilities - What: Capability flags describing which features a privilege tool supports.
Enums§
- Auth
Mode - What: Authentication strategy for privilege escalation.
- Privilege
Mode - What: User-configured privilege tool selection mode parsed from
settings.conf. - Privilege
Tool - What: Privilege escalation tool supported by Pacsea.
Functions§
- active_
tool - What: Resolve the privilege tool using the cached application settings.
- build_
credential_ invalidation - What: Build a credential invalidation command.
- build_
credential_ warmup - What: Build a credential warm-up command that caches the password.
- build_
password_ pipe - What: Build a command that pipes a password to the privilege tool via stdin.
- build_
privilege_ command - What: Build a privilege-escalated command string.
- detect_
fprintd_ enrolled - What: Check whether a fingerprint reader is enrolled via
fprintd-list. - detect_
pam_ fingerprint - What: Detect whether the active privilege tool’s PAM configuration includes
pam_fprintd. - is_
fingerprint_ available - What: Check whether fingerprint authentication appears to be available.
- is_
integration_ test - What: Public wrapper for [
is_integration_test_context]. - resolve_
privilege_ tool - What: Resolve which privilege tool to use based on the configured mode.
- run_
interactive_ auth - What: Run the privilege tool interactively to let the user authenticate.
- validate_
password - What: Validate a password against the privilege tool.