The size of the code base, and therefore the attack surface.
The sudo source code is approximately 160,000 lines of C.
Doas was written for OpenBSD (after the OpenBSD project decided sudo was too large to ship in the system base) with source code of roughly 500 lines of C.
Obviously those extra lines of code bring features to sudo that doas doesn’t have.
The list of functional differences is too long to write here. I’m sure you can ask some LLM to do the Google search for you and it will shit out an ungodly amount of differences.
But I’d say roughly they are about:
how you configure it (sudo has a much more complex and expressive syntax, doas needs many more lines for the same result)
how it preserves env variables (sudo has more options for that, it excludes some by default while keeping others and can spawn subshells differently with -l -i)
how it handles persistent authorization over some period of time:
doas on OpenBSD caches via a kernel API.
The slicer69 portable doas port has no persist on Linux/FreeBSD - you re-enter your password every invocation.
OpenDoas implements persist via timestamp files, similar to sudo but with fewer tuning options.
For an LLM comparison, this is what I get from Haiku:
sudo is older, more complex, and feature-rich, while doas is newer, simpler, and security-focused.
Core distinctions:
Code size & complexity: doas has roughly 700 lines of code versus sudo’s 100,000+ lines, making doas easier to audit and maintain.
Configuration: sudo uses the complex sudoers file with intricate syntax; doas uses a simpler doas.conf file that’s more straightforward to read and write.
Security philosophy: doas was designed with security-first principles, minimizing potential attack surface. sudo accumulated features over decades, increasing complexity and potential vulnerabilities.
Feature set: sudo has advanced features like session recording, plugins, authentication caching, and detailed logging. doas is minimalist—it handles the essential privilege escalation task without extras.
Adoption: sudo is ubiquitous across Linux and Unix systems. doas is less common but gaining traction, particularly on OpenBSD (where it originated) and among security-conscious users.
Performance: doas is faster and lighter, while sudo carries more overhead.
In practice, doas works well for straightforward privilege escalation needs, while sudo is better if you need advanced features or broader compatibility.
Plus doas does not have insults (?)

You explained very well, this being an intensely technical subject. And you’re absolutely correct about LLMs.
Now, which one do you think would be better, considering the fact that I wish to challenge my learning curve?
“better” always depends on the usecase
I use sudo because it’s less hassle and I just want to use my PC without the OS being in the way.
If you want security: of course, doas.
But if your goal is tinkering, then you can switch anytime anyway, so try all the options.
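If you do want to try both, the following side-by-side of one policy in both syntaxes illustrates the configuration and environment-handling points raised earlier in the thread. It is an added example, not part of any post here and not taken from the sudo or doas projects' own documentation; the user name alice, the group wheel, the nginx restart command and the file paths are assumptions.

```text
# ---- sudoers syntax (e.g. /etc/sudoers, edited with visudo) ----
# Start from a scrubbed environment, then carry two variables through.
Defaults env_reset
Defaults env_keep += "EDITOR LANG"
# Cached authentication lasts 5 minutes (sudo's persist tuning knob).
Defaults timestamp_timeout=5
# The flag the "(?)" in the thread refers to; off here.
Defaults !insults
# wheel members: any command, as any user and group, password required.
%wheel ALL=(ALL:ALL) ALL
# alice: exactly one command as root, no password (example command, assumed).
alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx

# ---- doas.conf syntax (e.g. /etc/doas.conf); the LAST matching rule wins ----
# The environment is reset by default; setenv { } lists the extra variables to keep.
# persist = kernel cache on OpenBSD, timestamp files in OpenDoas; the slicer69
# portable port does not implement it (see the thread), and there is no timeout
# knob and no insults flag, so those two Defaults lines have no equivalent.
# Target can be any user (-u) but, unlike (ALL:ALL), no target group can be named.
permit persist setenv { EDITOR LANG } :wheel
# alice: one command as root, arguments must match exactly, no password.
permit nopass alice as root cmd /usr/bin/systemctl args restart nginx
```

Both files can be checked without installing them: `visudo -c -f FILE` for the sudoers fragment and `doas -C FILE [command]` for doas.conf, the latter printing permit, permit nopass or deny when a command is given. One caveat worth knowing before writing cmd rules: doas compares the command string exactly as typed against cmd, so use the full path both in the rule and on the command line.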
Attack surface means?
More code means there’s more room for bugs and security flaws that can be exploited, and it’s more difficult to reason about the code to find those flaws.
The general security jargon for that concept is ‘attack surface’.