NAME
doas.conf
—
doas configuration file
DESCRIPTION
The doas(1) utility executes commands as other users according to
the rules in the doas.conf
configuration file.
The rules have the following format:
permit
|deny
[options] identity
[as
target]
[cmd
command
[args ...
]]Rules consist of the following parts:
permit
|deny
- The action to be taken if this rule matches.
- options
- Options are:
nopass
- The user is not required to enter a password.
keepenv
- The user's environment is maintained. The default is to reset the
environment, except for the variables
DISPLAY
,HOME
,LOGNAME
,MAIL
,PATH
,TERM
,USER
andUSERNAME
. keepenv {
[variable ...]}
- In addition to the variables mentioned above, keep the space-separated specified variables.
- identity
- The username to match. Groups may be specified by prepending a colon (‘:’). Numeric IDs are also accepted.
as
target- The target user the running user is allowed to run the command as. The default is all users.
cmd
command- The command the user is allowed or denied to run. The default is all commands. Be advised that it's best to specify absolute paths.
args ...
- Arguments to command. If specified, the command arguments provided by the
user need to match for the command to be successful. Specifying
args
alone means that command should be run without any arguments.
The last matching rule determines the action taken.
Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line.
The following quoting rules apply:
- The text between a pair of double quotes (‘"’) is taken as is.
- The backslash character (‘\’) escapes the next character, including new line characters, outside comments; as a result, comments may not be extended over multiple lines.
- If quotes or backslashes are used in a word, it isn't considered a keyword.
EXAMPLES
The following example permits users in group wsrc to build ports,
wheel to execute commands as any user while keeping the environment
variables ENV
, PS1
, and
SSH_AUTH_SOCK
, and additionally permits tedu to run
procmap as root without a password.
# Non-exhaustive list of variables needed to # build release(8) and ports(7) permit nopass keepenv { \ FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \ DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \ MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \ PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \ SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel permit nopass tedu as root cmd /usr/sbin/procmap
SEE ALSO
HISTORY
The doas.conf
configuration file first
appeared in OpenBSD 5.8.
AUTHORS
Ted Unangst <tedu@openbsd.org>