NAME
doas.conf —
doas configuration file
SYNOPSIS
/etc/doas.conf |
DESCRIPTION
The doas(1) utility executes commands as other users according to
the rules in the doas.conf configuration file.
The rules have the following format:
permit|deny
[options] identity
[as target]
[cmd command
[args ...]]Rules consist of the following parts:
permit|deny- The action to be taken if this rule matches.
- options
- Options are:
nopass- The user is not required to enter a password.
persist- After the user successfully authenticates, do not ask for a password again for some time.
keepenv- The user's environment is maintained. The default is to reset the
environment, except for the variables
DISPLAY,HOME,LOGNAME,MAIL,PATH,TERM,USERandUSERNAME. setenv {[variable ...] [variable=value ...]}- In addition to the variables mentioned above, keep the space-separated
specified variables. Variables may also be removed with a leading
‘-’ or set using the latter syntax. If the first
character of value is a
‘
$’ then the value to be set is taken from the existing environment variable of the same name.
- identity
- The username to match. Groups may be specified by prepending a colon (‘:’). Numeric IDs are also accepted.
astarget- The target user the running user is allowed to run the command as. The default is all users.
cmdcommand- The command the user is allowed or denied to run. The default is all
commands. Be advised that it is best to specify absolute paths. If a
relative path is specified, only a restricted
PATHwill be searched. args[argument ...]- Arguments to command. The command arguments provided by the user need to
match those specified. The keyword
argsalone means that command must be run without any arguments.
The last matching rule determines the action taken. If no rule matches, the action is denied.
Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line.
The following quoting rules apply:
- The text between a pair of double quotes (‘"’) is taken as is.
- The backslash character (‘\’) escapes the next character, including new line characters, outside comments; as a result, comments may not be extended over multiple lines.
- If quotes or backslashes are used in a word, it is not considered a keyword.
EXAMPLES
The following example permits user aja to install packages from a
preferred mirror; group wheel to execute commands as any user while keeping
the environment variables PS1 and
SSH_AUTH_SOCK and unsetting
ENV; permits tedu to run procmap as root without a
password; and additionally permits root to run unrestricted commands as
itself.
permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add
permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
permit nopass tedu as root cmd /usr/sbin/procmap
permit nopass keepenv root as root
SEE ALSO
HISTORY
The doas.conf configuration file first
appeared in OpenBSD 5.8.
AUTHORS
Ted Unangst <tedu@openbsd.org>