OpenBSD manual page server

Manual Page Search Parameters

DOAS(1) General Commands Manual DOAS(1)

doasexecute commands as another user

doas [-Lns] [-a style] [-C config] [-u user] command [arg ...]

The doas utility executes the given command as another user. The command argument is mandatory unless -C, -L, or -s is specified.

The user will be required to authenticate by entering their password, unless configured otherwise.

By default, a new environment is created. The variables HOME, LOGNAME, PATH, SHELL, and USER and the umask(2) are set to values appropriate for the target user. DOAS_USER is set to the name of the user executing doas. The variables DISPLAY and TERM are inherited from the current environment. This behavior may be modified by the config file. The working directory is not changed.

The options are as follows:

Use the specified authentication style when validating the user, as allowed by /etc/login.conf. A list of doas-specific authentication methods may be configured by adding an ‘auth-doas’ entry in login.conf(5).
Parse and check the configuration file config, then exit. If command is supplied, doas will also perform command matching. In the latter case either ‘permit’, ‘permit nopass’ or ‘deny’ will be printed on standard output, depending on command matching results. No command is executed.
Clear any persisted authentications from previous invocations, then immediately exit. No command is executed.
Non interactive mode, fail if the matching rule doesn't have the nopass option.
Execute the shell from SHELL or /etc/passwd.
Execute the command as user. The default is root.

The doas utility exits 0 on success, and >0 if an error occurs. It may fail for one of the following reasons:

su(1), doas.conf(5)

The doas command first appeared in OpenBSD 5.8.

Ted Unangst <>

December 22, 2022 OpenBSD-7.3