Doas
doas, an alternative to sudo
Everybody knows sudo … right? The BSD guys just hacked an alternative tool called doas …
simple, secure and clever
Examples follow later; here is a good and quick tutorial.
An introduction on Vultr, the Source Code on Github and the Man Page
Installation OpenBSD
On OpenBSD, doas is already in the base system, so there is no need to install anything.
Installation Linux
On Linux, for example, you have to add the package:
sudo apt install doas
Quick and Dirty, Full Permission for group wheel
Run as root:
if [ -f /etc/doas.conf ]; then
  echo "permit nopass keepenv :wheel" >> /etc/doas.conf
else
  echo "permit nopass keepenv :wheel" > /etc/doas.conf
  chmod 600 /etc/doas.conf
fi
Install Full Permission for User ‘stoege’
If you're on Linux, there is no wheel group, so you can add a user (stoege) or group (:stoege) to grant full permission like this:
if [ -f /etc/doas.conf ]; then
  echo "permit nopass keepenv stoege" >> /etc/doas.conf
else
  echo "permit nopass keepenv stoege" > /etc/doas.conf
  chmod 600 /etc/doas.conf
fi
Allow User Joe to Switch to another User
cat << 'EOF' >> /etc/doas.conf
# give user joe right to switch to user webmaster -> "/usr/bin/su - webmaster"
permit nopass joe cmd /usr/bin/su args - webmaster
EOF
doas.conf Example
# Group Wheel and User Webmaster get Root Permission
permit nopass keepenv :wheel
permit nopass keepenv webmaster
# User Webmaster is allowed to Restart Nginx
permit nopass webmaster cmd rcctl args check nginx
permit nopass webmaster cmd rcctl args restart nginx
permit nopass webmaster cmd rcctl args start nginx
permit nopass webmaster cmd rcctl args stop nginx
# User Monitoring is allowed certain Commands
permit nopass monitoring cmd smtpctl args show queue
permit nopass monitoring cmd pfctl args -si
permit nopass monitoring cmd tcpdump args -ne -r /var/log/pflog
permit nopass monitoring cmd cat args /var/log/maillog
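The full-permission rules and the per-command rules above grant very different amounts of privilege, so it helps to lint the file before relying on it. The following shell function is an added example, not code from the original page or from the doas project: it flags nopass rules with no cmd restriction, keepenv, commands given without an absolute path (doas.conf(5) advises absolute paths), and a config file that is writable by group or others. The function names, the finding codes and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of doas): lint a doas.conf.
# Prints one "LINE:CODE:detail" finding per line; the codes are made up here.
audit_doas_conf() {
    # Config must not be writable by group or others (the page uses mode 600).
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "0:WRITABLE:$1"
    fi
    awk '
    { sub(/#.*/, "") }                       # comments run to end of line
    $1 == "permit" {
        nopass = 0; keepenv = 0; cmd = ""
        # Options and identity come before "cmd"; stop there so that
        # words inside "args ..." are never mistaken for options.
        for (i = 2; i <= NF; i++) {
            if ($i == "cmd") { cmd = $(i + 1); break }
            if ($i == "nopass")  nopass = 1
            if ($i == "keepenv") keepenv = 1
        }
        if (nopass && cmd == "")       print NR ":NOPASS_ALL:" $0
        if (keepenv)                   print NR ":KEEPENV:" $0
        if (cmd != "" && cmd !~ /^\//) print NR ":RELATIVE_CMD:" $0
    }' "$1"
}

# Constructed sample: rules copied from the examples on this page.
write_sample_conf() {
    cat > "$1" << 'EOF'
# sample
permit nopass keepenv :wheel
permit nopass webmaster cmd rcctl args restart nginx
permit nopass joe cmd /usr/bin/su args - webmaster
permit nopass monitoring cmd pfctl args -si
EOF
}

conf=$(mktemp) && write_sample_conf "$conf" && audit_doas_conf "$conf"
rm -f "$conf"
```

For a syntax check of the real file, doas -C /etc/doas.conf parses the configuration and exits.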