Doas

OpenBSD
Page content

doas, an alternative to sudo

Everybody knows sudo … right ? the bsd guys just hacked an alternative tool calleed doas …

simple, secure and clever

example follow later, here a good and quick tutorial.

An introduction on Vultr, the Source Code on Github and the Man Page

Installation OpenBSD

On OpenBSD, it’s already in the Base System and no need to install anything.

Installation Linux

On Linux, for Example, you have to add the Package

sudo apt install doas

Quick and Dirty, Full Permission for group wheel

run as root

if [ -f /etc/doas.conf ]; then
  echo "permit nopass keepenv :wheel" >> /etc/doas.conf
else
  echo "permit nopass keepenv :wheel" > /etc/doas.conf
  chmod 600 /etc/doas.conf
fi

Install Full Permission for User ‘stoege’

if you’re on Linux, there is no wheel group. So, you can add a user (stoege) or group (:stoege) for giving full permission like this:

if [ -f /etc/doas.conf ]; then
  echo "permit nopass keepenv stoege" >> /etc/doas.conf
else
  echo "permit nopass keepenv stoege" > /etc/doas.conf
  chmod 600 /etc/doas.conf
fi

Allow User Joe to Switch to another User

cat << 'EOF' >> /etc/doas.conf
# give user joe right to switch to user webmaster -> "/usr/bin/su - webmaster"
permit nopass joe cmd /usr/bin/su args - webmaster
EOF

doas.conf Example

# Group Wheel and User Webmaster get Root Permission
permit nopass keepenv :wheel
permit nopass keepenv webmaster

# User Webmaster is allowed to Restart Nginx
permit nopass webmaster cmd rcctl args check nginx
permit nopass webmaster cmd rcctl args restart nginx
permit nopass webmaster cmd rcctl args start nginx
permit nopass webmaster cmd rcctl args stop nginx

# User Monitoring allows certain Commands
permit nopass monitoring cmd smtpctl args show queue
permit nopass monitoring cmd pfctl args -si
permit nopass monitoring cmd tcpdump args -ne -r /var/log/pflog
permit nopass monitoring cmd cat args /var/log/maillog

sha256: bfce3e35786e8739c192d14a286c3ccb13dc76e5010796b7a04f1ca5ec617c46