Provided by: opendoas_6.8.2-1_amd64

NAME

       doas.conf — doas configuration file

DESCRIPTION

       The  doas(1)  utility  executes  commands  as  other  users  according  to  the  rules  in  the doas.conf
       configuration file.

       The rules have the following format:

             permit|deny [options] identity [as target] [cmd command [args ...]]

       Rules consist of the following parts:

       permit|deny  The action to be taken if this rule matches.

       options      Options are:

                    nopass   The user is not required to enter a password.

                    nolog    Do not log successful command execution to syslogd(8).

                    persist  After the user successfully authenticates, do not ask for a password again for some
                             time.

                    keepenv  Environment variables other than those listed in doas(1) are retained when creating
                             the environment for the new process.

                    setenv { [variable ...] [variable=value ...] }
                             Keep or set the space-separated specified variables.  Variables may also be removed
                             with a leading ‘-’ or set using the latter syntax.  If the first character of value
                             is a ‘$’ then the value to be set is taken from the existing  environment  variable
                             of  the indicated name.  This option is processed after the default environment has
                             been created.

       identity     The username to match.  Groups may be specified by prepending a colon  (‘:’).   Numeric  IDs
                    are also accepted.

       as target    The  target  user  the  running  user  is allowed to run the command as.  The default is all
                    users.

       cmd command  The command the user is allowed or denied to run.  The default is all commands.  Be  advised
                    that  it  is  best  to  specify  absolute  paths.   If  a relative path is specified, only a
                    restricted PATH will be searched.

       args [argument ...]
                    Arguments to command.  The command arguments provided  by  the  user  need  to  match  those
                    specified.  The keyword args alone means that command must be run without any arguments.

       The last matching rule determines the action taken.  If no rule matches, the action is denied.

       Comments  can  be  put anywhere in the file using a hash mark (‘#’), and extend to the end of the current
       line.

       The following quoting rules apply:

       -   The text between a pair of double quotes (‘"’) is taken as is.

       -   The backslash character (‘\’) escapes the next character,  including  new  line  characters,  outside
           comments; as a result, comments may not be extended over multiple lines.

       -   If quotes or backslashes are used in a word, it is not considered a keyword.

FILES

       /etc/doas.conf                              doas(1) configuration file.
       /usr/share/doc/opendoas/examples/doas.conf  Example configuration file.

EXAMPLES

       The  following  example  permits  user  aja  to  install packages from a preferred mirror; group wheel to
       execute commands as any user while keeping the environment variables PS1 and SSH_AUTH_SOCK and  unsetting
       ENV;  permits  tedu  to  run  procmap  as  root  without a password; and additionally permits root to run
       unrestricted commands as itself while retaining the original PATH.

             permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add
             permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
             permit nopass tedu as root cmd /usr/sbin/procmap
             permit nopass keepenv setenv { PATH } root as root
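
       Because the last matching rule wins, the position of a deny rule relative to a broader permit rule
       decides whether it has any effect. The following evaluator is an added example, not part of doas or
       of the original manual page; it shows that ordering on constructed rules. It assumes a simplified
       grammar (no quoting or backslash handling, no numeric IDs), and the function names are hypothetical.

```python
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

def parse_rule(line):
    """Parse one rule; None for blank/comment lines. Quoting is not handled."""
    tok = line.split("#", 1)[0].split()
    if not tok:
        return None
    if tok[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny: " + line)
    rule = {"action": tok[0], "target": None, "cmd": None, "args": None}
    i = 1
    while tok[i] in OPTIONS or tok[i] == "setenv":
        if tok[i] == "setenv":      # skip the { ... } variable list
            i = tok.index("}", i)
        i += 1
    rule["identity"], rest = tok[i], tok[i + 1:]
    if rest[:1] == ["as"]:
        rule["target"], rest = rest[1], rest[2:]
    if rest[:1] == ["cmd"]:
        rule["cmd"], rest = rest[1], rest[2:]
        if rest[:1] == ["args"]:    # bare "args": command must have no arguments
            rule["args"] = rest[1:]
    return rule

def matches(rule, user, groups, target, cmd, args):
    ident = rule["identity"]
    if ident.startswith(":"):       # ':' prefix marks a group
        if ident[1:] not in groups:
            return False
    elif ident != user:
        return False
    if rule["target"] not in (None, target):
        return False
    if rule["cmd"] not in (None, cmd):
        return False
    return rule["args"] is None or rule["args"] == list(args)

def decide(conf, user, groups, target, cmd, args=()):
    """Action of the last matching rule; deny when no rule matches."""
    action = "deny"
    for line in conf.splitlines():
        rule = parse_rule(line)
        if rule and matches(rule, user, groups, target, cmd, args):
            action = rule["action"]
    return action

# Constructed sample rules (not from the man page).
DENY_LAST = "permit :wheel\ndeny alice cmd /sbin/reboot\n"
DENY_FIRST = "deny alice cmd /sbin/reboot\npermit :wheel\n"
BOB = "permit nopass bob as root cmd /usr/bin/systemctl args restart nginx\n"
```

       With DENY_LAST, alice (a member of wheel) is denied /sbin/reboot; with DENY_FIRST the later
       permit :wheel rule matches last and the deny rule has no effect.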

SEE ALSO

       doas(1), syslogd(8)

HISTORY

       The doas.conf configuration file first appeared in OpenBSD 5.8.

AUTHORS

       Ted Unangst <tedu@openbsd.org>

Debian                                           October 9, 2020                                    DOAS.CONF(5)