Introduction to doas on OpenBSD
Background
OpenBSD's alternative to sudo is doas, although it does not work the same way as sudo and requires some configuration. Its name is a (tongue-in-cheek) acronym for "dedicated openbsd application subexecutor". OpenBSD 5.8, released in 2015, was the first release to include doas. It was created by Ted Unangst after he became dissatisfied with the complexity of sudo and had issues with the default sudo configuration.
The doas command is simple by design and does not contain the advanced features required for elaborate sysadmin infrastructures. For most people, it is more than enough. Please see Create a Sudo User on OpenBSD if you prefer to use sudo instead of doas.
Installation
OpenBSD version 5.8 and later has doas preinstalled.
Configuration
To give users in the wheel group access to doas, add the following to /etc/doas.conf. You will need root access to edit this file.
permit :wheel
This will give all users in the wheel group permission to execute commands as any user.
If you would like users to be able to enter their password once and then not have to enter it again for a while, use the persist option. Here is an example that gives permissions only to the wheel group:
permit persist :wheel
You may instead use the nopass option if you would like them never to have to enter their password:
permit nopass :wheel
If you would like the user "mynewuser" to have admin rights, you may either add them to the wheel group by running usermod -G wheel mynewuser as root, or add a line to your /etc/doas.conf so it looks somewhat like the following:
permit nopass :wheel
permit nopass mynewuser
This example assumes that you do not need your users to enter a password when using doas.
If you would like to set it so that mynewuser is only permitted to execute commands as the www user, the configuration would be as follows:
permit nopass :wheel
permit nopass mynewuser as www
If you would like mynewuser to be able to use only the "vim" command with doas, use the following configuration:
permit nopass :wheel
permit nopass mynewuser as www cmd vim
There are other configuration options, but the ones covered here are the most common. If you would like to read more, you can use the command man doas.conf to read the doas.conf(5) manpage.
Testing Configuration Files
To test a configuration file, use the doas -C /etc/doas.conf command. If you supply a command afterward, e.g. doas -C /etc/doas.conf vim, it will tell you whether you have permission to run that command or not, without trying to execute it.
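As an added illustration (not code from the page or from doas itself), the following Python model of doas.conf rule matching answers the same question as doas -C conf cmd for the rule forms covered above, and also shows the ordering rule documented in doas.conf(5): the last matching rule wins, and no matching rule means deny. The config text and the group table are constructed for the example; real doas reads /etc/group, and the setenv block is skipped rather than applied.

```python
OPTIONS = ("nopass", "persist", "keepenv", "nolog")

# Constructed sample rules and group membership (real doas reads /etc/group).
SAMPLE_CONF = """\
permit persist :wheel
permit nopass setenv { -VISUAL EDITOR=vim } mynewuser as www cmd vim
"""
GROUPS = {"wheel": {"alice"}}

def parse_rules(text):
    """Parse doas.conf-style lines into (action, options, identity, target, cmd)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        action = tok.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        opts = set()
        while tok and (tok[0] in OPTIONS or tok[0] == "setenv"):
            word = tok.pop(0)
            if word == "setenv":                # skip the { VAR ... } block
                while tok.pop(0) != "}":
                    pass
            else:
                opts.add(word)
        identity = tok.pop(0)                   # "user" or ":group"
        target = cmd = None
        if tok[:1] == ["as"]:
            target, tok = tok[1], tok[2:]
        if tok[:1] == ["cmd"]:
            cmd = tok[1]                        # any "args ..." are ignored here
        rules.append((action, opts, identity, target, cmd))
    return rules

def check(rules, groups, user, target, cmd):
    """Return 'permit', 'permit nopass' or 'deny', as `doas -C conf cmd` prints."""
    result = "deny"                             # no matching rule means deny
    for action, opts, identity, rtarget, rcmd in rules:
        members = groups.get(identity[1:], ()) if identity.startswith(":") else (identity,)
        if user not in members:
            continue
        if rtarget is not None and rtarget != target:
            continue
        if rcmd is not None and rcmd != cmd:
            continue                            # later matches override earlier ones
        result = "permit nopass" if action == "permit" and "nopass" in opts else action
    return result
```

With the sample rules, mynewuser running vim as www yields "permit nopass", while the same user as root, or any other command as www, yields "deny".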
Usage
A user may run the command echo "test" as root by using the command:
doas echo "test"
A user that has permission to use doas to elevate themselves to the user "www" may run the command vim /var/www/http/index.html as the user "www" by using the command:
doas -u www vim index.html
This is useful for someone that manages the webserver but does not have full superuser permissions.
Best Practices
It is highly recommended that you use permit instead of deny where possible. If you deny a user a specific command, they may be able to run it anyway via an alternate path or name for that command if one exists. They can also copy the command's executable to their home directory and run that copy, thereby defeating your permissions system.
Generally speaking, it is a better idea to use doas than su because no one has to share the root password. If everyone uses their own password for root access, there is no chance of someone changing the root password, forgetting it, and locking everyone out of the system. Logs are kept in /var/log/secure.
Tips and Tricks
You can keep all your environment variables with keepenv, which is useful if you have your editor set to something and don't want it to change when you become another user. Here is an example with mynewuser:
permit nopass keepenv mynewuser
Sometimes carrying over every environment variable can break things, but with setenv you can pick and choose which ones to carry over. Here is an example that will keep your editor set to whatever you want, for use with git and some other things:
permit nopass setenv { VISUAL EDITOR } mynewuser
You can also use setenv to remove environment variables (by putting a dash before each one you want to remove) or set them to specific things with an equals sign. For example, if you wanted it to remove the environment variable VISUAL and set EDITOR to vim, you would use this configuration line:
permit nopass setenv { -VISUAL EDITOR=vim } mynewuser
If doas has remembered your password, you can run doas -L to make it forget the password.