Introduction to doas on OpenBSD

Updated on November 21, 2023
Introduction to doas on OpenBSD header image

Background

OpenBSD's alternative to sudo is doas, although it does not work the same way as sudo and requires some configuration. It is an acronym for "dedicated openbsd application subexecutor". OpenBSD 5.8, released in 2015, was the first to includedoas. It was created by Ted Unangst after he was dissatisfied with the complexity of sudo and had issues with the default sudo configuration.

The doas command is simple by design and does not contain advanced features required for elaborate sysadmin infrastructures. For most people, it is more than enough. Please see Create a Sudo User on OpenBSD if you prefer to use sudo instead of doas.

Installation

OpenBSD version 5.8 and later has doas preinstalled.

Configuration

To give users in the wheel group access to doas, add the following to /etc/doas.conf. You will need root access to edit this file.

permit :wheel

This will give all users in the wheel group permission to execute commands as any user.

If you would like users to be able to enter their password once, then not have to enter it for a while, use the persist option. Here is an example that gives permissions only to the wheel group:

permit persist :wheel

You may instead use the nopass option if you would like them never to have to enter their password:

permit nopass :wheel

If you would like the user "mynewuser" to have admin rights, you may either add them to the wheel group by running usermod -G wheel mynewuser as root or add a line to your /etc/doas.conf so it looks somewhat like the following:

permit nopass :wheel
permit nopass mynewuser

This example assumes that you do not need your users to enter a password when using doas. If you would like to set it so that mynewuser is only permitted to execute commands as the www user, the configuration would be as follows:

permit nopass :wheel
permit nopass mynewuser as www

If you would like mynewuser to be able to use only the "vim" command with doas, use the following configuration:

permit nopass :wheel
permit nopass mynewuser as www cmd vim

There are other configuration options, but the ones covered here are the most common. If you would like to read more, you can use the command man doas.conf to read the doas.conf(5) manpage.

Testing Configuration Files

To test a configuration file, use the doas -C /etc/doas.conf command. If you supply a command afterward, e.g. doas -C /etc/doas.conf vim, it will tell you whether you have permission to run a command or not without trying to execute the command.

Usage

A user may run the command echo "test" as root by using the command: doas echo "test"

A user that has permissions to use doas to elevate themselves to the user "www" may run the command vim /var/www/http/index.html as the user "www" by using the command: doas -u www vim index.html This is useful for someone that manages the webserver but does not have full superuser permissions.

Best Practices

It is highly recommended that you use permit instead of deny where possible. If you deny a user from using a specific command, they may be able to get away with using an alternate path or name of that command if it exists. They also can copy the command's executable to their home directory and then run that executable, thereby defeating your permissions system.

Generally speaking, it is a better idea to use doas than to use su because no one has to share the root password. There is no chance of someone changing it, forgetting it, and locking everyone out of the system if everyone uses their own password for root access. Logs are kept in /var/log/secure.

Tips and Tricks

You can keep all your environment variables with keepenv, which is useful if you have your editor set to something and don't want it to change when you become another user. Here is an example with mynewuser:

permit nopass keepenv mynewuser

Sometimes, there are situations where overwriting every environment variable can break things, but with setenv, you can pick and choose which ones to carry over. Here is an example that will keep your editor set to whatever you want for use with git and some other things.

permit nopass setenv { VISUAL EDITOR } mynewuser

You can also use setenv to remove environment variables (by putting a dash before each one you want to remove) or set them to specific things with an equals sign. For example, if you wanted it to remove the environment variable VISUAL and set EDITOR to vim, you would use this configuration line:

permit nopass setenv { -VISUAL EDITOR=vim } mynewuser

If doas has remembered your password, you can do doas -L to make it forget the password.