Translation(s): none


Doas is a utility that allows a user account to run a command as another user account. Or in other words, do it as someone else (hence "doas").

Doas is intended as a minimalist replacement for the more popular sudo, providing "95% of the features of sudo with a fraction of the codebase", potentially improving security. It is a port of the OpenBSD command by the same name. It also has a much simpler configuration format, simplifying setup.


Installation

Doas 6.8.1 is available in Debian 11 "Bullseye". Install the doas package.


Configuration

Basic

Doas is useless out-of-the-box. Attempting to use it in any scenario will error out with:

doas: doas is not enabled, /etc/doas.conf: No such file or directory

As it prompts, you can create and edit /etc/doas.conf as root, and start adding rules for it. Each rule occupies a new line. The priority list for conflicting rules is bottom-to-top. The last matching rule determines the action taken.

A very simple line in /etc/doas.conf would look like:

permit johnsmith as root

In short, this would enable the user, johnsmith, to run commands as root after entering his own password. Hence, johnsmith is indirectly given root privileges.

More broadly, this command can be broken down into three components. permit is the action. This can instead be deny to explicitly deny permissions to someone. Hence "deny johnsmith as root" would mean that, if that rule is on the bottom of the list, johnsmith can never act as root, regardless of any other rules which may imply otherwise. This is useful for, e.g., permitting all members of a group except one.

johnsmith is the identity. This can be a username, group (when prefixed with a colon), or numeric user ID.

as root is the target. In this context, you can similarly replace "root" with any username, group, or numeric user ID. This field is also optional, with the default being all users. If the full line was simply "permit johnsmith" then that user could run any command as any other user.

Comments are signified with hashmarks (#). See doas.conf for detailed rules.

Advanced

There are a number of optional arguments that can provide additional flexibility. The full command format for doas is:

permit|deny [options] identity [as target] [cmd command [args ...]]

For full details, see doas.conf, but we'll briefly cover some of the main ones here as well.

Options

One of the available options is nopass, which disables the prompt for a user's password when using doas. For instance:

permit nopass johnsmith as root

This will allow the user to run any command as root instantly, with no need for johnsmith to provide his own password.

Two other available options are keepenv and setenv. keepenv ensures that environment variables are retained when creating the environment for the new process. setenv is for preserving or setting variables that will be passed to the command. Your list of variables is wrapped in curly brackets, with each one space-separated. Use an equals (=) sign to set a variable, or just list the variable name alone to preserve it. Prefix your variable with a minus (-) sign to unset it. Use a dollar sign ($) to refer to an environment variable.

Restricting commands and arguments

The "cmd" section, as noted in the format, allows restricting the rule to only allow execution of a certain command, potentially only with certain arguments or subcommands. See:

permit johnsmith as root cmd apt args update

The main command is prefixed with "cmd" and any arguments or subcommands are prefixed with "args". If the line ends with "args" and nothing else, it will disallow all arguments. As-is, this example would allow user johnsmith to only run apt update as root. Any additional subcommand, any additional arguments, or any lack of either, would error out with "Operation not permitted".

Example

This example line demonstrates a number of these advanced options at once:

permit nopass setenv { -http_proxy APT_CONFIG=/etc/apt/apt.conf.d/50appstream } :updaters cmd apt args update

This permits any member of the group "updaters" to execute "apt update" without needing a password, while unsetting the http-proxy variable and setting the APT_CONFIG variable to the path of one of Apt's configuration files.

PAM

A basic PAM configuration file is shipped with the package, at /etc/pam.d/doas.


Usage

Outside of what's documented in the configuration section, there's also some standard functionality built into the doas command.

By default, all usage of doas will assume your target is root. The -u flag allows you to explicitly specify a different user to run a command as. for instance:

doas -u juliasmith whoami

If the "juliasmith" user exists, and if your account has permission to act as her, this would print her username, i.e. "juliasmith"

The -s flag can be used to launch a shell as a user. For instance:

doas -s

This would open a root shell, as root is the default target. Or:

doas -u juliasmith -s

This would open a shell as juliasmith by specifying her as the target.

The -n flag enables non-interactive mode. If a password would be required (i.e. if the "nopass" option isn't set for the matching rule), the command fails.


See also


CategoryRoot | CategorySystemSecurity | CategorySystemAdministration