DOAS.CONF(5)		  FreeBSD File Formats Manual		  DOAS.CONF(5)

NAME
     doas.conf -- doas configuration file

SYNOPSIS
     /usr/local/etc/doas.conf

DESCRIPTION
     The doas(1) utility executes commands as other users according to the
     rules in the doas.conf configuration file.

     The rules have the	following format:

	   permit|deny [options] identity [as target] [cmd command [args ...]]

     Rules consist of the following parts:

     permit|deny  The action to	be taken if this rule matches.

     options	  Options are:

		  nopass   The user is not required to enter a password.

		  persist  After the user successfully authenticates, do not
			   ask for a password again for some time.  Works on
			   OpenBSD only; persist is not available on Linux or
			   FreeBSD.

		  keepenv  The user's environment is maintained.  The default
			   is to reset the environment, except for the
			   variables DISPLAY, HOME, LOGNAME, MAIL, PATH, TERM,
			   USER and USERNAME.

		  setenv { [variable ...] [variable=value ...] }
			   In addition to the variables	mentioned above, keep
			   the space-separated specified variables.  Variables
			   may also be removed with a leading `-' or set using
			   the latter syntax.  If the first character of value
			   is a	`$' then the value to be set is	taken from the
			   existing environment	variable of the	same name.

     identity	  The username to match.  Groups may be specified by
		  prepending a colon (`:').  Numeric IDs are also accepted.

     as target	  The target user the running user is allowed to run the
		  command as.  The default is all users.

     cmd command  The command the user is allowed or denied to run.  The
		  default is all commands.  Be advised that it is best to
		  specify absolute paths.  If a	relative path is specified,
		  only a restricted PATH will be searched.

     args [argument ...]
		  Arguments to command.	 The command arguments provided	by the
		  user need to match those specified.  The keyword args	alone
		  means	that command must be run without any arguments.

     The last matching rule determines the action taken.  If no	rule matches,
     the action	is denied.

     Comments can be put anywhere in the file using a hash mark	(`#'), and
     extend to the end of the current line.

     The following quoting rules apply:

     -	 The text between a pair of double quotes (`"')	is taken as is.

     -	 The backslash character (`\') escapes the next	character, including
	 new line characters, outside comments;	as a result, comments may not
	 be extended over multiple lines.

     -	 If quotes or backslashes are used in a	word, it is not	considered a
	 keyword.

EXAMPLES
     The following example permits users in group wsrc to build ports; wheel
     to execute commands as any user while keeping the environment variables
     PS1 and SSH_AUTH_SOCK and unsetting ENV; permits tedu to run procmap as
     root without a password; and additionally permits root to run
     unrestricted commands as itself.

	   # Non-exhaustive list of variables needed to
	   # build release(8) and ports(7)
	   permit nopass setenv	{ \
		   FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \
		   DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF	\
		   MULTI_PACKAGES NOMAN	OKAY_FILES OWNER PKG_DBDIR \
		   PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \
		   SUBPACKAGE WRKOBJDIR	SUDO_PORT_V1 } :wsrc
	   permit setenv { -ENV	PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
	   permit nopass tedu as root cmd /usr/sbin/procmap
	   permit nopass keepenv root as root
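
     The "last matching rule determines the action" and default-deny
     behaviour from DESCRIPTION, as an added example that is not part of the
     manual page or of doas itself.  It is a simplified model (no setenv
     blocks, line continuations or numeric IDs); the function names and the
     ORDERED/MISORDERED rule sets are constructed for illustration.

```python
import shlex
OPTIONS = {"nopass", "persist", "keepenv"}

def parse_rule(line):
    """Parse one rule of this simplified model; comments and blanks -> None."""
    words = shlex.split(line, comments=True)
    if not words:
        return None
    rule = {"action": words.pop(0), "target": None, "cmd": None,
            "args": None, "text": line.strip()}
    while words[0] in OPTIONS:
        words.pop(0)                  # options do not affect matching
    rule["identity"] = words.pop(0)
    if words[:1] == ["as"]:
        rule["target"], words = words[1], words[2:]
    if words[:1] == ["cmd"]:
        rule["cmd"], words = words[1], words[2:]
        if words[:1] == ["args"]:
            rule["args"] = words[1:]  # bare "args": command must take none
    return rule

def matches(rule, user, groups, target, cmd, args):
    ident = rule["identity"]
    who = ident[1:] in groups if ident.startswith(":") else ident == user
    return (who and rule["target"] in (None, target)
            and rule["cmd"] in (None, cmd) and rule["args"] in (None, list(args)))

def decide(config, user, groups, target, cmd, args=()):
    """Return (action, deciding rule text); the last matching rule wins."""
    decision = ("deny", None)         # no rule matches -> denied
    for line in config.splitlines():
        rule = parse_rule(line)
        if rule and matches(rule, user, groups, target, cmd, args):
            decision = (rule["action"], rule["text"])
    return decision

# Constructed sample rule sets (not from the manual page).
ORDERED = """\
permit :wheel
deny :wheel as root cmd /sbin/reboot
"""
MISORDERED = """\
deny :wheel as root cmd /sbin/reboot
permit :wheel
"""

if __name__ == "__main__":
    for conf in (ORDERED, MISORDERED):
        print(decide(conf, "bob", {"wheel"}, "root", "/sbin/reboot"))
```

     In MISORDERED the broad permit follows the narrow deny and therefore
     overrides it, so narrow deny rules belong after the broad permit.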

SEE ALSO
     doas(1)

HISTORY
     The doas.conf configuration file first appeared in	OpenBSD	5.8.

AUTHORS
     Ted Unangst <tedu@openbsd.org>

FreeBSD	11.2			 July 17, 2018			  FreeBSD 11.2
