FreeBSD Manual Pages
DOAS.CONF(5) FreeBSD File Formats Manual DOAS.CONF(5) NAME doas.conf -- doas configuration file SYNOPSIS /usr/local/etc/doas.conf DESCRIPTION The doas(1) utility executes commands as other users according to the rules in the doas.conf configuration file. The rules have the following format: permit|deny [options] identity [as target] [cmd command [args ...]] Rules consist of the following parts: permit|deny The action to be taken if this rule matches. options Options are: nopass The user is not required to enter a password. persist After the user successfully authenticates, do not ask for a password again for some time. Works on OpenBSD only, persist is not available on Linux or FreeBSD. keepenv The user's environment is maintained. The default is to reset the environment, except for the vari- ables DISPLAY, HOME, LOGNAME, MAIL, PATH, TERM, USER and USERNAME. setenv { [variable ...] [variable=value ...] } In addition to the variables mentioned above, keep the space-separated specified variables. Variables may also be removed with a leading `-' or set using the latter syntax. If the first character of value is a `$' then the value to be set is taken from the existing environment variable of the same name. identity The username to match. Groups may be specified by prepend- ing a colon (`:'). Numeric IDs are also accepted. as target The target user the running user is allowed to run the com- mand as. The default is all users. cmd command The command the user is allowed or denied to run. The default is all commands. Be advised that it is best to specify absolute paths. If a relative path is specified, only a restricted PATH will be searched. args [argument ...] Arguments to command. The command arguments provided by the user need to match those specified. The keyword args alone means that command must be run without any arguments. The last matching rule determines the action taken. If no rule matches, the action is denied. Comments can be put anywhere in the file using a hash mark (`#'), and extend to the end of the current line. The following quoting rules apply: - The text between a pair of double quotes (`"') is taken as is. - The backslash character (`\') escapes the next character, including new line characters, outside comments; as a result, comments may not be extended over multiple lines. - If quotes or backslashes are used in a word, it is not considered a keyword. EXAMPLES The following example permits users in group wsrc to build ports; wheel to execute commands as any user while keeping the environment variables PS1 and SSH_AUTH_SOCK and unsetting ENV; permits tedu to run procmap as root without a password; and additionally permits root to run unre- stricted commands as itself. # Non-exhaustive list of variables needed to # build release(8) and ports(7) permit nopass setenv { \ FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \ DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \ MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \ PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \ SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel permit nopass tedu as root cmd /usr/sbin/procmap permit nopass keepenv root as root SEE ALSO doas(1) HISTORY The doas.conf configuration file first appeared in OpenBSD 5.8. AUTHORS Ted Unangst <tedu@openbsd.org> FreeBSD 11.2 November 19, 2018 FreeBSD 11.2
NAME | SYNOPSIS | DESCRIPTION | EXAMPLES | SEE ALSO | HISTORY | AUTHORS
Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=doas.conf&sektion=5&manpath=FreeBSD+11.2-RELEASE+and+Ports>