Manpages - doas.conf.5


utility executes commands as other users according to the rules in the

configuration file.

The rules have the following format:

Rules consist of the following parts:

The action to be taken if this rule matches.

Options are:

The user is not required to enter a password.

Do not log successful command execution to

After the user successfully authenticates, do not ask for a password again for some time.

Environment variables other than those listed in

are retained when creating the environment for the new process.

Keep or set the space-separated specified variables. Variables may also be removed with a leading

or set using the latter syntax. If the first character of

is a

then the value to be set is taken from the existing environment variable of the indicated name. This option is processed after the default environment has been created.

The username to match. Groups may be specified by prepending a colon

Numeric IDs are also accepted.

The target user the running user is allowed to run the command as. The default is all users.

The command the user is allowed or denied to run. The default is all commands. Be advised that it is best to specify absolute paths. If a relative path is specified, only a restricted

will be searched.

Arguments to command. The command arguments provided by the user need to match those specified. The keyword

alone means that command must be run without any arguments.

The last matching rule determines the action taken. If no rule matches, the action is denied.

Comments can be put anywhere in the file using a hash mark

and extend to the end of the current line.

The following quoting rules apply:

The text between a pair of double quotes

is taken as is.

The backslash character

escapes the next character, including new line characters, outside comments; as a result, comments may not be extended over multiple lines.

If quotes or backslashes are used in a word, it is not considered a keyword.

configuration file.

Example configuration file.

The following example permits user aja to install packages from a preferred mirror; group wheel to execute commands as any user while keeping the environment variables


and unsetting

permits tedu to run procmap as root without a password; and additionally permits root to run unrestricted commands as itself while retaining the original PATH.

permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel permit nopass tedu as root cmd /usr/sbin/procmap permit nopass keepenv setenv { PATH } root as root


configuration file first appeared in

Author: dt

Created: 2022-02-20 Sun 09:31