doas

From ArchWiki
Jump to navigation Jump to search

OpenDoas is a portable version of OpenBSD's doas command, known for being substantially smaller in size compared to sudo. Like sudo, doas is used to assume the identity of another user on the system.

Installation

Install the opendoas package.

Usage

To begin using doas as a non-privileged user, it must be properly configured. See #Configuration.

To use doas, simply prefix a command and its arguments with doas and a space:

$ doas cmd

For example, to use pacman:

$ doas pacman -Syu

To get to an interactive shell with root prompt:

$ doas -s

For more information, see doas(1).

Configuration

A PAM module is installed, but no default configuration or examples are included.

To allow members of group wheel to run commands as other users, create a configuration file with the following content:

/etc/doas.conf
permit :wheel 

The owner and group for /etc/doas.conf should both be 0, file permissions should be set to 0400:

# chown -c root:root /etc/doas.conf
# chmod -c 0400 /etc/doas.conf

To check /etc/doas.conf for syntax errors, run:

# doas -C /etc/doas.conf && echo "config ok" || echo "config error" 
Warning: It is imperative that /etc/doas.conf is free of syntax errors!

To allow members of the plugdev group to run smartctl without password as root user:

/etc/doas.conf
permit nopass :plugdev as root cmd /usr/bin/smartctl

The general syntax form of /etc/doas.conf is

permit|deny [options] identity [as target] [cmd command [args ...]]

For more details read doas.conf(5).

Consider setting up tab completion for the doas command.

Tips and tricks

doas persist feature

doas provides a persist feature: after the user successfully authenticates, do not ask for a password again for some time. It is disabled by default, enable it with the persist option:

/etc/doas.conf
permit persist :wheel
Note: The persist feature is disabled by default and because it is new and potentially dangerous. In the original doas, a kernel API is used to set and clear timeouts. This API is OpenBSD specific and no similar API is available on other operating systems. As a workaround, the persist feature is implemented using timestamp files similar to sudo.

Smooth transition sudo to doas

For a smooth transition from sudo to doas and to stay downward compatible, you could add to your environment:

alias sudo='doas'
alias sudoedit='doas rnano'

Or alternatively, symlink doas to where sudo would normally be (does not provide sudoedit(8)):

# ln -s $(which doas) /usr/bin/sudo

opendoas-sudoAUR provides this symlink as well.