Doas
Latest revision as of 20:36, 26 March 2024
OpenDoas is a portable version of OpenBSD's doas command, known for being substantially smaller in size compared to sudo. Like sudo, doas is used to assume the identity of another user on the system.
Installation
Install the opendoas package.
Usage
To begin using doas as a non-privileged user, it must be properly configured. See #Configuration.
To use doas, simply prefix a command and its arguments with doas and a space:
$ doas cmd
For example, to use pacman:
$ doas pacman -Syu
To get to an interactive shell as another user (omitting -u user will default to root):
$ doas -su user
Logging in as another user is needed for some commands, see Sudo#Login shell.
For more information, see doas(1).
Configuration
After installing OpenDoas, it authenticates through PAM, but no default configuration or examples are included.
To allow members of group wheel to run commands as other users, create a configuration file with the following content:
/etc/doas.conf
permit setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin} :wheel
- The configuration file must end with a newline.
- The setenv option works around an issue arising from OpenDoas's BSD origin, where additional system packages are stored under /usr/local/bin. On Linux, /usr/local/bin is generally used to override executables, so it comes before /usr/bin, which contains executables from packages.
The owner and group for /etc/doas.conf should both be 0, and the file permissions should be set to 0400:
# chown -c root:root /etc/doas.conf
# chmod -c 0400 /etc/doas.conf
To check /etc/doas.conf for syntax errors, run:
# doas -C /etc/doas.conf && echo "config ok" || echo "config error"
If the command prints config ok, /etc/doas.conf is free of syntax errors.
To allow members of the plugdev group to run smartctl without a password as the root user:
/etc/doas.conf
permit nopass :plugdev as root cmd /usr/bin/smartctl
The general syntax form of /etc/doas.conf is:
permit|deny [options] identity [as target] [cmd command [args ...]]
The last matching rule determines the action taken, so rules must be ordered accordingly.
For more details please read doas.conf(5).
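The last-match rule above is easy to get wrong, so here is an added example (not code from the wiki page or from OpenDoas) that parses the doas.conf(5) grammar and evaluates a request the way doas does. The rule set, the group table and all user names are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample rules in doas.conf(5) syntax (not a real system file).
SAMPLE_CONF = """\
permit setenv {PATH=/usr/local/bin:/usr/bin} :wheel
permit nopass :plugdev as root cmd /usr/bin/smartctl
deny alice as root cmd /usr/bin/pacman
"""
GROUPS = {"wheel": {"alice", "bob"}, "plugdev": {"carol"}}  # constructed /etc/group

# Grammar: permit|deny [options] identity [as target] [cmd command [args ...]]
RULE = re.compile(
    r"^(permit|deny)((?:\s+(?:nopass|persist|keepenv|nolog|setenv\s*\{[^}]*\}))*)"
    r"\s+(\S+)(?:\s+as\s+(\S+))?(?:\s+cmd\s+(\S+)(\s+args(?:\s+(.*))?)?)?\s*$")

@dataclass
class Rule:
    action: str          # "permit" or "deny"
    options: list        # nopass, persist, keepenv, nolog
    setenv: list         # variables listed inside setenv { ... }
    identity: str        # user name, or ":group"
    target: str = None   # "as target"; None matches any target user
    cmd: str = None      # "cmd command"; None matches any command
    args: tuple = None   # "args ..."; None matches any argument list

def parse_conf(text):
    if text and not text.endswith("\n"):      # doas rejects a missing final newline
        raise ValueError("doas.conf must end with a newline")
    rules = []
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        m = RULE.match(line)
        if not m:
            raise ValueError(f"bad rule: {line!r}")
        action, opts, ident, target, cmd, argkw, argstr = m.groups()
        env = re.search(r"setenv\s*\{([^}]*)\}", opts)
        opts = re.sub(r"setenv\s*\{[^}]*\}", "", opts).split()
        rules.append(Rule(action, opts, env.group(1).split() if env else [], ident,
                          target, cmd, tuple((argstr or "").split()) if argkw else None))
    return rules

def decide(rules, user, target="root", cmd=None, args=()):
    """Last matching rule wins (doas.conf(5)); None = no match, which doas denies."""
    hit = None
    for r in rules:
        in_group = r.identity.startswith(":") and user in GROUPS.get(r.identity[1:], ())
        if ((in_group or r.identity == user) and r.target in (None, target)
                and r.cmd in (None, cmd) and r.args in (None, tuple(args))):
            hit = r
    return hit
```

With the rules in the order written, alice (a wheel member) is still denied pacman because the specific deny rule comes last; reverse the file and the broad wheel permit wins instead.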
Tips and tricks
doas persist feature
doas provides a persist feature: after the user successfully authenticates, they will not be prompted for a password again for some time. It is disabled by default; enable it with the persist option:
/etc/doas.conf
permit persist :wheel
Smooth transition sudo to doas
For a smooth transition from sudo to doas and to stay backward compatible, you could add to your shell environment:
alias sudo='doas'
alias sudoedit='doas rnano'
Or alternatively, symlink doas to where sudo would normally be (but it does not provide the sudoedit command):
# ln -s $(which doas) /usr/bin/sudo
Note: By default sudo preserves some environment variables while doas does not, most notably XAUTHORITY, LANG and LC_ALL. This means you will not be able to start graphical applications under X nor to access the user's locale without further configuration. For instance, to allow members of the wheel group to run graphical applications and to access the user's locale using the setenv option:
/etc/doas.conf
permit setenv { XAUTHORITY LANG LC_ALL } :wheel
Bash tab completion
By default Bash will only tab complete files and directories within the current or referenced directory. To tell Bash to complete arguments as if they were separate commands (also leveraging the tab completion settings of other commands), the following can be added to either the user's ~/.bashrc or the global /etc/bash.bashrc:
~/.bashrc
complete -cf doas
If bash-completion is installed, the following can be used instead to allow for additional completion of the target command:
~/.bashrc
complete -F _command doas