Doas

The doas command provides a way to perform commands as another user. It aims to be a simplified and lightweight replacement for. The tool was originally written for OpenBSD by Ted Unangst. OpenDoas is a port of for Linux, which is available as the  package.

Configuration
The tool is configured by the ruleset specified in. With an empty configuration file, the default ruleset applies, which denies all actions.

Basic configuration
A simple skeleton configuration could be to specify a rule which allows all users in the group to perform any action as root.

It's also possible to deny certain actions to specified users. Rules are evaluated in order and the last matching rule determines the action, so a rule added later can override an earlier one:

The user is part of the  group and therefore may perform actions available to root, but the second rule denies this user access to the  command.
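The rule ordering described above, modelled as an added example (not code from doas or from this page): the last matching rule decides, and no match means deny. The matcher is a simplified sketch that compares command strings exactly and does not model `setenv`; the users `alice` and `bob`, the group and the commands are constructed placeholders.

```python
import shlex

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}  # setenv { ... } is not modelled

# Constructed sample rulesets: alice, bob and the commands are placeholders.
SAMPLE = """
permit :wheel
deny alice cmd fdisk
permit nopass bob as postgres cmd psql
"""
REORDERED = """
deny alice cmd fdisk   # has no effect: the later, broader permit also matches
permit :wheel
"""

def parse_rules(text):
    """Parse simplified doas.conf text into rule dicts; malformed lines raise."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] not in ("permit", "deny"):
            raise ValueError(f"unknown action in {line!r}")
        rest = tok[1:]
        while rest and rest[0] in OPTIONS:
            rest.pop(0)
        rule = {"action": tok[0], "identity": rest.pop(0),
                "target": None, "cmd": None, "args": None}
        if rest[:1] == ["as"]:
            rule["target"], rest = rest[1], rest[2:]
        if rest[:1] == ["cmd"]:
            rule["cmd"], rest = rest[1], rest[2:]
            if rest[:1] == ["args"]:  # a bare "args" means "no arguments allowed"
                rule["args"], rest = rest[1:], []
        if rest:
            raise ValueError(f"trailing tokens in {line!r}")
        rules.append(rule)
    return rules

def decide(rules, user, groups, target, cmd, args=()):
    """Return the action of the last matching rule; no match means deny."""
    decision = "deny"
    for r in rules:
        ident = r["identity"]
        who = ident[1:] in groups if ident.startswith(":") else ident == user
        if (who and r["target"] in (None, target) and r["cmd"] in (None, cmd)
                and r["args"] in (None, list(args))):
            decision = r["action"]
    return decision
```

With `REORDERED`, the `deny` line is overridden by the group rule that follows it, which is why narrow deny rules belong after the broad permit they restrict.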

Authentication
The keyword provides the ability to perform actions without having to enter a password:

With the keyword  can remember an authenticated user and will not require confirmation by password for five minutes:

Commands
The tool allows the creation of rules which only apply to certain commands.

A rule can be specified to allow a certain user to use a command only available to root:

This allows the user to execute the  command without having to enter a password. Rules like this let users run specific restricted commands without being given complete root access.

Testing
A configuration file can be tested as follows:

Specifying a command will show you whether you have permissions to perform this command:

This test will output if you do not have the permissions to execute.

You can also check permissions for a specified user:

If the user has permissions to access  it may output.

Targets
The tool can be used not only to perform actions with root privileges but also to target certain users and groups. The syntax to distinguish between groups (like ) and users (like ) is a leading colon.

By adding this rule, the user is allowed to perform actions as the  user without having to enter a password.

Bash Tab Completion
By default will only tab complete files and directories within the current or referenced directory. To tell bash to complete arguments as if they were separate commands (also leveraging the tab completion settings of other commands) the following can be added to either the user's, or the global.

Usage
The command can be used like :

See doas(1) for more information.

External resources

 * doas configuration file man page