Doas

From Gentoo Wiki
Jump to: navigation, search

Doas provides a way to perform commands as another user. It aims to be a a simplified and lightweight replacement for Sudo. Doas was originally written for OpenBSD by Ted Unangst. OpenDoas is a port of Doas for Linux, which is available as the app-admin/doas package.

Installation

USE flags

USE flags for app-admin/doas Run commands as super user or another user, alternative to sudo from OpenBSD

pam Add support for PAM (Pluggable Authentication Modules)DANGEROUS to arbitrarily flip
timestamp Adds support for "persist" feature (experimental)

Emerge

root #emerge --ask app-admin/doas

Configuration

Doas is configured by the ruleset specified in /etc/doas.conf. By using an empty configuration file the default ruleset will be applied which denies all actions.

Basic configuration

A simple skeleton configuration could be to specify a rule which allows all users in the wheel group to perform any action as root.

CODE Allow all users in the wheel group to execute any command as root
permit :wheel

It's also possible to deny certain actions to specified users. The ruleset is evaluated in a hierarchical manner, thus adding a new rule can override the previous one:

CODE Deny a user to execute a command
permit :wheel
deny toromino cmd fdisk

The user toromino is part of the wheel group and therefore may perform actions available to root, but the second rule denies this user access to the fdisk command.

Authentication

The nopass keyword provides the ability to perform actions without having to enter a password:

CODE Allow all users in the wheel group to perform actions as root without authentication
permit nopass :wheel
Note
Due to OpenBSD-specific kernel API required by doas to set and clear timeouts, the persist feature is disabled by default in the OpenDoas port.

With the persist keyword Doas can remember an authenticated user and will not require confirmation by password for five minutes:

CODE Do not require passwords for five minutes for all users in the wheel group
permit persist :wheel

Commands

Doas allows the creation of rules which only apply to certain commands.

A rule can be specified to allow a certain user to use a command only available to root:

CODE Allow a user to use the reboot command without a password
permit nopass toromino cmd reboot

This allows the user toromino to execute the reboot command without having to enter a password. This may allow users to use restricted commands without providing complete root access.

Testing

A configuration file can be testes as follows:

user $doas -C /etc/doas.conf

Specifying a command will show you whether you have permissions to perform this command:

user $doas -C /etc/doas.conf cat

This test will output deny if you do not have the permissions to execute cat.

You can also check permissions for a specified user:

user $doas -C /etc/doas.conf cat -u tedu

If the user tedu has permissions to access cat it may output permit.

Targets

Doas can not only be used to perform actions with root privileges, it also allows to target certain users and groups. The syntax to distinguish between groups (like :wheel) and users (like toromino) is a leading colon.

CODE Allow a user to perform actions as another user
permit nopass toromino as postgres

By adding this rule, the user toromino is allowed to perform actions as the postgres user without having to enter a password.

Usage

The doas command can be used like sudo:

user $doas emerge -uDN world

See doas(1) for more information.

See also