The doas command provides a way to perform commands as another user. It aims to be a a simplified and lightweight replacement for sudo. The doas tool was originally written for OpenBSD by Ted Unangst. OpenDoas is a port of doas for Linux, which is available as the app-admin/doas package.
USE flags for app-admin/doas Run commands as super/another user (alt sudo) (unofficial port from OpenBSD)
emerge --ask app-admin/doas
The doas tool is configured by the ruleset specified in /etc/doas.conf. By using an empty configuration file the default ruleset will be applied which denies all actions.
A simple skeleton configuration could be to specify a rule which allows all users in the wheel group to perform any action as root.
It's also possible to deny certain actions to specified users. The ruleset is evaluated in a hierarchical manner, thus adding a new rule can override the previous one:
permit :wheel deny larry cmd fdisk
The user larry is part of the wheel group and therefore may perform actions available to root, but the second rule denies this user access to the fdisk command.
The nopass keyword provides the ability to perform actions without having to enter a password:
permit nopass :wheel
Due to OpenBSD-specific kernel API required by doas to set and clear timeouts, the persist feature is disabled by default in the OpenDoas port.
With the persist keyword doas can remember an authenticated user and will not require confirmation by password for five minutes:
permit persist :wheel
The doas tool allows the creation of rules which only apply to certain commands.
A rule can be specified to allow a certain user to use a command only available to root:
permit nopass larry cmd reboot
This allows the user larry to execute the reboot command without having to enter a password. This may allow users to use restricted commands without providing complete root access.
A configuration file can be tested as follows:
doas -C /etc/doas.conf
Specifying a command will show you whether you have permissions to perform this command:
doas -C /etc/doas.conf cat
This test will output deny if you do not have the permissions to execute cat.
You can also check permissions for a specified user:
doas -C /etc/doas.conf cat -u larry
If the user larry has permissions to access cat it may output permit.
The doas can not only be used to perform actions with root privileges, it also allows to target certain users and groups. The syntax to distinguish between groups (like :wheel) and users (like larry) is a leading colon.
permit nopass larry as postgres
By adding this rule, the user larry is allowed to perform actions as the postgres user without having to enter a password.
Bash tab completion
By default bash will only tab complete files and directories within the current or referenced directory. To tell bash to complete arguments as if they were separate commands (also leveraging the tab completion settings of other commands) the following can be added to either the users .bashrc, or the global /etc/bashrc.
# Configure completion for doas # -c : Complete arguments as if they were commands # (eg: `doas emer<tab>` -> `doas emerge`) # (eg: `doas dd status=p<tab>` -> `doas dd status=progress`) # -f : Complete arguments as if they were directory names (default behaviour) # (eg: `doas /bi<tab>` -> `doas /bin/`) complete -cf doas
The doas command can be used like sudo:
doas emerge -uDN world
See doas(1) for more information.