doas tips - sudo alternative

Some tips on using doas, the sudo alternative ported from OpenBSD.

Install doas

Code:
# pkg install doas

Create the doas config file

Bash:
# vi /usr/local/etc/doas.conf

The username and groups follow the chown syntax; the username or group is preceded by the colon (:) character.

e.g.

:username
:groupname

Replace username with your username in the following example.

In the first example we allow our user to run commands as root but require a password.
In the second example we use the nopass option to allow username2 to execute commands as root without prompting for a password.

We allow username to execute some commands as root without entering a password,
for example to mount drives, start the musicpd service and run the pkg update command.

To run a service as root without a password we specify the service after cmd and then args followed by the arguments,
in this example to start the musicpd service.

Bash:
# allow user but require password
permit keepenv :username

# allow user and dont require a password to execute commands as root
permit nopass keepenv :username2

# mount drives
permit nopass :username cmd mount
permit nopass :username cmd umount

# musicpd service start and stop
permit nopass :username cmd service args musicpd onestart
permit nopass :username cmd service args musicpd onestop

# pkg update
permit nopass :username cmd pkg args update

# run personal scripts as root without prompting for a password,
# requires entering the full path when running with doas
permit nopass :username cmd /home/username/bin/somescript

# root as root
permit nopass keepenv root as root

You can also run your own personal scripts as root without a password,
but you have to enter the full path to the script in the doas.conf file and when the script is run in the terminal.

For example, to run the somescript script as shown in the doas.conf file, we have to specify the full path to the script in the terminal.

Bash:
doas /home/username/bin/somescript

This is because doas only searches the system path and not your user's path.
 
Thanks for the examples!

Just an FYI that you don't use a colon for <username>, as they are for :<group> only.

This is what I've added to my config to help prevent any accidental catastrophes:

Bash:
# rm -rf / root dir protection
# doas compares "args" with the typed arguments literally (no regular
# expressions), so each argument list to refuse is spelled out exactly.
# Rules are read in order and the last match wins, so these deny rules
# must come after the permit rules for <username>.
deny <username> as root cmd rm args -rf /
deny <username> as root cmd rm args -fr /

# chown -R / root dir protection (one owner/flag combination shown; list
# each combination you want refused the same way)
deny <username> as root cmd chown args -R root /
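A small Python model of the rule matching behind the doas.conf examples in this thread (the permit rules in the first post and the deny rules in this reply); this is an added example, not doas's own code, and alice, bob and wheel are placeholder names. It shows that a ':name' identity is a group, that 'args' is compared literally with the full argument list (so a regex-style pattern never fires), and that the last matching rule wins.

```python
# Toy model of how doas evaluates doas.conf (added example, not doas code): ':name'
# is a group, 'args' must equal the typed argument list exactly, last match wins.
import shlex
OPTIONS = {"nopass", "persist", "keepenv"}
def parse_rule(line):
    """Parse one doas.conf line into a dict; None for blank/comment lines."""
    toks = shlex.split(line, comments=True)
    if not toks:
        return None
    rule = {"action": toks[0], "options": set(), "as": None, "cmd": None, "args": None}
    i = 1
    while toks[i] in OPTIONS:
        rule["options"].add(toks[i])
        i += 1
    rule["identity"], i = toks[i], i + 1  # a user name, or :group
    while i < len(toks):
        if toks[i] == "args":
            rule["args"] = toks[i + 1:]  # exact argument list (may be empty)
            break
        if toks[i] not in ("as", "cmd"):
            raise ValueError("unexpected token %r in: %s" % (toks[i], line))
        rule[toks[i]], i = toks[i + 1], i + 2
    return rule

def rule_matches(rule, user, groups, target, cmd, args):
    """True when the rule applies to this user, target user and command line."""
    ident = rule["identity"]
    if ident.startswith(":"):  # ':name' is a group, not a user
        if ident[1:] not in groups:
            return False
    elif ident != user:
        return False
    if rule["as"] not in (None, target) or rule["cmd"] not in (None, cmd):
        return False
    # 'args' is compared literally; a regex-looking pattern never equals ['-rf', '/']
    return rule["args"] is None or rule["args"] == list(args)

def evaluate(conf, user, groups, target, cmd, args):
    """Return (decision, options); the last matching rule wins, as in doas."""
    decision, options = "deny", set()
    for line in conf.splitlines():
        rule = parse_rule(line)
        if rule and rule_matches(rule, user, groups, target, cmd, args):
            decision, options = rule["action"], rule["options"]
    return decision, options
# Constructed sample config; alice, bob and wheel are placeholder names.
CONF = r"""permit nopass keepenv alice
permit nopass :wheel cmd pkg args update
deny alice as root cmd rm args .*\s+/$
deny alice as root cmd rm args -rf /"""
```

Only the literal `-rf /` deny fires; `rm -fr /` slips through, which is why every argument form to refuse has to be listed.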
 
On OpenBSD these doas settings are more efficient, but on FreeBSD I'm not used to using sudo or doas. Some will call me ignorant, others an idiot, but I'm a guy who is used to dealing with security issues, among others.

 
Ignorant? Nope. You just know your environment.
Anyway, I typically don't use sudo or doas either. Basically my home system only has me using it, so a term window that I su'd in works fine. But I will occasionally do a command as sudo just to remind my fingers about it.
 