"doas" usage vs "sudo"

Tracker · Jun 5, 2024

I am trying to convert the following into `doas` instead of sudo - I can get the permit to work with the command but struggling to update the conf file with the required arguments

1. sudo acpiconf -s 3 I could only get this to translate to
permit nopass myusername as root cmd acpiconf

How can I make it more refined to include the "-s 3" argument?

2. sudo service netif restart I could only get this to translate to
permit nopass myusername as root cmd service

How can I make it more refined to include "netif restart" argument?

kjeacle · Jun 6, 2024

permit nopass myusername as root cmd service args netif restart

Erichans · Jun 6, 2024

Besides doas(1) & doas.conf(5)*, there is the neat and short doas mastery by the doas author Ted Unangst.

* there you'll find the "man" explanation of args [argument ... ]

Tracker · Jun 6, 2024

kjeacle said:
permit nopass myusername as root cmd service args netif restart

Ah interesting thanks, I got the impression that "args" was to be replaced by the actual arguments and was leading to errors.

Erichans said:
Besides doas(1) & doas.conf(5)*, there is the neat and short doas mastery by the doas author Ted Unangst.

* there you'll find the "man" explanation of args [argument ... ]

Yes, that tutorial makes me more comfortable.

Just getting used to doas.

Makes me wonder how to edit a file as doas - should I just? ? (maybe without the nopass)
permit nopass myusername as root cmd vim

Erichans · Jun 6, 2024

Tracker said:
I got the impression that "args" was to be replaced by the actual arguments and was leading to errors.

That would be the case when using just args (nothing following) and expecting doas to accept, for example doas acpiconf -s 3. For catching syntax errors (contrasting visudo(8)), use doas -C ... as a standard practice. (doas being a nice, compact, but less fully fledged version alternative for sudo(8))

If you need to manage doas.conf as precisely as visudo(8), you'll have to find a way to use or mimic its inner workings:

Copies policy file to temp file
You edit temp file
Parses edited file
Installs or rejects file

Tracker · Jun 17, 2024

Noticing some unexpected behaviour

When I have the following I get asked for password

Code:

permit nopass username as root cmd service args netif

However this doesn't ask me for password (that's how I want it to work but with arguments)

Code:

permit nopass username as root cmd service #args netif

Is there something specific about applying arguments? Seems like whenever I'm applying arguments in the doas.conf file I get asked for the password

NapoleonWils0n · Jun 17, 2024

you dont need as root with cmd service

Code:

# permit user
permit keepenv :djwilcox

# mount drives
permit nopass :djwilcox cmd mount
permit nopass :djwilcox cmd umount

# restart networking
permit nopass :djwilcox cmd service args netif start
permit nopass :djwilcox cmd service args netif stop
permit nopass :djwilcox cmd service args netif restart

# ifconfig wlan0
permit nopass :djwilcox cmd ifconfig args wlan0 up
permit nopass :djwilcox cmd ifconfig args wlan0 down

# ifconfig ue0 - usb ethenet
permit nopass :djwilcox cmd ifconfig args ue0 up
permit nopass :djwilcox cmd ifconfig args ue0 down

# ifconfig scan and wpa_supplicant
permit nopass :djwilcox cmd ifconfig args wlan0 list scan
permit nopass :djwilcox cmd wpa_supplicant args -B -i wlan0 -c /etc/wpa_supplicant.conf

# pkg update
permit nopass :djwilcox cmd pkg args update

# pkg upgrade
permit nopass :djwilcox cmd pkg args upgrade

# dmesg
permit nopass :djwilcox cmd dmesg

# sysctl
permit nopass :djwilcox cmd sysctl

# chroot
permit nopass :djwilcox cmd chroot

# jail
permit nopass :djwilcox cmd jexec
permit nopass :djwilcox cmd service

# root as root
permit nopass keepenv root as root

kimminss0 · Jan 9, 2025

Erichans said:
For catching syntax errors (contrasting visudo(8)), use doas -C ... as a standard practice. (doas being a nice, compact, but less fully fledged version alternative for sudo(8))

There is vidoas(1) on FreeBSD. Also you may find doasedit(1) useful, too.

But I couldn't find those on OpenBSD and Linux(Debian).

P.S.
It's weird that I can see man pages on my FreeBSD 14.2 machine with doas-6.3p12 installed, but they're not appearing at man.freebsd.org.

Kai Burghardt · Jan 9, 2025

kimminss0 said:
There is vidoas(1) on FreeBSD. Also you may find doasedit(1) useful, too. […]
[…] they're not appearing at man.freebsd.org.

Congratulations! You have found a bug. The titles vidoas(1) and doasedit(1) are misleading. They are sorted into the maintenance section: vidoas(8) and doasedit(8).

kimminss0 · Jan 9, 2025

The man pages for vidoas and doasedit were located at /usr/local/share/man/man8/vidoas.8.gz and /usr/local/share/man/man8/doasedit.8.gz, though they are displaying as VIDOAS(1) and DOASEDIT(1). It's the bug inherited from the upstream repo slicer/doas at GitHub.

NapoleonWils0n · Jan 9, 2025

posted something by mistake in the wrong thread
so deleted it