10.4 - Introducing doas(1) -- or -- What happened to sudo?
10.4.1 - What is doas(1)?
doas(1) allows a user to temporarily run commands as the root (or other) user. For example, if appropriately configured, doas allows you to run the command fdisk as if you were root. Key words there are "appropriately configured", of course. You don't want average users to be able to get root privileges for any command they wish to run! Typically, though certainly not required, users in the "wheel" group are given permission to run commands with doas.
10.4.2 - Why doas(1)?
One common challenge when professionally administering computers is the contradictory requirements of multiple people being able to manage every machine and that account passwords should not be shared.
doas(1) solves this problem by permitting a certain subset of your users (for example, members of the "wheel" group) to run predetermined commands (often, all commands) as another user (often root). Now, anyone can run administrative commands, only needing to authenticate as themselves; they do not need to use the root account or know the root password.
An added advantage of "doas" is that all activity is logged. It is possible to find out who ran an application.
Using a properly configured doas(1) on OpenBSD, one can completely disable the root account, eliminating all root password management issues.
It is also considered good practice by many to use doas when absolutely necessary to run a command as root, rather than sitting at a root console prompt. This way, an erroneously typed command is less likely to have catastrophic results. However, this is subject to some debate. It is possible to cause as much chaos and havoc with a "finger-memory" (or just incorrect command) invocation of doas as it is when logged in as root. For this reason, we do not blindly side with those that chant "always use 'doas', never use 'root'!" or spend hours making things happen without root. Notably, if you set doas to not require the confirmation of your password, any script or application running as you can invoke doas(1) to make any changes to your system as root. For this reason, for personal systems, it is probably better to either just use su(1) to elevate one's self to root status, or use doas(1) with the password option.
10.4.3 - "Sounds like sudo!"
Yes, doas(1) was inspired by sudo. doas(1) is OpenBSD's replacement for the sudo command.
The complexity of sudo has prevented the importing of the most current versions, and the complexity of the sudoers config file has discouraged many users from doing anything other than uncomment one line in the conf file. In short, sudo's code is too complicated for the way most users use it, and its configuration is too difficult for more advanced uses.
doas(1) is intended to have a simpler, and thus hopefully more secure code base and a simpler configuration file. From a user standpoint, the two are very similar.
For those needing the functionality of sudo, it's available as a package.
10.4.4 - Using doas(1) -- basic doas.conf(5)
A very basic doas.conf might look like this:
permit keepenv { PKG_PATH ENV PS1 SSH_AUTH_SOCK } :wheel
This file gives users in the wheel group root-level access to all commands, with the environment variables PKG_PATH, ENV, PS1, and SSH_AUTH_SOCK passed through to the program you are invoking. The user will be asked to verify their password before the command is run.
A more sophisticated doas.conf(5) file which would permit you to build OpenBSD from source using doas(1) without entering your password every time might be:
permit nopass keepenv { PKG_PATH ENV PS1 SSH_AUTH_SOCK } :wheel
permit nopass keepenv { \
    FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \
    DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \
    MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \
    PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \
    SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
While the "nopass" option makes using "doas" very easy, it can also be invoked by any script or program, without the user's knowledge or permission. For this reason, systems used as general purpose workstations should probably not use the "nopass" option, if using doas(1) at all. The alternative is using su(1) and the root password to use the root account.
If you don't like the idea of any script or program you run being able to silently invoke doas(1) to run something as root, but you find typing your password over and over annoying, you may want to create a user for administrative tasks, such as "admin", and have a doas.conf file like this:
permit :wheel as admin
permit nopass admin
Now, anyone who is in the wheel group can become "admin" with just one entry of their password, and then admin can run the commands they wish without a password until they drop back to their normal user.
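To review which accounts the "nopass" concern above applies to, the following sh/awk audit lists every nopass rule in a doas.conf with its identity, target and command. It is an added example, not part of the original FAQ: the function name list_nopass, the sample file and the ":ops" rule are constructed for illustration, and quoted strings containing "#" or braces are assumed not to occur.

```sh
#!/bin/sh
# list_nopass FILE: print "<line> <identity> as=<target> cmd=<command>"
# for every permit rule that carries the nopass option.
list_nopass() {
    awk '
    { sub(/#.*/, "") }                      # strip comments
    /\\[ \t]*$/ {                           # trailing backslash: rule continues
        sub(/\\[ \t]*$/, " ")
        if (buf == "") first = NR           # remember where the rule started
        buf = buf $0; next
    }
    {
        rule = buf $0; line = (buf == "") ? NR : first; buf = ""
        gsub(/[{][^}]*[}]/, " ", rule)      # environment lists hold no keywords
        n = split(rule, w, " ")
        if (n == 0 || w[1] != "permit") next
        nopass = 0; who = ""; tgt = "any"; cmd = "ANY"   # doas.conf(5) defaults
        for (i = 2; i <= n; i++) {
            if (w[i] == "nopass") nopass = 1
            else if (w[i] ~ /^(keepenv|setenv|persist|nolog)$/) continue
            else if (who == "") who = w[i]
            else if (w[i] == "as" && i < n) tgt = w[++i]
            else if (w[i] == "cmd" && i < n) { cmd = w[++i]; break }
        }
        if (nopass) printf "%d %s as=%s cmd=%s\n", line, who, tgt, cmd
    }' "$1"
}

# Constructed sample built from the rules shown in this section, plus one
# hypothetical command-restricted rule (:ops) for contrast.
sample=$(mktemp)
cat > "$sample" <<'EOF'
permit keepenv { PKG_PATH ENV PS1 SSH_AUTH_SOCK } :wheel
permit nopass keepenv { \
    FTPMODE PKG_CACHE PKG_PATH } :wsrc
permit :wheel as admin
permit nopass admin
permit nopass :ops as root cmd /sbin/reboot
EOF
list_nopass "$sample"
rm -f "$sample"
```

A rule reported with cmd=ANY lets every process running as that identity become the target user silently; on a live system, run the function against /etc/doas.conf.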