| doas | |
|---|---|
| Original author | Ted Unangst |
| Developer | OpenBSD Project1 |
| Release | 18 October 2015 (2015-10-18)1 |
| Stable release | |
| Written in | C |
| Type | Security software |
| License | ISC license |
| Website | man |
| Repository | |
doas (“dedicated openbsd application subexecutor”)3 is a program to execute commands as another user. The system administrator can configure it to give specified users privileges to execute specified commands. It is free and open-source under the ISC license4 and available in Unix and Unix-like operating systems.
doas was developed by Ted Unangst5 for OpenBSD as a simpler and safer sudo replacement.67 Unangst himself had issues with the default sudo config, which was his motivation to develop doas.3 doas was released with OpenBSD 5.8 in October 2015 replacing sudo.1 However, OpenBSD still provides sudo as a package.1
Configuration
Definition of privileges should be written in the configuration file, /etc/doas.conf.8 The syntax used in the configuration file is inspired by the packet filter configuration file.3
Examples
Allow user1 to execute procmap as root without password:
permit nopass user1 as root cmd /usr/sbin/procmap
Allow members of the wheel group to run any command as root:
permit :wheel as root
Simpler version (only works if default user is root, which it is after install):
permit :wheel
To allow members of wheel group to run any command (default as root) and remember that they entered the password:
permit persist :wheel
Ports and availability
Jesse Smith's9 port of doas is packaged for DragonFlyBSD,10 FreeBSD,11 and NetBSD.12 According to the author, it also works on illumos and macOS.13
OpenDoas, a Linux port, is packaged for Debian, Alpine, Arch, CRUX, Fedora, Gentoo, GNU Guix, Hyperbola, Manjaro, Parabola, NixOS, Ubuntu, and Void Linux.14 Starting with Alpine Linux v3.16 release, OpenDoas became the suggested replacement for sudo, which got its security maintenance time reduced within the distribution.15
References
References
- "OpenBSD 5.8". www.openbsd.org. Archived from the original on 2021-05-17. Retrieved 2020-05-06.
- "src/usr.bin/doas/doas.c - view - 1.98". 2022-12-22. Retrieved 2023-07-22.
- "doas - dedicated openbsd application subexecutor". flak.tedunangst.com. Retrieved 2022-01-01.
- "Archived copy". Archived from the original on 2021-03-03. Retrieved 2021-09-29.
{{cite web}}: CS1 maint: archived copy as title (link) - – OpenBSD General Commands Manual
- Yegulalp, Serdar (2016-07-25). "OpenBSD 6.0 tightens security by losing Linux compatibility". InfoWorld. Archived from the original on 2021-07-25. Retrieved 2020-05-06.
- Millman, Rene (18 October 2019). "Linux Sudo bug could allow hackers root access". SC Media UK. Archived from the original on 2021-09-29. Retrieved 2020-05-06.
- "Privileges | OpenBSD Handbook". www.openbsdhandbook.com. Archived from the original on 2021-03-03. Retrieved 2020-05-06.
- "Slicer69 (Jesse Smith) · GitHub". GitHub. Archived from the original on 2021-08-31. Retrieved 2020-05-06.
- "DPorts/Security/Doas at master · DragonFlyBSD/DPorts · GitHub". GitHub. Archived from the original on 2021-03-03. Retrieved 2020-08-24.
- "[ports] Log of /Head/Security/Doas/PKG-descr". Archived from the original on 2021-09-29. Retrieved 2020-08-24.
- "The NetBSD Packages Collection: security/doas". ftp.netbsd.org. Archived from the original on 2021-09-29. Retrieved 2020-05-06.
- Smith, Jesse. "doas". GitHub. Archived from the original on 2021-04-27. Retrieved 2020-08-24.
- "opendoas". repology.org. Archived from the original on 2021-03-03. Retrieved 2020-08-24.
- "Alpine 3.16.0 released". alpinelinux.org. Retrieved 2023-06-10.