Doas Explained

doas
doas
Author:Ted Unangst
Developer:OpenBSD Project[1]
Latest Release Version:[2]
Programming Language:C
Genre:Security software
License:ISC license
Website:https://man.openbsd.org/doas

doas (“dedicated openbsd application subexecutor”)[3] is a program to execute commands as another user. The system administrator can configure it to give specified users privileges to execute specified commands. It is free and open-source under the ISC license[4] and available in Unix and Unix-like operating systems.

doas was developed by Ted Unangst for OpenBSD as a simpler and safer sudo replacement.[5] [6] Unangst himself had issues with the default sudo config, which was his motivation to develop doas. doas was released with OpenBSD 5.8 in October 2015 replacing sudo. However, OpenBSD still provides sudo as a package.

Configuration

Definition of privileges should be written in the configuration file, /etc/doas.conf.[7] The syntax used in the configuration file is inspired by the packet filter configuration file.

Examples

Allow user1 to execute procmap as root without password: permit nopass user1 as root cmd /usr/sbin/procmapAllow members of the wheel group to run any command as root: permit :wheel as rootSimpler version (only works if default user is root, which it is after install): permit :wheelTo allow members of wheel group to run any command (default as root) and remember that they entered the password: permit persist :wheel

Ports and availability

Jesse Smith’s[8] port of doas is packaged for DragonFlyBSD,[9] FreeBSD,[10] and NetBSD.[11] According to the author, it also works on illumos and macOS.[12]

OpenDoas, a Linux port, is packaged for Debian, Alpine, Arch, CRUX, Fedora, Gentoo, GNU Guix, Hyperbola, Manjaro, Parabola, NixOS, Ubuntu, and Void Linux.[13] Starting with Alpine Linux v3.16 release, OpenDoas became the suggested replacement for sudo, which got its security maintenance time reduced within the distribution.[14]

See also

Notes and References

  1. Web site: OpenBSD 5.8. www.openbsd.org. 2020-05-06. 2021-05-17. https://web.archive.org/web/20210517090822/http://www.openbsd.org/58.html. live.
  2. Web site: src/usr.bin/doas/doas.c - view - 1.98. 2022-12-22. 2023-07-22.
  3. Web site: doas - dedicated openbsd application subexecutor. 2022-01-01. flak.tedunangst.com.
  4. Web site: Archived copy . 2021-09-29 . 2021-03-03 . https://web.archive.org/web/20210303224700/https://cvsweb.openbsd.org/src/usr.bin/doas/doas.c?rev=1.82 . live .
  5. Web site: OpenBSD 6.0 tightens security by losing Linux compatibility. Yegulalp. Serdar. 2016-07-25. InfoWorld. en. 2020-05-06. 2021-07-25. https://web.archive.org/web/20210725010953/https://www.infoworld.com/article/3099038/openbsd-60-tightens-security-by-losing-linux-compatibility.html. live.
  6. Web site: Linux Sudo bug could allow hackers root access. Millman. Rene. 18 October 2019. SC Media UK. live. https://web.archive.org/web/20210929013544/https://insight.scmagazineuk.com/. 2021-09-29. 2020-05-06.
  7. Web site: Privileges OpenBSD Handbook. 2020-05-06. www.openbsdhandbook.com. 2021-03-03. https://web.archive.org/web/20210303224642/https://www.openbsdhandbook.com/system_management/privileges/. live.
  8. Web site: Slicer69 (Jesse Smith) · GitHub . . 2020-05-06 . 2021-08-31 . https://web.archive.org/web/20210831120849/https://github.com/slicer69 . live .
  9. Web site: DPorts/Security/Doas at master · DragonFlyBSD/DPorts · GitHub . . 2020-08-24 . 2021-03-03 . https://web.archive.org/web/20210303224641/https://github.com/DragonFlyBSD/DPorts/tree/master/security/doas . live .
  10. Web site: [ports] Log of /Head/Security/Doas/PKG-descr . 2020-08-24 . 2021-09-29 . https://web.archive.org/web/20210929013539/https://svnweb.freebsd.org/ports/head/security/doas/pkg-descr . live .
  11. Web site: The NetBSD Packages Collection: security/doas. ftp.netbsd.org. 2020-05-06. 2021-09-29. https://web.archive.org/web/20210929013538/http://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/security/doas/README.html. live.
  12. Web site: doas. 2020-08-24. GitHub. Smith. Jesse. 2021-04-27. https://web.archive.org/web/20210427124214/https://github.com/slicer69/doas. live.
  13. Web site: opendoas. repology.org. 2020-08-24. 2021-03-03. https://web.archive.org/web/20210303224639/https://repology.org/project/opendoas/information. live.
  14. Web site: Alpine 3.16.0 released. 2023-06-10 . alpinelinux.org.