Doas
doas, an alternative to sudo
Everybody knows sudo, right? The OpenBSD developers wrote a small and secure replacement called doas: simple, secure and clever.
Here is a good and quick tutorial.
An introduction on Vultr, the source code on GitHub and the man page.
Installation OpenBSD
On OpenBSD it is already part of the base system, so there is nothing to install.
Installation Linux
On Linux, for example, you have to install the package:
sudo apt install doas
Install MacOS
cd ~
git clone https://github.com/Duncaen/opendoas
cd opendoas
./configure
sudo make install
sudo cp /etc/pam.d/sudo /etc/pam.d/doas
echo "permit nopass stoege" | sudo tee -a /etc/doas.conf
sudo chmod 600 /etc/doas.conf
Quick and Dirty, Full Permission for group wheel
run as root
echo "permit nopass keepenv :wheel" >> /etc/doas.conf
chmod 600 /etc/doas.conf
Install Full Permission for User ‘stoege’
If you're on Linux, there is no wheel group, so you can grant full permission to a user (stoege) or a group (:stoege) like this:
echo "permit nopass keepenv stoege" > /etc/doas.conf
chmod 600 /etc/doas.conf
Allow User Joe to Switch to another User
cat << 'EOF' >> /etc/doas.conf
# give user joe right to switch to user webmaster -> "/usr/bin/su - webmaster"
permit nopass joe cmd /usr/bin/su args - webmaster
EOF
doas.conf Example
# Group Wheel and User Webmaster get Root Permission
permit nopass keepenv :wheel
permit nopass keepenv webmaster
# User Webmaster is allowed to Restart Nginx
permit nopass webmaster cmd rcctl args check nginx
permit nopass webmaster cmd rcctl args restart nginx
permit nopass webmaster cmd rcctl args start nginx
permit nopass webmaster cmd rcctl args stop nginx
# User Monitoring allows certain Commands
permit nopass monitoring cmd smtpctl args show queue
permit nopass monitoring cmd pfctl args -si
permit nopass monitoring cmd tcpdump args -ne -r /var/log/pflog
permit nopass monitoring cmd cat args /var/log/maillog
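To see how doas reads rules like the joe/su rule and the doas.conf example above, here is a small evaluator for that subset of the doas.conf format. It is an added example, not code from OpenBSD doas or OpenDoas, and it models the documented semantics: rules are scanned top to bottom and the last matching rule decides, `cmd` is compared literally against what the user types (so `/usr/bin/su` and `su` are different commands), `args` must match the arguments exactly, and a bare `args` means "no arguments at all". The sample configuration, the user names alice and bob, and the added `deny` rule are constructed for the demonstration; `setenv { ... }` is not modelled.

```python
"""Evaluator for the doas.conf rule subset used in the examples above.

Added example, not code from OpenBSD doas or OpenDoas. It models the
documented rule semantics: the LAST matching rule decides; 'cmd' is
compared literally with the typed command; 'args' requires an exact
argument match; a bare 'args' means no arguments. 'setenv' is not handled.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field
from typing import Optional

OPTIONS = ("nopass", "persist", "keepenv")


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    identity: str                       # "user" or ":group"
    options: set[str] = field(default_factory=set)
    target: Optional[str] = None        # 'as target', None = any target user
    cmd: Optional[str] = None           # 'cmd command', None = any command
    args: Optional[list[str]] = None    # 'args ...', None = any arguments


def parse_doas_conf(text: str) -> list[Rule]:
    """Parse doas.conf text into Rule objects; comments and blank lines are skipped."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        if not line:
            continue
        tokens = shlex.split(line)
        action = tokens.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in: {line}")
        options: set[str] = set()
        while tokens and tokens[0] in OPTIONS:
            options.add(tokens.pop(0))
        if not tokens:
            raise ValueError(f"missing identity in: {line}")
        rule = Rule(action, tokens.pop(0), options)
        while tokens:
            keyword = tokens.pop(0)
            if keyword == "as":
                rule.target = tokens.pop(0)
            elif keyword == "cmd":
                rule.cmd = tokens.pop(0)
            elif keyword == "args":
                rule.args = tokens          # rest of the line, possibly empty
                tokens = []
            else:
                raise ValueError(f"unexpected token {keyword!r} in: {line}")
        rules.append(rule)
    return rules


def rule_matches(rule: Rule, user: str, groups: list[str], target: str, argv: list[str]) -> bool:
    """True if this rule applies to user/groups running argv as target."""
    if rule.identity.startswith(":"):
        if rule.identity[1:] not in groups:
            return False
    elif rule.identity != user:
        return False
    if rule.target is not None and rule.target != target:
        return False
    if rule.cmd is not None:
        if not argv or argv[0] != rule.cmd:     # literal compare with argv[0]
            return False
        if rule.args is not None and argv[1:] != rule.args:
            return False
    return True


def evaluate(rules: list[Rule], user: str, groups: list[str], argv: list[str], target: str = "root"):
    """Return (permitted, deciding_rule); the last matching rule wins, no match denies."""
    decision = None
    for rule in rules:
        if rule_matches(rule, user, groups, target, argv):
            decision = rule
    if decision is None:
        return False, None
    return decision.action == "permit", decision


# Constructed sample: the page's examples plus one deny rule to show ordering.
SAMPLE_CONF = """\
permit nopass keepenv :wheel
permit nopass webmaster cmd rcctl args restart nginx
permit nopass monitoring cmd pfctl args -si
permit nopass monitoring cmd cat args /var/log/maillog
permit nopass monitoring cmd uptime args
# give user joe the right to switch to user webmaster
permit nopass joe cmd /usr/bin/su args - webmaster
# a later rule overrides earlier ones: wheel members may not stop nginx
deny :wheel cmd rcctl args stop nginx
"""


def decide(user: str, groups: list[str], argv: list[str], conf: str = SAMPLE_CONF) -> bool:
    """Convenience wrapper: would doas permit this invocation under conf?"""
    permitted, _ = evaluate(parse_doas_conf(conf), user, groups, argv)
    return permitted


if __name__ == "__main__":
    rules = parse_doas_conf(SAMPLE_CONF)
    for user, groups, argv in [
        ("alice", ["wheel"], ["rcctl", "restart", "sshd"]),
        ("alice", ["wheel"], ["rcctl", "stop", "nginx"]),
        ("monitoring", [], ["cat", "/var/log/maillog"]),
        ("monitoring", [], ["cat", "/var/log/authlog"]),
        ("joe", [], ["/usr/bin/su", "-", "webmaster"]),
        ("joe", [], ["su", "-", "webmaster"]),
        ("bob", [], ["ls"]),
    ]:
        ok, rule = evaluate(rules, user, groups, argv)
        why = f"{rule.action} {rule.identity}" if rule else "no matching rule"
        print(f"{user:11} {' '.join(argv):28} -> {'permit' if ok else 'deny':6} ({why})")
```

Two things the evaluator makes visible about the page's own example config: because `permit nopass keepenv webmaster` already matches every command, the four `rcctl` rules for webmaster add no restriction (either keep the narrow rules and drop the blanket one, or accept that webmaster is effectively root), and `keepenv` hands the caller's whole environment to the privileged command, which is why the page labels it "quick and dirty".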
Any comments?
sha256: bfce3e35786e8739c192d14a286c3ccb13dc76e5010796b7a04f1ca5ec617c46