xref: /openbsd-src/usr.bin/doas/doas.conf.5 (revision f2da64fbbbf1b03f09f390ab01267c93dfd77c4c) 
1.\" $OpenBSD: doas.conf.5,v 1.30 2016/09/02 18:12:30 tedu Exp $
2.\"
3.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
4.\"
5.\"Permission to use, copy, modify, and distribute this software for any
6.\"purpose with or without fee is hereby granted, provided that the above
7.\"copyright notice and this permission notice appear in all copies.
8.\"
9.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11.\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12.\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.Dd $Mdocdate: September 2 2016 $
17.Dt DOAS.CONF 5
18.Os
19.Sh NAME
20.Nm doas.conf
21.Nd doas configuration file
22.Sh SYNOPSIS
23.Nm /etc/doas.conf
24.Sh DESCRIPTION
25The
26.Xr doas 1
27utility executes commands as other users according to the rules
28in the
29.Nm
30configuration file.
31.Pp
32The rules have the following format:
33.Bd -ragged -offset indent
34.Ic permit Ns | Ns Ic deny
35.Op Ar options
36.Ar identity
37.Op Ic as Ar target
38.Op Ic cmd Ar command Op Ic args ...
39.Ed
40.Pp
41Rules consist of the following parts:
42.Bl -tag -width 11n
43.It Ic permit Ns | Ns Ic deny
44The action to be taken if this rule matches.
45.It Ar options
46Options are:
47.Bl -tag -width keepenv
48.It Ic nopass
49The user is not required to enter a password.
50.It Ic persist
51After the user successfully authenticates, do not ask for a password
52again for some time.
53.It Ic keepenv
54The user's environment is maintained.
55The default is to reset the environment, except for the variables
56.Ev DISPLAY ,
57.Ev HOME ,
58.Ev LOGNAME ,
59.Ev MAIL ,
60.Ev PATH ,
61.Ev TERM ,
62.Ev USER
63and
64.Ev USERNAME .
65.It Ic setenv { Oo Ar variable ... Oc Oo Ar variable=value ... Oc Ic }
66In addition to the variables mentioned above, keep the space-separated
67specified variables.
68Variables may also be removed with a leading
69.Sq -
70or set using the latter syntax.
71If the first character of
72.Ar value
73is a
74.Ql $
75then the value to be set is taken from the existing environment
76variable of the same name.
77.El
78.It Ar identity
79The username to match.
80Groups may be specified by prepending a colon
81.Pq Sq \&: .
82Numeric IDs are also accepted.
83.It Ic as Ar target
84The target user the running user is allowed to run the command as.
85The default is all users.
86.It Ic cmd Ar command
87The command the user is allowed or denied to run.
88The default is all commands.
89Be advised that it is best to specify absolute paths.
90If a relative path is specified, only a restricted
91.Ev PATH
92will be searched.
93.It Ic args ...
94Arguments to command.
95The command arguments provided by the user need to match those specified.
96The keyword
97.Ic args
98alone means that command must be run without any arguments.
99.El
100.Pp
101The last matching rule determines the action taken.
102If no rule matches, the action is denied.
103.Pp
104Comments can be put anywhere in the file using a hash mark
105.Pq Sq # ,
106and extend to the end of the current line.
107.Pp
108The following quoting rules apply:
109.Bl -dash
110.It
111The text between a pair of double quotes
112.Pq Sq \&"
113is taken as is.
114.It
115The backslash character
116.Pq Sq \e
117escapes the next character, including new line characters, outside comments;
118as a result, comments may not be extended over multiple lines.
119.It
120If quotes or backslashes are used in a word,
121it is not considered a keyword.
122.El
123.Sh EXAMPLES
124The following example permits users in group wsrc to build ports;
125wheel to execute commands as any user while keeping the environment
126variables
127.Ev PS1
128and
129.Ev SSH_AUTH_SOCK
130and
131unsetting
132.Ev ENV ;
133permits tedu to run procmap as root without a password;
134and additionally permits root to run unrestricted commands as itself.
135.Bd -literal -offset indent
136# Non-exhaustive list of variables needed to
137# build release(8) and ports(7)
138permit nopass setenv { \e
139        FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \e
140        DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \e
141        MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \e
142        PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \e
143        SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
144permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
145permit nopass tedu as root cmd /usr/sbin/procmap
146permit nopass keepenv root as root
147.Ed
148.Sh SEE ALSO
149.Xr doas 1
150.Sh HISTORY
151The
152.Nm
153configuration file first appeared in
154.Ox 5.8 .
155.Sh AUTHORS
156.An Ted Unangst Aq Mt tedu@openbsd.org
157