1.\" $OpenBSD: doas.1,v 1.25 2021/01/16 09:18:41 martijn Exp $ 2.\" 3.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> 4.\" 5.\"Permission to use, copy, modify, and distribute this software for any 6.\"purpose with or without fee is hereby granted, provided that the above 7.\"copyright notice and this permission notice appear in all copies. 8.\" 9.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11.\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12.\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16.Dd $Mdocdate: January 16 2021 $ 17.Dt DOAS 1 18.Os 19.Sh NAME 20.Nm doas 21.Nd execute commands as another user 22.Sh SYNOPSIS 23.Nm doas 24.Op Fl Lns 25.Op Fl a Ar style 26.Op Fl C Ar config 27.Op Fl u Ar user 28.Ar command 29.Op Ar args 30.Sh DESCRIPTION 31The 32.Nm 33utility executes the given command as another user. 34The 35.Ar command 36argument is mandatory unless 37.Fl C , 38.Fl L , 39or 40.Fl s 41is specified. 42.Pp 43The user will be required to authenticate by entering their password, 44unless configured otherwise. 45.Pp 46By default, a new environment is created. 47The variables 48.Ev HOME , 49.Ev LOGNAME , 50.Ev PATH , 51.Ev SHELL , 52and 53.Ev USER 54and the 55.Xr umask 2 56are set to values appropriate for the target user. 57.Ev DOAS_USER 58is set to the name of the user executing 59.Nm . 60The variables 61.Ev DISPLAY 62and 63.Ev TERM 64are inherited from the current environment. 65This behavior may be modified by the config file. 66The working directory is not changed. 67.Pp 68The options are as follows: 69.Bl -tag -width tenletters 70.It Fl a Ar style 71Use the specified authentication style when validating the user, 72as allowed by 73.Pa /etc/login.conf . 74A list of doas-specific authentication methods may be configured by adding an 75.Sq auth-doas 76entry in 77.Xr login.conf 5 . 78.It Fl C Ar config 79Parse and check the configuration file 80.Ar config , 81then exit. 82If 83.Ar command 84is supplied, 85.Nm 86will also perform command matching. 87In the latter case 88either 89.Sq permit , 90.Sq permit nopass 91or 92.Sq deny 93will be printed on standard output, depending on command 94matching results. 95No command is executed. 96.It Fl L 97Clear any persisted authentications from previous invocations, 98then immediately exit. 99No command is executed. 100.It Fl n 101Non interactive mode, fail if the matching rule doesn't have the 102.Ic nopass 103option. 104.It Fl s 105Execute the shell from 106.Ev SHELL 107or 108.Pa /etc/passwd . 109.It Fl u Ar user 110Execute the command as 111.Ar user . 112The default is root. 113.El 114.Sh EXIT STATUS 115.Ex -std doas 116It may fail for one of the following reasons: 117.Pp 118.Bl -bullet -compact 119.It 120The config file 121.Pa /etc/doas.conf 122could not be parsed. 123.It 124The user attempted to run a command which is not permitted. 125.It 126The password was incorrect. 127.It 128The specified command was not found or is not executable. 129.El 130.Sh SEE ALSO 131.Xr su 1 , 132.Xr doas.conf 5 133.Sh HISTORY 134The 135.Nm 136command first appeared in 137.Ox 5.8 . 138.Sh AUTHORS 139.An Ted Unangst Aq Mt tedu@openbsd.org 140