xref: /openbsd/usr.bin/doas/doas.conf.5 (revision 274d7c50) 
1.\" $OpenBSD: doas.conf.5,v 1.41 2019/07/07 19:21:28 tedu Exp $
2.\"
3.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
4.\"
5.\"Permission to use, copy, modify, and distribute this software for any
6.\"purpose with or without fee is hereby granted, provided that the above
7.\"copyright notice and this permission notice appear in all copies.
8.\"
9.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11.\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12.\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.Dd $Mdocdate: July 7 2019 $
17.Dt DOAS.CONF 5
18.Os
19.Sh NAME
20.Nm doas.conf
21.Nd doas configuration file
22.Sh DESCRIPTION
23The
24.Xr doas 1
25utility executes commands as other users according to the rules
26in the
27.Nm
28configuration file.
29.Pp
30The rules have the following format:
31.Bd -ragged -offset indent
32.Ic permit Ns | Ns Ic deny
33.Op Ar options
34.Ar identity
35.Op Ic as Ar target
36.Op Ic cmd Ar command Op Ic args No ...
37.Ed
38.Pp
39Rules consist of the following parts:
40.Bl -tag -width 11n
41.It Ic permit Ns | Ns Ic deny
42The action to be taken if this rule matches.
43.It Ar options
44Options are:
45.Bl -tag -width keepenv
46.It Ic nopass
47The user is not required to enter a password.
48.It Ic persist
49After the user successfully authenticates, do not ask for a password
50again for some time.
51.It Ic keepenv
52Environment variables other than those listed in
53.Xr doas 1
54are retained when creating the environment for the new process.
55.It Ic setenv { Oo Ar variable ... Oc Oo Ar variable=value ... Oc Ic }
56Keep or set the space-separated specified variables.
57Variables may also be removed with a leading
58.Sq -
59or set using the latter syntax.
60If the first character of
61.Ar value
62is a
63.Ql $
64then the value to be set is taken from the existing environment
65variable of the indicated name.
66This option is processed after the default environment has been created.
67.El
68.It Ar identity
69The username to match.
70Groups may be specified by prepending a colon
71.Pq Sq \&: .
72Numeric IDs are also accepted.
73.It Ic as Ar target
74The target user the running user is allowed to run the command as.
75The default is all users.
76.It Ic cmd Ar command
77The command the user is allowed or denied to run.
78The default is all commands.
79Be advised that it is best to specify absolute paths.
80If a relative path is specified, only a restricted
81.Ev PATH
82will be searched.
83.It Ic args Op Ar argument ...
84Arguments to command.
85The command arguments provided by the user need to match those specified.
86The keyword
87.Ic args
88alone means that command must be run without any arguments.
89.El
90.Pp
91The last matching rule determines the action taken.
92If no rule matches, the action is denied.
93.Pp
94Comments can be put anywhere in the file using a hash mark
95.Pq Sq # ,
96and extend to the end of the current line.
97.Pp
98The following quoting rules apply:
99.Bl -dash
100.It
101The text between a pair of double quotes
102.Pq Sq \&"
103is taken as is.
104.It
105The backslash character
106.Pq Sq \e
107escapes the next character, including new line characters, outside comments;
108as a result, comments may not be extended over multiple lines.
109.It
110If quotes or backslashes are used in a word,
111it is not considered a keyword.
112.El
113.Sh FILES
114.Bl -tag -width "/etc/doas.conf"
115.It Pa /etc/doas.conf
116doas configuration file.
117.El
118.Sh EXAMPLES
119The following example permits user aja to install packages
120from a preferred mirror;
121group wheel to execute commands as any user while keeping the environment
122variables
123.Ev PS1
124and
125.Ev SSH_AUTH_SOCK
126and
127unsetting
128.Ev ENV ;
129permits tedu to run procmap as root without a password;
130and additionally permits root to run unrestricted commands as itself
131while retaining the original PATH.
132.Bd -literal -offset indent
133permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add
134permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
135permit nopass tedu as root cmd /usr/sbin/procmap
136permit nopass keepenv setenv { PATH } root as root
137.Ed
138.Sh SEE ALSO
139.Xr doas 1
140.Sh HISTORY
141The
142.Nm
143configuration file first appeared in
144.Ox 5.8 .
145.Sh AUTHORS
146.An Ted Unangst Aq Mt tedu@openbsd.org
147