Doas
doas, an alternative to sudo
Everybody knows sudo, right? The BSD guys just hacked up an alternative tool called doas:
simple, secure and clever.
Examples follow below; here is a good and quick tutorial.
An introduction on Vultr, the source code on GitHub and the man page.
Quick and Dirty, Full Permission for group wheel
Run as root:
if [ -f /etc/doas.conf ]; then
    echo "permit nopass keepenv :wheel" >> /etc/doas.conf
else
    echo "permit nopass keepenv :wheel" > /etc/doas.conf
    chmod 600 /etc/doas.conf
fi
Allow User Joe to Switch to another User
cat << 'EOF' >> /etc/doas.conf
# give user joe right to switch to user webmaster -> "/usr/bin/su - webmaster"
permit nopass joe cmd /usr/bin/su args - webmaster
EOF
doas.conf Example
# Group Wheel and User Webmaster get Root Permission
permit nopass keepenv :wheel
permit nopass keepenv webmaster
# User Webmaster is allowed to Restart Nginx
permit nopass webmaster cmd rcctl args check nginx
permit nopass webmaster cmd rcctl args restart nginx
permit nopass webmaster cmd rcctl args start nginx
permit nopass webmaster cmd rcctl args stop nginx
# User Monitoring allows certain Commands
permit nopass monitoring cmd smtpctl args show queue
permit nopass monitoring cmd pfctl args -si
permit nopass monitoring cmd tcpdump args -ne -r /var/log/pflog
permit nopass monitoring cmd cat args /var/log/maillog
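A quick audit of rules like the ones above, as an added example that is not part of the original page or of doas itself: per doas.conf(5), a permit rule without `cmd` allows every command, and the man page advises absolute paths for `cmd`. The labels UNRESTRICTED, KEEPENV and RELATIVE_CMD and the function names are this example's own, and the sample input is constructed from rules shown on this page.

```shell
#!/bin/sh
# Added example: flag over-broad permit rules in a doas.conf.
# Finding labels are this example's own, not doas output.

audit_doas_conf() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
    $1 != "permit"       { next }        # deny rules grant nothing
    {
        nopass = 0; keepenv = 0; cmd = ""; ident = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "nopass") nopass = 1
            else if ($i == "keepenv") keepenv = 1
            else if ($i == "persist" || $i == "nolog") continue
            else if ($i == "setenv") {   # skip the { ... } variable list
                while (i < NF && index($i, "}") == 0) i++
            }
            else if ($i == "as") i++     # skip the target user name
            else if ($i == "cmd") { cmd = $(i + 1); break }
            else if (ident == "") ident = $i
        }
        if (cmd == "")                   # no cmd: every command is allowed
            printf "%d UNRESTRICTED %s%s\n", NR, ident, (nopass ? " nopass" : "")
        else if (substr(cmd, 1, 1) != "/")
            printf "%d RELATIVE_CMD %s %s\n", NR, ident, cmd
        if (keepenv)                     # caller environment is kept
            printf "%d KEEPENV %s\n", NR, ident
    }' "$@"
}

# Constructed sample: a subset of the rules shown on this page.
sample_conf() {
    cat << 'EOF'
permit nopass keepenv :wheel
permit nopass keepenv webmaster
permit nopass webmaster cmd rcctl args restart nginx
permit nopass joe cmd /usr/bin/su args - webmaster
permit nopass monitoring cmd pfctl args -si
EOF
}

# Each output line is "<line number> <label> <identity> [detail]".
sample_conf | audit_doas_conf
```

Run it against a real file with `audit_doas_conf /etc/doas.conf`. The blanket `webmaster` rule is reported as UNRESTRICTED, which means the per-command rcctl rules for that user restrict nothing while it is present.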