Page content

doas, an alternative to sudo

Everybody knows sudo … right ? but the openbsd guys hacked a small and secure replacement called doas …

simple, secure and clever

here a good and quick tutorial

An introduction on Vultr, the Source Code on Github and the Man Page

Installation OpenBSD

On OpenBSD, it’s already in the Base System and no need to install anything.

Installation Linux

On Linux, for Example, you have to add the Package

sudo apt install doas

Install MacOS

cd ~
git clone
cd opendoas
sudo make install
sudo cp /etc/pam.d/sudo /etc/pam.d/doas
echo "permit nopass stoege" |sudo tee -a /etc/doas.conf
sudo chmod 600 /etc/doas.conf

Quick and Dirty, Full Permission for group wheel

run as root

echo "permit nopass keepenv :wheel" >> /etc/doas.conf
chmod 600 /etc/doas.conf

Install Full Permission for User ‘stoege’

if you’re on Linux, there is no wheel group. So, you can add a user (stoege) or group (:stoege) for giving full permission like this:

echo "permit nopass keepenv stoege" > /etc/doas.conf
chmod 600 /etc/doas.conf

Allow User Joe to Switch to another User

cat << 'EOF' >> /etc/doas.conf
# give user joe right to switch to user webmaster -> "/usr/bin/su - webmaster"
permit nopass joe cmd /usr/bin/su args - webmaster

doas.conf Example

# Group Wheel and User Webmaster get Root Permission
permit nopass keepenv :wheel
permit nopass keepenv webmaster

# User Webmaster is allowed to Restart Nginx
permit nopass webmaster cmd rcctl args check nginx
permit nopass webmaster cmd rcctl args restart nginx
permit nopass webmaster cmd rcctl args start nginx
permit nopass webmaster cmd rcctl args stop nginx

# User Monitoring allows certain Commands
permit nopass monitoring cmd smtpctl args show queue
permit nopass monitoring cmd pfctl args -si
permit nopass monitoring cmd tcpdump args -ne -r /var/log/pflog
permit nopass monitoring cmd cat args /var/log/maillog

Any Comments ?

sha256: bfce3e35786e8739c192d14a286c3ccb13dc76e5010796b7a04f1ca5ec617c46