mirror of
https://github.com/slicer69/doas
synced 2024-10-15 04:02:35 +00:00
ce871f82bc
the persist keyword does not currently work on Linux or FreeBSD.
157 lines
4.6 KiB
Groff
157 lines
4.6 KiB
Groff
.\" $OpenBSD: doas.conf.5,v 1.31 2016/12/05 10:58:07 schwarze Exp $
|
|
.\"
|
|
.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
|
|
.\"
|
|
.\"Permission to use, copy, modify, and distribute this software for any
|
|
.\"purpose with or without fee is hereby granted, provided that the above
|
|
.\"copyright notice and this permission notice appear in all copies.
|
|
.\"
|
|
.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
.\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
.\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
.Dd $Mdocdate: December 5 2016 $
|
|
.Dt DOAS.CONF 5
|
|
.Os
|
|
.Sh NAME
|
|
.Nm doas.conf
|
|
.Nd doas configuration file
|
|
.Sh SYNOPSIS
|
|
.Nm /usr/local/etc/doas.conf
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Xr doas 1
|
|
utility executes commands as other users according to the rules
|
|
in the
|
|
.Nm
|
|
configuration file.
|
|
.Pp
|
|
The rules have the following format:
|
|
.Bd -ragged -offset indent
|
|
.Ic permit Ns | Ns Ic deny
|
|
.Op Ar options
|
|
.Ar identity
|
|
.Op Ic as Ar target
|
|
.Op Ic cmd Ar command Op Ic args No ...
|
|
.Ed
|
|
.Pp
|
|
Rules consist of the following parts:
|
|
.Bl -tag -width 11n
|
|
.It Ic permit Ns | Ns Ic deny
|
|
The action to be taken if this rule matches.
|
|
.It Ar options
|
|
Options are:
|
|
.Bl -tag -width keepenv
|
|
.It Ic nopass
|
|
The user is not required to enter a password.
|
|
.It Ic persist
|
|
After the user successfully authenticates, do not ask for a password
|
|
again for some time. Works on OpenBSD only, persist is not available on Linux or FreeBSD.
|
|
.It Ic keepenv
|
|
The user's environment is maintained.
|
|
The default is to reset the environment, except for the variables
|
|
.Ev DISPLAY ,
|
|
.Ev HOME ,
|
|
.Ev LOGNAME ,
|
|
.Ev MAIL ,
|
|
.Ev PATH ,
|
|
.Ev TERM ,
|
|
.Ev USER
|
|
and
|
|
.Ev USERNAME .
|
|
.It Ic setenv { Oo Ar variable ... Oc Oo Ar variable=value ... Oc Ic }
|
|
In addition to the variables mentioned above, keep the space-separated
|
|
specified variables.
|
|
Variables may also be removed with a leading
|
|
.Sq -
|
|
or set using the latter syntax.
|
|
If the first character of
|
|
.Ar value
|
|
is a
|
|
.Ql $
|
|
then the value to be set is taken from the existing environment
|
|
variable of the same name.
|
|
.El
|
|
.It Ar identity
|
|
The username to match.
|
|
Groups may be specified by prepending a colon
|
|
.Pq Sq \&: .
|
|
Numeric IDs are also accepted.
|
|
.It Ic as Ar target
|
|
The target user the running user is allowed to run the command as.
|
|
The default is all users.
|
|
.It Ic cmd Ar command
|
|
The command the user is allowed or denied to run.
|
|
The default is all commands.
|
|
Be advised that it is best to specify absolute paths.
|
|
If a relative path is specified, only a restricted
|
|
.Ev PATH
|
|
will be searched.
|
|
.It Ic args Op Ar argument ...
|
|
Arguments to command.
|
|
The command arguments provided by the user need to match those specified.
|
|
The keyword
|
|
.Ic args
|
|
alone means that command must be run without any arguments.
|
|
.El
|
|
.Pp
|
|
The last matching rule determines the action taken.
|
|
If no rule matches, the action is denied.
|
|
.Pp
|
|
Comments can be put anywhere in the file using a hash mark
|
|
.Pq Sq # ,
|
|
and extend to the end of the current line.
|
|
.Pp
|
|
The following quoting rules apply:
|
|
.Bl -dash
|
|
.It
|
|
The text between a pair of double quotes
|
|
.Pq Sq \&"
|
|
is taken as is.
|
|
.It
|
|
The backslash character
|
|
.Pq Sq \e
|
|
escapes the next character, including new line characters, outside comments;
|
|
as a result, comments may not be extended over multiple lines.
|
|
.It
|
|
If quotes or backslashes are used in a word,
|
|
it is not considered a keyword.
|
|
.El
|
|
.Sh EXAMPLES
|
|
The following example permits users in group wsrc to build ports;
|
|
wheel to execute commands as any user while keeping the environment
|
|
variables
|
|
.Ev PS1
|
|
and
|
|
.Ev SSH_AUTH_SOCK
|
|
and
|
|
unsetting
|
|
.Ev ENV ;
|
|
permits tedu to run procmap as root without a password;
|
|
and additionally permits root to run unrestricted commands as itself.
|
|
.Bd -literal -offset indent
|
|
# Non-exhaustive list of variables needed to
|
|
# build release(8) and ports(7)
|
|
permit nopass setenv { \e
|
|
FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \e
|
|
DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \e
|
|
MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \e
|
|
PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \e
|
|
SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
|
|
permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
|
|
permit nopass tedu as root cmd /usr/sbin/procmap
|
|
permit nopass keepenv root as root
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr doas 1
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
configuration file first appeared in
|
|
.Ox 5.8 .
|
|
.Sh AUTHORS
|
|
.An Ted Unangst Aq Mt tedu@openbsd.org
|