doas

From ArchWiki

OpenDoas is a portable fork of OpenBSD's doas command. It is substantially smaller than sudo, which also means a much smaller privileged code base to audit. Like sudo, doas is used to run commands with the identity of another user on the system.

Installation

Install the opendoas package.

Usage

To begin using doas as a non-privileged user, it must be properly configured. See #Configuration.

To use doas, simply prefix a command and its arguments with doas and a space:

$ doas cmd

For example, to use pacman:

$ doas pacman -Syu

To get an interactive shell as another user (omitting -u user defaults to root):

$ doas -s -u user

Logging in as another user is needed for some commands, see Sudo#Login shell.

For more information, see doas(1).

Configuration

The opendoas package is built with PAM support, but no default configuration file or example is installed; doas does nothing until /etc/doas.conf exists.

To allow members of group wheel to run commands as other users, create a configuration file with the following content:

/etc/doas.conf
permit setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin} :wheel

Note:
  • The configuration file must end with a newline.
  • The setenv option works around doas's BSD origin: doas replaces PATH with a fixed safe default in which /usr/local/bin comes last, because on BSD that directory holds additional packages. On Linux /usr/local/bin is used for locally installed executables that are meant to override package-provided ones, so it must come before /usr/bin, which holds the executables from packages.

The owner and group of /etc/doas.conf should both be root (uid and gid 0) and the permissions should be 0400:

# chown -c root:root /etc/doas.conf
# chmod -c 0400 /etc/doas.conf

To check /etc/doas.conf for syntax errors, run (as root, since the file is only readable by root):

# if doas -C /etc/doas.conf; then echo "config ok"; else echo "config error"; fi

Warning: It is imperative that /etc/doas.conf is free of syntax errors. doas refuses to run anything while its configuration does not parse, so if doas is your only way to become root, keep a root shell open until the new configuration has been checked.

To allow members of the plugdev group to run smartctl as root without a password:

/etc/doas.conf
permit nopass :plugdev as root cmd /usr/bin/smartctl

The general syntax form of /etc/doas.conf is:

permit|deny [options] identity [as target] [cmd command [args ...]]

The last matching rule determines the action taken, so rules must be ordered accordingly: a broad permit placed after a specific deny silently cancels that deny.

For more details please read doas.conf(5).
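The checks above (trailing newline, syntax check, ownership and mode) are easy to get wrong by hand, and a broken file cannot be fixed with doas itself. The following script stages a candidate configuration, validates it, and only then installs it with the required mode. It is an added example, not part of the opendoas package or the ArchWiki page; the function names are the example's own, and it assumes GNU coreutils (stat -c, install -m) and that doas is on PATH for the syntax check.

```shell
#!/bin/sh
# Added example (not from opendoas): stage, verify and install a doas.conf.
# Assumes GNU coreutils (stat -c, install -m) and doas on PATH for "doas -C".
set -u

# doas.conf must end with a newline. $(...) strips trailing newlines, so the
# substitution is empty exactly when the last byte is '\n'; -s rejects empty files.
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# 0 if FILE has mode 0400, 1 otherwise.
mode_ok() {
    [ "$(stat -c %a "$1")" = "400" ]
}

# Check a candidate config: trailing newline first, then doas's own parser.
# Fails closed (status 2) if doas is unavailable rather than pretending the
# file is fine. doas -C drops privileges to the calling user before reading
# the file, so the candidate must be readable by you; the installed
# /etc/doas.conf (0400 root) can only be checked as root.
check_doas_conf() {
    if ! ends_with_newline "$1"; then
        echo "$1: must end with a newline" >&2
        return 1
    fi
    if ! command -v doas >/dev/null 2>&1; then
        echo "$1: doas not found, refusing to accept an unchecked config" >&2
        return 2
    fi
    doas -C "$1"
}

# Ask doas what it would decide for the *current* user running CMD under
# this config: prints permit, permit nopass or deny (exit status 0/1).
# Run it as the user whose access you want to test.
would_permit() {
    conf=$1; shift
    doas -C "$conf" "$@"
}

# Install SRC to DEST (default /etc/doas.conf) with mode 0400 and, when
# running as root, owner root:root, but only after check_doas_conf passes.
install_doas_conf() {
    src=$1; dest=${2:-/etc/doas.conf}
    check_doas_conf "$src" || return $?
    if [ "$(id -u)" -eq 0 ]; then
        install -o root -g root -m 0400 "$src" "$dest"
    else
        install -m 0400 "$src" "$dest"
    fi
}

# Example flow: write the wheel rule from this page to a staging file, show
# the decision for "pacman -Syu", then install. Runs only when given a
# destination, e.g.:  # sh doas-conf-install.sh /etc/doas.conf
main() {
    staging=$(mktemp) || exit 1
    cat > "$staging" <<'EOF'
permit persist setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin} :wheel
EOF
    check_doas_conf "$staging" || exit 1
    would_permit "$staging" pacman -Syu
    install_doas_conf "$staging" "$1" && rm -f "$staging"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because doas -C evaluates rules for the invoking user, run would_permit as a member of the group you are testing (or a non-member, to confirm a deny) rather than as root, and do so against the readable staging copy rather than the installed 0400 file.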

Tips and tricks

doas persist feature

doas provides a persist feature: after the user successfully authenticates, they will not be prompted for a password again for 5 minutes. It is disabled by default, enable it with the persist option:

/etc/doas.conf
permit persist setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin} :wheel

Executing doas -L clears a persisted authentication prior to its automatic timeout.

Note: The persist feature is disabled by default, because it is potentially dangerous. In the original doas, a kernel API is used to set and clear timeouts. This API is OpenBSD specific and no similar API is available on other operating systems. As a workaround, the persist feature is implemented using timestamp files similar to sudo.

Smooth transition from sudo to doas

For a smooth transition from sudo to doas, and to keep scripts and habits that call sudo working, you can add to your shell environment:

alias sudo='doas'
alias sudoedit='doas rnano'

Alternatively, symlink doas to where sudo would normally be. This does not provide a sudoedit command, and the symlink conflicts with the sudo package if that is installed later, since pacman will refuse to overwrite /usr/bin/sudo:

# ln -s $(which doas) /usr/bin/sudo

Another way is to install doas-sudo-shimAUR, which emulates a couple of sudo's options.

Note: By default sudo preserves some environment variables while doas does not, most notably XAUTHORITY, LANG and LC_ALL. This means you will not be able to start graphical applications under X, nor use the user's locale, without further configuration. For instance, to allow members of the wheel group to run graphical applications and to use their locale, retain those variables with the setenv option:

/etc/doas.conf
permit setenv { XAUTHORITY LANG LC_ALL } :wheel

Bash tab completion

By default Bash will only tab complete files and directories in the current or referenced directory. To tell Bash to complete the arguments of doas as if they were a separate command (reusing the completion settings of that command), add the following to either the user's ~/.bashrc or the global /etc/bash.bashrc:

~/.bashrc
complete -cf doas

If bash-completion is installed, the following can be used instead to allow for additional completion of the target command:

~/.bashrc
complete -F _command doas