Using doas as an Alternative to sudo on OpenBSD

On OpenBSD, doas is the stock substitute for sudo. It does not mirror sudo's behaviour or syntax, and it does nothing until a small configuration file has been written. The name stands for "dedicated openbsd application subexecutor". Introduced with OpenBSD 5.8 in 2015, doas was written by Ted Unangst out of frustration with sudo's complexity and default settings.

Designed for simplicity, doas lacks complex functionalities often used in extensive system administration setups. Still, it sufficiently meets the needs of most users. If you still prefer sudo, refer to the guide titled Create a Sudo User on OpenBSD.

Installation Details

Systems running OpenBSD 5.8 or later come with doas already installed, requiring no additional setup steps.

Basic Configuration

To enable members of the wheel group to use doas, create or edit /etc/doas.conf. Root privileges are necessary to edit this file, and a single permit rule naming the group is enough (group names are written with a leading colon, as :wheel).

Such a rule allows all users in the wheel group to execute commands as any user; doas asks for the caller's own password on each invocation.

If you'd like these users to authenticate once and keep access for a while in the same terminal, add the persist option between permit and the group name.

Alternatively, to allow access without any password prompt, use the nopass option instead.
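The three forms of the wheel rule described above, as an added example of what /etc/doas.conf would contain (this is illustrative text for this page, not a file shipped with OpenBSD). Only one of the three lines should be present; if several are, doas applies the last matching rule, so the nopass line would win here:

```text
# Variant 1: wheel members may run any command as any user; a password is
# requested every time
permit :wheel

# Variant 2: as above, but after one successful password doas stays unlocked
# for a few minutes in that terminal session
permit persist :wheel

# Variant 3: as above, but no password is ever requested
permit nopass :wheel
```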

Granting Privileges to a Specific User

To assign administrative privileges to a user named mynewuser, you can either add them to the wheel group using the following command:

usermod -G wheel mynewuser

Or directly modify /etc/doas.conf as follows:

permit nopass :wheel
permit nopass mynewuser

This configuration ensures that no password is required. To limit mynewuser so they can only execute commands as www user, update the configuration accordingly:

permit nopass :wheel
permit nopass mynewuser as www

To go further and allow mynewuser to run only vim as www, add a cmd clause:

permit nopass :wheel
permit nopass mynewuser as www cmd vim

Without an args clause the command may be given any arguments. Treat this as a convenience restriction rather than a hard security boundary: vim can run arbitrary commands from inside the editor (for example :!sh), so the user effectively gets anything the www account can do.

Additional options exist (nolog, keepenv, setenv and args among them), but those outlined above are the most frequently used. For the full syntax, consult the doas.conf(5) manual page with man doas.conf; the doas(1) page documents the command-line options.


Validating doas Configuration Files

Before relying on a new configuration, check it with doas -C /etc/doas.conf. A syntax error makes doas reject every request, so validate the file while you still have a root shell open rather than after logging out. Appending a command, such as doas -C /etc/doas.conf vim, reports whether the calling user would be allowed to run that command without actually running it: doas prints permit, permit nopass or deny. Add -u www (or another target) to check a rule that uses an as clause.

Practical Usage Examples

A regular user can run echo "test" as root by prefixing the command with doas. The password prompt asks for the user's own password, not root's.

If a user is allowed to become the www user, they can run vim /var/www/http/index.html as www with the -u option:

doas -u www vim /var/www/http/index.html

This is particularly helpful for users managing web content without needing full superuser rights.

Recommended Security Practices

Write rules as permit allowlists rather than deny lists. A deny rule matches the command name exactly as typed, so blocking rm does nothing against /bin/rm, a copy of the binary in the user's home directory, or a shell started from inside an editor; the restriction is trivially bypassed. Grant the specific commands (and, with args, the specific arguments) a user needs, and let doas's default behaviour, which denies anything no rule matches, handle the rest.
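The rule-matching behaviour behind the configurations on this page (the wheel rules under Basic Configuration, the mynewuser rules under Granting Privileges to a Specific User, and the permit-versus-deny advice just given) is easiest to see by running a small evaluator. The following is an added example written for this page, not doas's own code: it parses a constructed doas.conf, applies the last-matching-rule logic that doas uses, and reports what doas -C would print for a given user and command. The users alice and bob, their group memberships and the sample rules are made up for the demonstration.

```python
"""Toy evaluator for doas.conf(5) rule semantics (added example, not doas code).

It models the parts of doas's matching that matter when writing rules:
rules are scanned in order and the LAST matching rule decides; a group
identity is written ':group'; 'as' and 'cmd' narrow the match; and 'cmd'
is compared against the command name exactly as the caller typed it, so a
deny on 'rm' says nothing about '/bin/rm'.
"""
import shlex

OPTIONS = {"nopass", "nolog", "persist", "keepenv", "setenv"}

# Constructed sample configuration for the demonstration.
SAMPLE_CONF = """\
permit persist :wheel
permit nopass setenv { -VISUAL EDITOR=vim } mynewuser as www cmd vim
deny :wheel cmd rm
"""


def parse_rules(text):
    """Parse doas.conf-style text into a list of rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        toks = shlex.split(line)
        action = toks.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {raw!r}")
        rule = {"action": action, "options": set(), "setenv": [],
                "identity": None, "target": None, "cmd": None, "args": None}
        while toks and toks[0] in OPTIONS:       # options precede the identity
            opt = toks.pop(0)
            if opt == "setenv":
                if toks.pop(0) != "{":
                    raise ValueError(f"setenv needs a {{ ... }} list: {raw!r}")
                while toks and toks[0] != "}":
                    rule["setenv"].append(toks.pop(0))
                if not toks:
                    raise ValueError(f"unterminated setenv list: {raw!r}")
                toks.pop(0)
            else:
                rule["options"].add(opt)
        rule["identity"] = toks.pop(0)           # 'user' or ':group'
        if toks and toks[0] == "as":
            toks.pop(0)
            rule["target"] = toks.pop(0)
        if toks and toks[0] == "cmd":
            toks.pop(0)
            rule["cmd"] = toks.pop(0)
            if toks and toks[0] == "args":       # 'args' with nothing after it
                toks.pop(0)                      # means "no arguments allowed"
                rule["args"], toks = toks, []
        if toks:
            raise ValueError(f"trailing tokens in rule: {raw!r}")
        rules.append(rule)
    return rules


def evaluate(rules, user, groups, target="root", cmd=None, args=()):
    """Return what 'doas -C' would print: 'permit', 'permit nopass' or 'deny'."""
    decision = None
    for rule in rules:
        ident = rule["identity"]
        if ident.startswith(":"):
            if ident[1:] not in groups:
                continue
        elif ident != user:
            continue
        if rule["target"] is not None and rule["target"] != target:
            continue
        if rule["cmd"] is not None:
            if rule["cmd"] != cmd:               # exact string, not a resolved path
                continue
            if rule["args"] is not None and rule["args"] != list(args):
                continue
        decision = rule                          # keep scanning: last match wins
    if decision is None or decision["action"] == "deny":
        return "deny"
    return "permit nopass" if "nopass" in decision["options"] else "permit"


RULES = parse_rules(SAMPLE_CONF)


def check(user, groups, target="root", cmd=None, args=()):
    """Evaluate a query against the sample rules."""
    return evaluate(RULES, user, groups, target, cmd, args)


if __name__ == "__main__":
    queries = [
        ("alice", {"wheel"}, "root", "reboot"),
        ("alice", {"wheel"}, "root", "rm", ("-rf", "/tmp/x")),
        ("alice", {"wheel"}, "root", "/bin/rm", ("-rf", "/tmp/x")),
        ("mynewuser", set(), "www", "vim", ("/var/www/http/index.html",)),
        ("mynewuser", set(), "root", "vim"),
        ("bob", set(), "root", "ls"),
    ]
    for q in queries:
        print(q, "->", check(*q))
```

Running it shows the point of the advice above: the deny :wheel cmd rm rule stops doas rm but not doas /bin/rm, because the decision is made on the command name as typed, and only afterwards does the real doas look the command up in PATH to execute it. The mynewuser rule, by contrast, permits exactly one command for one target and denies everything else by falling through to the default.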

In most scenarios, doas is a safer alternative to su, as it doesn’t involve sharing the root password. It prevents situations where someone changes or forgets the root password, potentially locking everyone out. Each user uses their own credentials, and all activity is logged in /var/log/secure.

Helpful Tips and Techniques

If you prefer to keep your current environment variables, such as your editor, when running a command through doas, use the keepenv option. Here is an example configuration for mynewuser:

permit nopass keepenv mynewuser

Passing the caller's entire environment into a privileged process is rarely what you want, since every variable the caller controls then reaches the command running as root. You can instead retain only named variables with setenv; the example below keeps just VISUAL and EDITOR:

permit nopass setenv { VISUAL EDITOR } mynewuser

You can also use setenv to delete variables or assign specific values. To remove VISUAL and set EDITOR to vim, apply this configuration:

permit nopass setenv { -VISUAL EDITOR=vim } mynewuser

If doas has cached your authorization through persist and you want to clear that state, run doas -L, which drops any persisted authorizations from previous invocations.

Conclusion

doas provides a minimalistic yet effective way to perform privileged tasks on OpenBSD without the complexities of traditional tools like sudo. It emphasizes security, simplicity, and flexibility through configurable permissions. With proper use of directives like permit, keepenv, and setenv, system administrators can craft tailored access rules that maintain system integrity and reduce risk. Its streamlined design and logging capabilities make it a practical choice for most administrative tasks on OpenBSD.

Source: vultr.com
