Annotation of src/usr.bin/doas/doas.conf.5, Revision 1.1
1.1 ! tedu 1: .\" $OpenBSD$
! 2: .\"
! 3: .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
! 4: .\"
! 5: .\"Permission to use, copy, modify, and distribute this software for any
! 6: .\"purpose with or without fee is hereby granted, provided that the above
! 7: .\"copyright notice and this permission notice appear in all copies.
! 8: .\"
! 9: .\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
! 10: .\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
! 11: .\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
! 12: .\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
! 13: .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
! 14: .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
! 15: .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
! 16: .Dd $Mdocdate$
! 17: .Dt DOAS.CONF 5
! 18: .Os
! 19: .Sh NAME
! 20: .Nm doas.conf
! 21: .Nd doas configuration file
! 22: .Sh DESCRIPTION
! 23: The
! 24: .Xr doas 1
! 25: utility executes commands as other users according to the rules
! 26: in the
! 27: .Nm
! 28: configuration file.
! 29: .Pp
! 30: The rules have the following format:
! 31: .Bd -literal -offset indent
! 32: permit|deny [options] [identity] [as target] [cmd command]
! 33: .Ed
! 34: .Pp
! 35: Rules consist of the following parts:
! 36: .Bl -tag -width tenletters
! 37: .It permit|deny
! 38: The action to be taken if this rule matches.
! 39: .It options
! 40: Options are:
! 41: .Bl -tag -width tenletters
! 42: .It nopass
! 43: The user is not required to enter a password.
! 44: .It keepenv
! 45: The user's environment is maintained.
! 46: The default is to reset the environment.
! 47: .It keepenv { [variable names] }
! 48: Reset the environment, but keep the specified variables.
! 49: .El
! 50: .It identity
! 51: The username to match.
! 52: Groups may be specified by prepending a colon (:).
! 53: Numeric IDs are also accepted.
! 54: .It as target
! 55: The target user the running user is allowed to run the command as.
! 56: The default is root.
! 57: .It cmd command
! 58: The command the user is allowed or denied to run.
! 59: The default is all commands.
! 60: Be advised that it's best to specify absolute paths.
! 61: .El
! 62: .Pp
! 63: The last matching rule determines the action taken.
! 64: .Sh EXAMPLES
! 65: The following example permits users in group wheel to execute commands as root,
! 66: and additionally permits tedu to run procmap as root without a password.
! 67: .Bd -literal -offset indent
! 68: permit :wheel
! 69: permit nopass tedu cmd /usr/sbin/procmap
! 70: .Ed
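
The matching semantics described above, as an added Python sketch for auditing rule order; it is not doas's own parser and not part of the annotated file. It assumes that a rule without an identity matches any user and that no matching rule means deny (the page states neither), applies the "default is root" wording literally, and does not handle numeric IDs. The `DENY_LAST` and `DENY_FIRST` configurations are constructed samples.

```python
import shlex

def parse_rule(line):
    """Parse: permit|deny [options] [identity] [as target] [cmd command]."""
    tok = shlex.split(line)
    rule = {"action": tok.pop(0), "nopass": False, "keepenv": None,
            "identity": None, "target": "root", "cmd": None}
    if rule["action"] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny")
    while tok and tok[0] in ("nopass", "keepenv"):
        opt = tok.pop(0)
        if opt == "nopass":
            rule["nopass"] = True
        elif tok[:1] == ["{"]:               # keepenv { VAR ... }
            end = tok.index("}")
            rule["keepenv"], tok = tok[1:end], tok[end + 1:]
        else:                                # bare keepenv keeps everything
            rule["keepenv"] = "all"
    if tok and tok[0] not in ("as", "cmd"):
        rule["identity"] = tok.pop(0)
    for key, field in (("as", "target"), ("cmd", "cmd")):
        if tok[:1] == [key] and len(tok) > 1:
            rule[field], tok = tok[1], tok[2:]
    if tok:
        raise ValueError("trailing tokens: %r" % tok)
    return rule

def matches(rule, user, groups, target, cmd):
    ident = rule["identity"]
    if ident is not None:                    # assumption: no identity = any user
        ok = ident[1:] in groups if ident.startswith(":") else ident == user
        if not ok:
            return False
    if rule["target"] != target:
        return False
    return rule["cmd"] is None or rule["cmd"] == cmd

def decide(conf, user, groups, cmd, target="root"):
    """Return (action, nopass) of the LAST matching rule; deny if none match."""
    result = ("deny", False)                 # assumption: no match means deny
    for line in filter(None, map(str.strip, conf.splitlines())):
        rule = parse_rule(line)
        if matches(rule, user, groups, target, cmd):
            result = (rule["action"], rule["nopass"])
    return result

PAGE_EXAMPLE = "permit :wheel\npermit nopass tedu cmd /usr/sbin/procmap\n"
# Constructed samples: the same two rules in either order give opposite results.
DENY_LAST = "permit :wheel\ndeny tedu cmd /sbin/reboot\n"
DENY_FIRST = "deny tedu cmd /sbin/reboot\npermit :wheel\n"
```

With `DENY_FIRST`, the broad `permit :wheel` that follows the `deny` matches last and re-permits the command, so narrow deny rules belong after the broad permits they are meant to restrict.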