Annotation of src/usr.bin/doas/doas.conf.5, Revision 1.2
1.2 ! nicm 1: .\" $OpenBSD: doas.conf.5,v 1.1 2015/07/16 20:44:21 tedu Exp $
1.1 tedu 2: .\"
3: .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
4: .\"
5: .\"Permission to use, copy, modify, and distribute this software for any
6: .\"purpose with or without fee is hereby granted, provided that the above
7: .\"copyright notice and this permission notice appear in all copies.
8: .\"
9: .\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: .\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: .\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: .\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1.2 ! nicm 16: .Dd $Mdocdate: July 16 2015 $
1.1 tedu 17: .Dt DOAS.CONF 5
18: .Os
19: .Sh NAME
20: .Nm doas.conf
21: .Nd doas configuration file
22: .Sh DESCRIPTION
23: The
24: .Xr doas 1
25: utility executes commands as other users according to the rules
26: in the
27: .Nm
28: configuration file.
29: .Pp
30: The rules have the following format:
31: .Bd -literal -offset indent
32: permit|deny [options] [identity] [as target] [cmd command]
33: .Ed
34: .Pp
35: Rules consist of the following parts:
36: .Bl -tag -width tenletters
37: .It permit|deny
38: The action to be taken if this rule matches.
39: .It options
40: Options are:
41: .Bl -tag -width tenletters
42: .It nopass
43: The user is not required to enter a password.
44: .It keepenv
45: The user's environment is maintained.
46: The default is to reset the environment.
47: .It keepenv { [variable names] }
48: Reset the environment, but keep the specified variables.
49: .El
50: .It identity
51: The username to match.
52: Groups may be specified by prepending a colon (:).
53: Numeric IDs are also accepted.
54: .It as target
55: The target user the running user is allowed to run the command as.
56: The default is root.
57: .It cmd command
58: The command the user is allowed or denied to run.
59: The default is all commands.
60: Be advised that it's best to specify absolute paths.
61: .El
62: .Pp
63: The last matching rule determines the action taken.
64: .Sh EXAMPLES
1.2 ! nicm 65: The following example permits users in group wheel to execute commands as root,
1.1 tedu 66: and additionally permits tedu to run procmap as root without a password.
67: .Bd -literal -offset indent
68: permit :wheel
69: permit nopass tedu cmd /usr/sbin/procmap
70: .Ed
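
The rule format and the "last matching rule" semantics described above, modelled in Python as an added example (not code from doas or from OpenBSD). It follows the page text only: one-word commands, a target that defaults to root, and no numeric ID handling. The names Rule, parse_rule, matches and evaluate are hypothetical, as is the third line of CONF, which is constructed to show rule ordering.

```python
# Added illustration: a simplified model of the rule grammar on this page.
from dataclasses import dataclass

@dataclass
class Rule:
    action: str
    nopass: bool = False
    keepenv: object = None   # None = reset, True = keep all, list = keep these
    identity: str = None     # None = the rule names no identity
    target: str = "root"     # "The default is root."
    cmd: str = None          # None = all commands

def parse_rule(line):
    words = line.split()
    tok = words + [None, None]                # padding so lookahead never overruns
    if tok[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny: %r" % line)
    r, i = Rule(tok[0]), 1
    while tok[i] in ("nopass", "keepenv"):
        if tok[i] == "nopass":
            r.nopass, i = True, i + 1
        elif tok[i + 1] == "{":
            end = tok.index("}", i)           # ValueError if the brace is unclosed
            r.keepenv, i = tok[i + 2:end], end + 1
        else:
            r.keepenv, i = True, i + 1
    if tok[i] not in ("as", "cmd", None):
        r.identity, i = tok[i], i + 1
    if tok[i] == "as":
        r.target, i = tok[i + 1], i + 2
    if tok[i] == "cmd":
        r.cmd, i = tok[i + 1], i + 2
    if i != len(words):                       # trailing junk or a missing argument
        raise ValueError("malformed rule: %r" % line)
    return r

def matches(r, user, groups, target, cmd):
    if r.identity is not None:
        is_group = r.identity.startswith(":")
        if not (r.identity[1:] in groups if is_group else r.identity == user):
            return False
    return r.target == target and r.cmd in (None, cmd)

def evaluate(conf, user, groups, cmd, target="root"):
    last = None
    for line in filter(None, map(str.strip, conf.splitlines())):
        rule = parse_rule(line)
        if matches(rule, user, groups, target, cmd):
            last = rule                       # later matches override earlier ones
    return (last.action, last.nopass) if last else ("deny", False)

CONF = "permit :wheel\npermit nopass tedu cmd /usr/sbin/procmap\ndeny tedu cmd /sbin/reboot\n"
```

Because the command is compared as an exact string, a rule written with /usr/sbin/procmap does not match a request for plain procmap, which is the practical reason for the absolute-path advice above.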