
Annotation of src/usr.bin/doas/doas.conf.5, Revision 1.29

1.29    ! jmc         1: .\" $OpenBSD: doas.conf.5,v 1.28 2016/06/27 15:47:38 tedu Exp $
1.1       tedu        2: .\"
                      3: .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
                      4: .\"
                      5: .\"Permission to use, copy, modify, and distribute this software for any
                      6: .\"purpose with or without fee is hereby granted, provided that the above
                      7: .\"copyright notice and this permission notice appear in all copies.
                      8: .\"
                      9: .\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
                     10: .\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
                     11: .\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
                     12: .\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
                     13: .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
                     14: .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
                     15: .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1.28      tedu       16: .Dd $Mdocdate: June 27 2016 $
1.1       tedu       17: .Dt DOAS.CONF 5
                     18: .Os
                     19: .Sh NAME
                     20: .Nm doas.conf
                     21: .Nd doas configuration file
1.17      tedu       22: .Sh SYNOPSIS
                     23: .Nm /etc/doas.conf
1.1       tedu       24: .Sh DESCRIPTION
                     25: The
                     26: .Xr doas 1
                     27: utility executes commands as other users according to the rules
1.18      jmc        28: in the
                     29: .Nm
1.1       tedu       30: configuration file.
                     31: .Pp
                     32: The rules have the following format:
1.3       schwarze   33: .Bd -ragged -offset indent
                     34: .Ic permit Ns | Ns Ic deny
                     35: .Op Ar options
1.4       bentley    36: .Ar identity
1.3       schwarze   37: .Op Ic as Ar target
1.9       jmc        38: .Op Ic cmd Ar command Op Ic args ...
1.1       tedu       39: .Ed
                     40: .Pp
                     41: Rules consist of the following parts:
1.3       schwarze   42: .Bl -tag -width 11n
                     43: .It Ic permit Ns | Ns Ic deny
1.1       tedu       44: The action to be taken if this rule matches.
1.3       schwarze   45: .It Ar options
1.1       tedu       46: Options are:
1.3       schwarze   47: .Bl -tag -width keepenv
                     48: .It Ic nopass
1.1       tedu       49: The user is not required to enter a password.
1.3       schwarze   50: .It Ic keepenv
1.1       tedu       51: The user's environment is maintained.
1.5       benno      52: The default is to reset the environment, except for the variables
                     53: .Ev DISPLAY ,
                     54: .Ev HOME ,
                     55: .Ev LOGNAME ,
                     56: .Ev MAIL ,
                     57: .Ev PATH ,
                     58: .Ev TERM ,
                     59: .Ev USER
                     60: and
                     61: .Ev USERNAME .
1.29    ! jmc        62: .It Ic setenv { Oo Ar variable ... Oc Oo Ar variable=value ... Oc Ic }
1.12      jmc        63: In addition to the variables mentioned above, keep the specified
                     64: space-separated variables.
1.29    ! jmc        65: Variables may also be removed with a leading
        !            66: .Sq -
        !            67: or set using the latter syntax.
1.27      tedu       68: If the first character of
                     69: .Ar value
                     70: is a
                     71: .Ql $
                     72: then the value to be set is taken from the existing environment
                     73: variable of the same name.
1.1       tedu       74: .El
1.3       schwarze   75: .It Ar identity
1.1       tedu       76: The username to match.
1.12      jmc        77: Groups may be specified by prepending a colon
                     78: .Pq Sq \&: .
1.1       tedu       79: Numeric IDs are also accepted.
1.3       schwarze   80: .It Ic as Ar target
1.1       tedu       81: The target user the running user is allowed to run the command as.
1.13      tedu       82: The default is all users.
1.3       schwarze   83: .It Ic cmd Ar command
1.1       tedu       84: The command the user is allowed or denied to run.
                     85: The default is all commands.
1.23      tedu       86: Be advised that it is best to specify absolute paths.
1.25      tedu       87: If a relative path is specified, only a restricted
1.16      tedu       88: .Ev PATH
                     89: will be searched.
1.9       jmc        90: .It Ic args ...
1.8       zhuk       91: Arguments to the command.
1.26      tedu       92: The command arguments provided by the user need to match those specified.
1.25      tedu       93: The keyword
1.8       zhuk       94: .Ic args
1.25      tedu       95: alone means that the command must be run without any arguments.
1.1       tedu       96: .El
                     97: .Pp
                     98: The last matching rule determines the action taken.
1.24      tedu       99: If no rule matches, the action is denied.
1.5       benno     100: .Pp
                    101: Comments can be put anywhere in the file using a hash mark
                    102: .Pq Sq # ,
                    103: and extend to the end of the current line.
1.10      zhuk      104: .Pp
                    105: The following quoting rules apply:
                    106: .Bl -dash
                    107: .It
                    108: The text between a pair of double quotes
                    109: .Pq Sq \&"
                    110: is taken as is.
                    111: .It
1.11      jmc       112: The backslash character
1.10      zhuk      113: .Pq Sq \e
1.11      jmc       114: escapes the next character, including new line characters, outside comments;
1.10      zhuk      115: as a result, comments may not be extended over multiple lines.
                    116: .It
1.11      jmc       117: If quotes or backslashes are used in a word,
1.23      tedu      118: it is not considered a keyword.
1.10      zhuk      119: .El
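The matching semantics stated above (the last matching rule decides, no match means deny) and the quoting rules, worked through in a small Python model. This is an added example, not code from OpenBSD's doas(1) or from this manual: the functions tokenize, parse, matches and evaluate, the rule-dict layout, the users alice, bob, carol and dave, and the SAMPLE_CONF and SAMPLE_GROUPS tables are this example's own constructions. It implements the lexer generally (quoted and escaped text anywhere in a word, comments, continuation lines), but leaves out numeric IDs, the restricted PATH search and what doas actually does with the environment.

```python
"""Toy doas.conf(5) parser and rule matcher: an added example, not OpenBSD's doas(1)
source.  It models the manual's quoting rules and its "last matching rule wins,
otherwise deny" semantics; numeric IDs, PATH lookup and environment handling are left out."""
import re
from itertools import takewhile
KEYWORDS = {"permit", "deny", "nopass", "keepenv", "setenv", "as", "cmd", "args"}
# Lexical elements in order; the final (.) catches a lone '"' or a trailing '\' as an error.
LEX = re.compile(r'"([^"]*)"|\\(.)|#[^\n]*|(\n)|[ \t]+|([{}])|([^"\\#{}\s]+)|(.)', re.S)

def tokenize(text):
    """Split text into rules (one per line), each a list of (word, is_keyword)."""
    rules, line, word, nonkw = [], [], None, False
    def end_word():
        nonlocal word, nonkw
        if word is not None:
            line.append((word, word in KEYWORDS and not nonkw))
        word, nonkw = None, False

    for m in LEX.finditer(text):
        quoted, esc, newline, brace, plain, bad = m.groups()
        if bad:
            raise ValueError(f"bad syntax at offset {m.start()}: {bad!r}")
        piece = next((p for p in (quoted, esc, plain) if p is not None), None)
        if esc == "\n":                          # escaped newline: word ends, rule goes on
            end_word()
        elif piece is not None:                  # quoted, escaped or plain text joins the word
            word = (word or "") + piece
            nonkw = nonkw or plain is None       # quoted/escaped words are never keywords
        else:                                    # blank, comment, brace or newline ends it
            end_word()
            if brace:
                line.append((brace, True))
            elif newline and line:
                rules.append(line)
                line = []
    end_word()
    if line:
        rules.append(line)
    return rules

def parse(text):
    """Build one rule dict per line; malformed rules raise ValueError."""
    rules = []
    for toks in tokenize(text):
        it = iter(toks)
        nxt = lambda: next(it, (None, False))    # (word, is_keyword); None at end of rule
        t, kw = nxt()
        if not kw or t not in ("permit", "deny"):
            raise ValueError(f"rule must start with permit or deny, not {t!r}")
        rule = {"action": t, "nopass": False, "keepenv": False, "setenv": [],
                "identity": None, "target": None, "cmd": None, "args": None}
        t, kw = nxt()
        while kw and t in ("nopass", "keepenv", "setenv"):
            if t == "setenv":                    # setenv { variable ... }: words up to '}'
                if nxt() != ("{", True):
                    raise ValueError("setenv needs '{'")
                rule["setenv"] += [w for w, _ in takewhile(lambda tk: tk != ("}", True), it)]
            else:
                rule[t] = True
            t, kw = nxt()
        if t is None:                            # also reached when setenv lacks its '}'
            raise ValueError("rule has no identity")
        rule["identity"] = t
        t, kw = nxt()
        for key, name in (("target", "as"), ("cmd", "cmd")):   # optional 'as' and 'cmd'
            if kw and t == name:
                rule[key], (t, kw) = nxt()[0], nxt()
        if kw and t == "args" and rule["cmd"] is not None:     # bare 'args': no arguments
            rule["args"], t = [w for w, _ in it], None
        if t is not None:
            raise ValueError(f"unexpected word {t!r}")
        rules.append(rule)
    return rules

def matches(rule, user, groups, target, cmd, args):
    """True when identity, target, command and (if given) arguments all agree."""
    ident = rule["identity"]
    user_ok = user in groups.get(ident[1:], ()) if ident.startswith(":") else ident == user
    scope_ok = rule["target"] in (None, target) and rule["cmd"] in (None, cmd)
    args_ok = rule["cmd"] is None or rule["args"] in (None, list(args))
    return user_ok and scope_ok and args_ok

def evaluate(rules, user, groups, target, cmd, args=()):
    """The last matching rule decides; if no rule matches, the action is deny."""
    hits = [r for r in rules if matches(r, user, groups, target, cmd, args)]
    return hits[-1] if hits else dict(action="deny", nopass=False, keepenv=False, setenv=[])

# Constructed sample (not the manual's example); the first rule spans an escaped newline.
SAMPLE_CONF = r'''
permit nopass setenv { FTPMODE PKG_PATH \
        SSH_AUTH_SOCK } :wsrc
permit setenv { -ENV PS1=$DOAS_PS1 } :wheel
permit nopass alice as root cmd /usr/sbin/procmap args
deny alice as root cmd /sbin/reboot
permit alice as root cmd /sbin/reboot   # later rule overrides the deny above
permit bob as root cmd "/opt/my tool/run" args --flag\ with\ space
'''
SAMPLE_GROUPS = {"wsrc": {"alice", "carol"}, "wheel": {"alice"}}
```

Calling `evaluate(parse(SAMPLE_CONF), "alice", SAMPLE_GROUPS, "root", "/sbin/reboot")` returns the last `permit` rule even though an earlier `deny` also matches, and a user who appears in no rule gets the synthetic deny; the bare `args` on the procmap rule makes a request with any argument fall through to the earlier `:wheel` rule instead.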
1.1       tedu      120: .Sh EXAMPLES
1.29    ! jmc       121: The following example permits users in group wsrc to build ports;
1.14      zhuk      122: wheel to execute commands as any user while keeping the environment
1.5       benno     123: variables
1.27      tedu      124: .Ev PS1
                    125: and
                    126: .Ev SSH_AUTH_SOCK
                    127: and
                    128: unsetting
1.29    ! jmc       129: .Ev ENV ;
        !           130: permits tedu to run procmap as root without a password;
1.15      reyk      131: and additionally permits root to run unrestricted commands as itself.
1.1       tedu      132: .Bd -literal -offset indent
1.6       jmc       133: # Non-exhaustive list of variables needed to
1.5       benno     134: # build release(8) and ports(7)
1.27      tedu      135: permit nopass setenv { \e
1.5       benno     136:         FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \e
                    137:         DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \e
                    138:         MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \e
                    139:         PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \e
                    140:         SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
1.28      tedu      141: permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
1.14      zhuk      142: permit nopass tedu as root cmd /usr/sbin/procmap
1.15      reyk      143: permit nopass keepenv root as root
1.1       tedu      144: .Ed
1.3       schwarze  145: .Sh SEE ALSO
                    146: .Xr doas 1
                    147: .Sh HISTORY
                    148: The
                    149: .Nm
                    150: configuration file first appeared in
                    151: .Ox 5.8 .
                    152: .Sh AUTHORS
                    153: .An Ted Unangst Aq Mt tedu@openbsd.org