Annotation of src/usr.bin/doas/doas.conf.5, Revision 1.43
1.43 ! jmc 1: .\" $OpenBSD: doas.conf.5,v 1.42 2020/02/10 13:18:20 schwarze Exp $
1.1 tedu 2: .\"
3: .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
4: .\"
5: .\"Permission to use, copy, modify, and distribute this software for any
6: .\"purpose with or without fee is hereby granted, provided that the above
7: .\"copyright notice and this permission notice appear in all copies.
8: .\"
9: .\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: .\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: .\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: .\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1.43 ! jmc 16: .Dd $Mdocdate: February 10 2020 $
1.1 tedu 17: .Dt DOAS.CONF 5
18: .Os
19: .Sh NAME
20: .Nm doas.conf
21: .Nd doas configuration file
22: .Sh DESCRIPTION
23: The
24: .Xr doas 1
25: utility executes commands as other users according to the rules
1.18 jmc 26: in the
27: .Nm
1.1 tedu 28: configuration file.
29: .Pp
30: The rules have the following format:
1.3 schwarze 31: .Bd -ragged -offset indent
32: .Ic permit Ns | Ns Ic deny
33: .Op Ar options
1.4 bentley 34: .Ar identity
1.3 schwarze 35: .Op Ic as Ar target
1.31 schwarze 36: .Op Ic cmd Ar command Op Ic args No ...
1.1 tedu 37: .Ed
38: .Pp
39: Rules consist of the following parts:
1.3 schwarze 40: .Bl -tag -width 11n
41: .It Ic permit Ns | Ns Ic deny
1.1 tedu 42: The action to be taken if this rule matches.
1.3 schwarze 43: .It Ar options
1.1 tedu 44: Options are:
1.3 schwarze 45: .Bl -tag -width keepenv
46: .It Ic nopass
1.1 tedu 47: The user is not required to enter a password.
1.30 tedu 48: .It Ic persist
49: After the user successfully authenticates, do not ask for a password
50: again for some time.
1.3 schwarze 51: .It Ic keepenv
1.39 tedu 52: Environment variables other than those listed in
53: .Xr doas 1
54: are retained when creating the environment for the new process.
1.29 jmc 55: .It Ic setenv { Oo Ar variable ... Oc Oo Ar variable=value ... Oc Ic }
1.39 tedu 56: Keep or set the specified space-separated variables.
1.29 jmc 57: Variables may also be removed with a leading
58: .Sq -
59: or set using the latter syntax.
1.27 tedu 60: If the first character of
61: .Ar value
62: is a
63: .Ql $
64: then the value to be set is taken from the existing environment
1.34 tedu 65: variable of the indicated name.
1.39 tedu 66: This option is processed after the default environment has been created.
1.1 tedu 67: .El
1.3 schwarze 68: .It Ar identity
1.1 tedu 69: The username to match.
1.12 jmc 70: Groups may be specified by prepending a colon
71: .Pq Sq \&: .
1.1 tedu 72: Numeric IDs are also accepted.
1.3 schwarze 73: .It Ic as Ar target
1.1 tedu 74: The target user the running user is allowed to run the command as.
1.13 tedu 75: The default is all users.
1.3 schwarze 76: .It Ic cmd Ar command
1.1 tedu 77: The command the user is allowed or denied to run.
78: The default is all commands.
1.23 tedu 79: Be advised that it is best to specify absolute paths.
1.25 tedu 80: If a relative path is specified, only a restricted
1.16 tedu 81: .Ev PATH
82: will be searched.
1.31 schwarze 83: .It Ic args Op Ar argument ...
1.8 zhuk 84: Arguments to the command.
1.26 tedu 85: The command arguments provided by the user need to match those specified.
1.25 tedu 86: The keyword
1.8 zhuk 87: .Ic args
1.25 tedu 88: alone means that the command must be run without any arguments.
1.1 tedu 89: .El
90: .Pp
91: The last matching rule determines the action taken.
1.24 tedu 92: If no rule matches, the action is denied.
1.5 benno 93: .Pp
94: Comments can be put anywhere in the file using a hash mark
95: .Pq Sq # ,
96: and extend to the end of the current line.
1.10 zhuk 97: .Pp
98: The following quoting rules apply:
99: .Bl -dash
100: .It
101: The text between a pair of double quotes
102: .Pq Sq \&"
103: is taken as is.
104: .It
1.11 jmc 105: The backslash character
1.10 zhuk 106: .Pq Sq \e
1.11 jmc 107: escapes the next character, including new line characters, outside comments;
1.10 zhuk 108: as a result, comments may not be extended over multiple lines.
109: .It
1.11 jmc 110: If quotes or backslashes are used in a word,
1.23 tedu 111: it is not considered a keyword.
1.33 jmc 112: .El
113: .Sh FILES
1.42 schwarze 114: .Bl -tag -width /etc/examples/doas.conf -compact
1.33 jmc 115: .It Pa /etc/doas.conf
1.42 schwarze 116: .Xr doas 1
1.43 ! jmc 117: configuration file.
1.42 schwarze 118: .It Pa /etc/examples/doas.conf
1.43 ! jmc 119: Example configuration file.
1.10 zhuk 120: .El
1.1 tedu 121: .Sh EXAMPLES
1.32 tedu 122: The following example permits user aja to install packages
123: from a preferred mirror;
124: group wheel to execute commands as any user while keeping the environment
1.5 benno 125: variables
1.27 tedu 126: .Ev PS1
127: and
128: .Ev SSH_AUTH_SOCK
129: and
130: unsetting
1.29 jmc 131: .Ev ENV ;
132: permits tedu to run procmap as root without a password;
1.40 tedu 133: and additionally permits root to run unrestricted commands as itself
134: while retaining the original PATH.
1.1 tedu 135: .Bd -literal -offset indent
1.32 tedu 136: permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add
1.28 tedu 137: permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
1.14 zhuk 138: permit nopass tedu as root cmd /usr/sbin/procmap
1.41 tedu 139: permit nopass keepenv setenv { PATH } root as root
1.1 tedu 140: .Ed
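The rule grammar, the matching semantics (last matching rule wins, no match means deny) and the example above, modelled as an added Python example that is not part of doas or this manual page. shlex.split stands in for the quoting rules and only approximates them (no backslash-newline continuation), and the final deny rule in the embedded configuration is constructed for the demonstration.

```python
import shlex
# Model of doas.conf rule matching (constructed, not doas's own code).  shlex
# approximates the quoting rules; backslash-newline continuation is ignored.
FLAGS = ("nopass", "persist", "keepenv")

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        w = shlex.split(line, comments=True)          # '#' starts a comment
        if not w:
            continue
        rule = {"action": w.pop(0), "setenv": [], "target": None, "cmd": None, "args": None}
        while w and (w[0] in FLAGS or w[0] == "setenv"):
            opt = w.pop(0)
            if opt == "setenv":                       # setenv { VAR -VAR VAR=value }
                end = w.index("}")
                rule["setenv"], w = w[1:end], w[end + 1:]
            else:
                rule[opt] = True
        rule["identity"] = w.pop(0)                   # user, :group or numeric id
        if w and w[0] == "as":
            rule["target"], w = w[1], w[2:]
        if w and w[0] == "cmd":
            rule["cmd"] = w[1]
            if len(w) > 2 and w[2] == "args":
                rule["args"] = w[3:]                  # bare "args": no arguments
        rules.append(rule)
    return rules

def matches(rule, user, groups, target, cmd, args):
    ident = rule["identity"]
    if (ident[1:] not in groups) if ident.startswith(":") else (ident != user):
        return False
    return (rule["target"] in (None, target) and rule["cmd"] in (None, cmd)
            and (rule["args"] is None or rule["args"] == list(args)))

def evaluate(rules, user, groups, target, cmd, args=()):
    action = "deny"                                   # no matching rule: deny
    for rule in rules:
        if matches(rule, user, groups, target, cmd, args):
            action = rule["action"]                   # last match wins
    return action

# The manual's example rules plus one constructed deny rule (last line).
CONF = """permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add
permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
permit nopass tedu as root cmd /usr/sbin/procmap
permit nopass keepenv setenv { PATH } root as root
deny :wheel as root cmd /bin/sh args   # wheel gets no bare root shell
"""
```

Note that the bare `args` keyword on the deny rule matches only an invocation with no arguments at all; `/bin/sh -l` still falls through to the earlier `:wheel` permit, which is why restrictive rules should be written as the last matching rule and tested with the exact argument vectors they are meant to cover.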
1.3 schwarze 141: .Sh SEE ALSO
142: .Xr doas 1
143: .Sh HISTORY
144: The
145: .Nm
146: configuration file first appeared in
147: .Ox 5.8 .
148: .Sh AUTHORS
149: .An Ted Unangst Aq Mt tedu@openbsd.org