Annotation of src/usr.bin/doas/doas.conf.5, Revision 1.9

1.9     ! jmc         1: .\" $OpenBSD: doas.conf.5,v 1.8 2015/07/21 11:04:06 zhuk Exp $
1.1       tedu        2: .\"
                      3: .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
                      4: .\"
                      5: .\"Permission to use, copy, modify, and distribute this software for any
                      6: .\"purpose with or without fee is hereby granted, provided that the above
                      7: .\"copyright notice and this permission notice appear in all copies.
                      8: .\"
                      9: .\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
                     10: .\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
                     11: .\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
                     12: .\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
                     13: .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
                     14: .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
                     15: .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1.9     ! jmc        16: .Dd $Mdocdate: July 21 2015 $
1.1       tedu       17: .Dt DOAS.CONF 5
                     18: .Os
                     19: .Sh NAME
                     20: .Nm doas.conf
                     21: .Nd doas configuration file
                     22: .Sh DESCRIPTION
                     23: The
                     24: .Xr doas 1
                     25: utility executes commands as other users according to the rules
                     26: in the
                     27: .Nm
                     28: configuration file.
                     29: .Pp
                     30: The rules have the following format:
1.3       schwarze   31: .Bd -ragged -offset indent
                     32: .Ic permit Ns | Ns Ic deny
                     33: .Op Ar options
1.4       bentley    34: .Ar identity
1.3       schwarze   35: .Op Ic as Ar target
1.9     ! jmc        36: .Op Ic cmd Ar command Op Ic args ...
1.1       tedu       37: .Ed
                     38: .Pp
                     39: Rules consist of the following parts:
1.3       schwarze   40: .Bl -tag -width 11n
                     41: .It Ic permit Ns | Ns Ic deny
1.1       tedu       42: The action to be taken if this rule matches.
1.3       schwarze   43: .It Ar options
1.1       tedu       44: Options are:
1.3       schwarze   45: .Bl -tag -width keepenv
                     46: .It Ic nopass
1.1       tedu       47: The user is not required to enter a password.
1.3       schwarze   48: .It Ic keepenv
1.1       tedu       49: The user's environment is maintained.
1.5       benno      50: The default is to reset the environment, except for the variables
                     51: .Ev DISPLAY ,
                     52: .Ev HOME ,
                     53: .Ev LOGNAME ,
                     54: .Ev MAIL ,
                     55: .Ev PATH ,
                     56: .Ev TERM ,
                     57: .Ev USER
                     58: and
                     59: .Ev USERNAME .
1.3       schwarze   60: .It Ic keepenv { Oo variable names Oc Ic }
1.5       benno      61: Reset the environment, but keep the space-separated specified variables.
1.1       tedu       62: .El
1.3       schwarze   63: .It Ar identity
1.1       tedu       64: The username to match.
                     65: Groups may be specified by prepending a colon (:).
                     66: Numeric IDs are also accepted.
1.3       schwarze   67: .It Ic as Ar target
1.1       tedu       68: The target user the running user is allowed to run the command as.
                     69: The default is root.
1.3       schwarze   70: .It Ic cmd Ar command
1.1       tedu       71: The command the user is allowed or denied to run.
                     72: The default is all commands.
                     73: Be advised that it's best to specify absolute paths.
1.9     ! jmc        74: .It Ic args ...
1.8       zhuk       75: Arguments to command.
1.9     ! jmc        76: If specified, the command arguments provided by the user
        !            77: need to match for the command to be successful.
1.8       zhuk       78: Specifying
                     79: .Ic args
                     80: alone means that command should be run without any arguments.
1.1       tedu       81: .El
                     82: .Pp
                     83: The last matching rule determines the action taken.
1.5       benno      84: .Pp
                     85: The current line can be extended over multiple lines using a backslash
                     86: .Pq Sq \e .
                     87: Comments can be put anywhere in the file using a hash mark
                     88: .Pq Sq # ,
                     89: and extend to the end of the current line.
1.1       tedu       90: .Sh EXAMPLES
1.5       benno      91: The following example permits users in group wsrc to build ports,
                     92: wheel to execute commands as root while keeping the environment
                     93: variables
                     94: .Ev ENV ,
                     95: .Ev PS1 ,
                     96: and
                     97: .Ev SSH_AUTH_SOCK ,
1.1       tedu       98: and additionally permits tedu to run procmap as root without a password.
                     99: .Bd -literal -offset indent
1.6       jmc       100: # Non-exhaustive list of variables needed to
1.5       benno     101: # build release(8) and ports(7)
                    102: permit nopass keepenv { \e
                    103:         FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \e
                    104:         DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \e
                    105:         MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \e
                    106:         PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \e
                    107:         SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
                    108: permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
1.1       tedu      109: permit nopass tedu cmd /usr/sbin/procmap
                    110: .Ed
1.3       schwarze  111: .Sh SEE ALSO
                    112: .Xr doas 1
                    113: .Sh HISTORY
                    114: The
                    115: .Nm
                    116: configuration file first appeared in
                    117: .Ox 5.8 .
                    118: .Sh AUTHORS
                    119: .An Ted Unangst Aq Mt tedu@openbsd.org
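
The "last matching rule determines the action taken" statement and the `args` behaviour described in the manual text above, modelled as an added example; this is not OpenBSD code or part of the annotated file. It assumes a simplified subset of the grammar: options are skipped, `as target` and numeric IDs are not modelled, and the sample rules, the user names alice and bob and the helper names are constructed for illustration.

```python
# Simplified model of doas.conf matching (added example, not OpenBSD code).
SAMPLE = """
# constructed sample rules
permit nopass keepenv { ENV PS1 \\
        SSH_AUTH_SOCK } :wheel
deny :wheel cmd /sbin/reboot
permit tedu cmd /sbin/reboot args
"""

def parse_rules(text):
    rules = []
    # Join backslash-continued lines, then strip '#' comments.
    for line in text.replace("\\\n", " ").splitlines():
        tokens = line.split("#", 1)[0].split()
        if not tokens:
            continue
        if "as" in tokens:
            raise ValueError("'as target' is not modelled here")
        rule = {"action": tokens[0], "cmd": None, "args": None}
        rest = tokens[1:]
        if "cmd" in rest:
            i = rest.index("cmd")
            rule["cmd"] = rest[i + 1]
            tail = rest[i + 2:]
            if tail and tail[0] == "args":
                rule["args"] = tail[1:]  # bare "args" -> []: no arguments allowed
            rest = rest[:i]
        rule["identity"] = rest[-1]  # last token before "cmd"; options precede it
        rules.append(rule)
    return rules

def matches(rule, user, groups, cmd, args):
    ident = rule["identity"]
    if ident.startswith(":"):
        if ident[1:] not in groups:
            return False
    elif ident != user:
        return False
    if rule["cmd"] is not None:
        if rule["cmd"] != cmd:
            return False
        if rule["args"] is not None and rule["args"] != list(args):
            return False
    return True

def decide(rules, user, groups, cmd, args=()):
    action = "deny"  # assumption: nothing matched means not permitted
    for rule in rules:
        if matches(rule, user, groups, cmd, args):
            action = rule["action"]  # a later match overrides an earlier one
    return action
```

Because the last match wins, a `deny` placed before a broader `permit` for the same identity has no effect; reviewing a rule set means reading it bottom-up for each identity and command.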