File: [local] / src / usr.bin / doas / doas.conf.5 (download)
Revision 1.2, Thu Jul 16 21:24:07 2015 UTC (8 years, 10 months ago) by nicm
Branch: MAIN
Changes since 1.1: +3 -3 lines
Typo: exeucte -> execute
|
.\" $OpenBSD: doas.conf.5,v 1.2 2015/07/16 21:24:07 nicm Exp $
.\"
.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
.\"
.\"Permission to use, copy, modify, and distribute this software for any
.\"purpose with or without fee is hereby granted, provided that the above
.\"copyright notice and this permission notice appear in all copies.
.\"
.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.Dd $Mdocdate: July 16 2015 $
.Dt DOAS.CONF 5
.Os
.Sh NAME
.Nm doas.conf
.Nd doas configuration file
.Sh DESCRIPTION
The
.Xr doas 1
utility executes commands as other users according to the rules
in the
.Nm
configuration file.
.Pp
The rules have the following format:
.Bd -literal -offset indent
permit|deny [options] [identity] [as target] [cmd command]
.Ed
.Pp
Rules consist of the following parts:
.Bl -tag -width tenletters
.It permit|deny
The action to be taken if this rule matches.
.It options
Options are:
.Bl -tag -width tenletters
.It nopass
The user is not required to enter a password.
.It keepenv
The user's environment is maintained.
The default is to reset the environment.
.It keepenv { [variable names] }
Reset the environment, but keep the specified variables.
.El
.It identity
The username to match.
Groups may be specified by prepending a colon (:).
Numeric IDs are also accepted.
.It as target
The target user the running user is allowed to run the command as.
The default is root.
.It cmd command
The command the user is allowed or denied to run.
The default is all commands.
Be advised that it's best to specify absolute paths.
.El
.Pp
The last matching rule determines the action taken.
.Sh EXAMPLES
The following example permits users in group wheel to execute commands as root,
and additionally permits tedu to run procmap as root without a password.
.Bd -literal -offset indent
permit :wheel
permit nopass tedu cmd /usr/sbin/procmap
.Ed
![[BACK]](/icons/back.gif){kind=icon}
Return to doas.conf.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / doas