-.\" $OpenBSD: doas.conf.5,v 1.12 2015/07/27 17:57:06 jmc Exp $
+.\" $OpenBSD: doas.conf.5,v 1.13 2015/07/27 21:44:11 tedu Exp $
.\"
.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
.\"
.It Ic cmd Ar command
The command the user is allowed or denied to run.
The default is all commands.
-Be advised that it's best to specify absolute paths.
+Be advised that it is best to specify absolute paths.
+If a relative path is specified, only a restricted
+.Ev PATH
+will be searched.
.It Ic args ...
Arguments to command.
-If specified, the command arguments provided by the user
-need to match for the command to be successful.
-Specifying
+The command arguments provided by the user need to match those specified.
+The keyword
.Ic args
-alone means that command should be run without any arguments.
+alone means that command must be run without any arguments.
.El
.Pp
The last matching rule determines the action taken.
+If no rule matches, the action is denied.
.Pp
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
.El
.Sh EXAMPLES
The following example permits users in group wsrc to build ports,
-wheel to execute commands as root while keeping the environment
+wheel to execute commands as any user while keeping the environment
variables
.Ev ENV ,
.Ev PS1 ,
PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \e
SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
-permit nopass tedu cmd /usr/sbin/procmap
+permit nopass tedu as root cmd /usr/sbin/procmap
.Ed
.Sh SEE ALSO
.Xr doas 1