X-Git-Url: https://git.armaanb.net/?a=blobdiff_plain;f=doas.conf.5;h=d4fb35506a38d38d50059fd1715ddb7ab96bc70e;hb=025db698803cbd722444ba2745ead9a5c51efcb4;hp=515598bc58317f9588109d99cef70fd2176d16a7;hpb=e8c995662696d6038d05dde43bf348d4549e36c0;p=opendoas.git diff --git a/doas.conf.5 b/doas.conf.5 index 515598b..d4fb355 100644 --- a/doas.conf.5 +++ b/doas.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: doas.conf.5,v 1.12 2015/07/27 17:57:06 jmc Exp $ +.\" $OpenBSD: doas.conf.5,v 1.13 2015/07/27 21:44:11 tedu Exp $ .\" .\"Copyright (c) 2015 Ted Unangst .\" @@ -33,7 +33,7 @@ The rules have the following format: .Op Ar options .Ar identity .Op Ic as Ar target -.Op Ic cmd Ar command Op Ic args ... +.Op Ic cmd Ar command Op Ic args No ... .Ed .Pp Rules consist of the following parts: @@ -45,21 +45,35 @@ Options are: .Bl -tag -width keepenv .It Ic nopass The user is not required to enter a password. +.It Ic persist +After the user successfully authenticates, do not ask for a password +again for some time. .It Ic keepenv The user's environment is maintained. -The default is to reset the environment, except for the variables -.Ev DISPLAY , +The default is to retain the variables +.Ev DISPLAY +and +.Ev TERM +from the invoking process, reset .Ev HOME , .Ev LOGNAME , -.Ev MAIL , .Ev PATH , -.Ev TERM , -.Ev USER +.Ev SHELL , and -.Ev USERNAME . -.It Ic keepenv { Oo Ar variable ... Oc Ic } +.Ev USER +as appropriate for the target user, and discard the rest of the environment. +.It Ic setenv { Oo Ar variable ... Oc Oo Ar variable=value ... Oc Ic } In addition to the variables mentioned above, keep the space-separated specified variables. +Variables may also be removed with a leading +.Sq - +or set using the latter syntax. +If the first character of +.Ar value +is a +.Ql $ +then the value to be set is taken from the existing environment +variable of the indicated name. .El .It Ar identity The username to match. 
@@ -72,17 +86,20 @@ The default is all users. .It Ic cmd Ar command The command the user is allowed or denied to run. The default is all commands. -Be advised that it's best to specify absolute paths. -.It Ic args ... +Be advised that it is best to specify absolute paths. +If a relative path is specified, only a restricted +.Ev PATH +will be searched. +.It Ic args Op Ar argument ... Arguments to command. -If specified, the command arguments provided by the user -need to match for the command to be successful. -Specifying +The command arguments provided by the user need to match those specified. +The keyword .Ic args -alone means that command should be run without any arguments. +alone means that command must be run without any arguments. .El .Pp The last matching rule determines the action taken. +If no rule matches, the action is denied. .Pp Comments can be put anywhere in the file using a hash mark .Pq Sq # , 
@@ -103,26 +120,28 @@ as a result, comments may not be extended over multiple lines. If quotes or backslashes are used in a word, it isn't considered a keyword. .El +.Sh FILES +.Bl -tag -width "/etc/doas.conf" +.It Pa /etc/doas.conf +doas configuration file. +.El .Sh EXAMPLES -The following example permits users in group wsrc to build ports, -wheel to execute commands as root while keeping the environment +The following example permits user aja to install packages +from a preferred mirror; +group wheel to execute commands as any user while keeping the environment variables -.Ev ENV , -.Ev PS1 , +.Ev PS1 +and +.Ev SSH_AUTH_SOCK and -.Ev SSH_AUTH_SOCK , -and additionally permits tedu to run procmap as root without a password. +unsetting +.Ev ENV ; +permits tedu to run procmap as root without a password; +and additionally permits root to run unrestricted commands as itself. .Bd -literal -offset indent -# Non-exhaustive list of variables needed to -# build release(8) and ports(7) -permit nopass keepenv { \e - FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \e - DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \e - MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \e - PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \e - SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc -permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel -permit nopass tedu cmd /usr/sbin/procmap +permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add +permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel +permit nopass tedu as root cmd /usr/sbin/procmap .Ed .Sh SEE ALSO .Xr doas 1
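Review bot: in the @@ -33 hunk the synopsis becomes `.Op Ic cmd Ar command Op Ic args No ...`, while the matching list item in the @@ -72 hunk becomes `.It Ic args Op Ar argument ...`; the two should use the same form (`Op Ic args Op Ar argument ...` in the synopsis) so the optional argument list is described identically in both places rather than as a bare `...` in one and a named `argument` in the other.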
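Review bot: in the @@ -45 hunk the sentence "the value to be set is taken from the existing environment variable of the indicated name" does not say which environment is consulted. If it is the invoking user's environment, a `variable=$NAME` rule lets the invoker pick the value (the example `PS1=$DOAS_PS1` in the @@ -103 hunk relies on exactly that), so the text should state whose environment is read and what happens when the named variable is unset. Two smaller points in the same hunk: `persist` says "for some time" without giving the timeout or where it is configured, and the `setenv` description's "In addition to the variables mentioned above" is now ambiguous because the preceding `keepenv` text lists both retained (DISPLAY, TERM) and reset (HOME, LOGNAME, PATH, SHELL, USER) variables; "in addition to those retained by default" would be precise.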
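Review bot: in the @@ -72 hunk, "If a relative path is specified, only a restricted PATH will be searched" leaves the restricted value undocumented; give the actual search path, or reference where it is defined, so an administrator can predict which binary a relative `cmd` resolves to. The added "If no rule matches, the action is denied" is a welcome clarification of the default.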
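Review bot: in the @@ -103 hunk the prose says the example "additionally permits root to run unrestricted commands as itself", but no such rule appears in the example block, which only contains the aja, :wheel and tedu lines; either add the root rule to the block or drop that clause. Also, `permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add` uses a relative command name immediately after the page advises absolute paths and warns that relative ones are looked up in a restricted PATH; using the absolute path to pkg_add in the example would keep it consistent with the page's own advice.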