-.\" $OpenBSD$
+.\" $OpenBSD: doas.conf.5,v 1.45 2020/10/09 10:24:33 jmc Exp $
.\"
.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
.\"
.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate$
+.Dd $Mdocdate: October 9 2020 $
.Dt DOAS.CONF 5
.Os
.Sh NAME
configuration file.
.Pp
The rules have the following format:
-.Bd -literal -offset indent
-permit|deny [options] [identity] [as target] [cmd command]
+.Bd -ragged -offset indent
+.Ic permit Ns | Ns Ic deny
+.Op Ar options
+.Ar identity
+.Op Ic as Ar target
+.Op Ic cmd Ar command Op Ic args No ...
.Ed
.Pp
Rules consist of the following parts:
-.Bl -tag -width tenletters
-.It permit|deny
+.Bl -tag -width 11n
+.It Ic permit Ns | Ns Ic deny
The action to be taken if this rule matches.
-.It options
+.It Ar options
Options are:
-.Bl -tag -width tenletters
-.It nopass
+.Bl -tag -width keepenv
+.It Ic nopass
The user is not required to enter a password.
-.It keepenv
-The user's environment is maintained.
-The default is to reset the environment.
-.It keepenv { [variable names] }
-Reset the environment, but keep the specified variables.
+.It Ic nolog
+Do not log successful command execution to
+.Xr syslogd 8 .
+.It Ic persist
+After the user successfully authenticates, do not ask for a password
+again for some time.
+.It Ic keepenv
+Environment variables other than those listed in
+.Xr doas 1
+are retained when creating the environment for the new process.
+.It Ic setenv { Oo Ar variable ... Oc Oo Ar variable=value ... Oc Ic }
+Keep or set the space-separated specified variables.
+Variables may also be removed with a leading
+.Sq -
+or set using the latter syntax.
+If the first character of
+.Ar value
+is a
+.Ql $
+then the value to be set is taken from the existing environment
+variable of the indicated name.
+This option is processed after the default environment has been created.
+.It Ic insult
+Insult the user when they get their password wrong.
.El
-.It identity
+.It Ar identity
The username to match.
-Groups may be specified by prepending a colon (:).
+Groups may be specified by prepending a colon
+.Pq Sq \&: .
Numeric IDs are also accepted.
-.It as target
+.It Ic as Ar target
The target user the running user is allowed to run the command as.
-The default is root.
-.It cmd command
+The default is all users.
+.It Ic cmd Ar command
The command the user is allowed or denied to run.
The default is all commands.
-Be advised that it's best to specify absolute paths.
+Be advised that it is best to specify absolute paths.
+If a relative path is specified, only a restricted
+.Ev PATH
+will be searched.
+.It Ic args Op Ar argument ...
+Arguments to command.
+The command arguments provided by the user need to match those specified.
+The keyword
+.Ic args
+alone means that command must be run without any arguments.
.El
.Pp
The last matching rule determines the action taken.
+If no rule matches, the action is denied.
+.Pp
+Comments can be put anywhere in the file using a hash mark
+.Pq Sq # ,
+and extend to the end of the current line.
+.Pp
+The following quoting rules apply:
+.Bl -dash
+.It
+The text between a pair of double quotes
+.Pq Sq \&"
+is taken as is.
+.It
+The backslash character
+.Pq Sq \e
+escapes the next character, including new line characters, outside comments;
+as a result, comments may not be extended over multiple lines.
+.It
+If quotes or backslashes are used in a word,
+it is not considered a keyword.
+.El
+.Sh FILES
+.Bl -tag -width /etc/examples/doas.conf -compact
+.It Pa /etc/doas.conf
+.Xr doas 1
+configuration file.
+.It Pa /etc/examples/doas.conf
+Example configuration file.
+.El
.Sh EXAMPLES
-The following example permits users in group wheel to exeucte commands as root,
-and additionally permits tedu to run procmap as root without a password.
+The following example permits user aja to install packages
+from a preferred mirror;
+group wheel to execute commands as any user while keeping the environment
+variables
+.Ev PS1
+and
+.Ev SSH_AUTH_SOCK
+and
+unsetting
+.Ev ENV ;
+permits tedu to run procmap as root without a password;
+and additionally permits root to run unrestricted commands as itself
+while retaining the original PATH.
.Bd -literal -offset indent
-permit :wheel
-permit nopass tedu cmd /usr/sbin/procmap
+permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add
+permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
+permit nopass tedu as root cmd /usr/sbin/procmap
+permit nopass keepenv setenv { PATH } root as root
.Ed
+.Sh SEE ALSO
+.Xr doas 1 ,
+.Xr syslogd 8
+.Sh HISTORY
+The
+.Nm
+configuration file first appeared in
+.Ox 5.8 .
+.Sh AUTHORS
+.An Ted Unangst Aq Mt tedu@openbsd.org
projects / opendoas.git / blobdiff