-.\" $OpenBSD: doas.conf.5,v 1.9 2015/07/22 06:30:12 jmc Exp $
+.\" $OpenBSD: doas.conf.5,v 1.45 2020/10/09 10:24:33 jmc Exp $
.\"
.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
.\"
.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate: July 22 2015 $
+.Dd $Mdocdate: October 9 2020 $
.Dt DOAS.CONF 5
.Os
.Sh NAME
.Op Ar options
.Ar identity
.Op Ic as Ar target
-.Op Ic cmd Ar command Op Ic args ...
+.Op Ic cmd Ar command Op Ic args No ...
.Ed
.Pp
Rules consist of the following parts:
.Bl -tag -width keepenv
.It Ic nopass
The user is not required to enter a password.
+.It Ic nolog
+Do not log successful command execution to
+.Xr syslogd 8 .
+.It Ic persist
+After the user successfully authenticates, do not ask for a password
+again for some time.
.It Ic keepenv
-The user's environment is maintained.
-The default is to reset the environment, except for the variables
-.Ev DISPLAY ,
-.Ev HOME ,
-.Ev LOGNAME ,
-.Ev MAIL ,
-.Ev PATH ,
-.Ev TERM ,
-.Ev USER
-and
-.Ev USERNAME .
-.It Ic keepenv { Oo variable names Oc Ic }
-Reset the environment, but keep the space-separated specified variables.
+Environment variables other than those listed in
+.Xr doas 1
+are retained when creating the environment for the new process.
+.It Ic setenv { Oo Ar variable ... Oc Oo Ar variable=value ... Oc Ic }
+Keep or set the space-separated specified variables.
+Variables may also be removed with a leading
+.Sq -
+or set using the latter syntax.
+If the first character of
+.Ar value
+is a
+.Ql $
+then the value to be set is taken from the existing environment
+variable of the indicated name.
+This option is processed after the default environment has been created.
+.It Ic insult
+Insult the user when they get their password wrong.
.El
.It Ar identity
The username to match.
-Groups may be specified by prepending a colon (:).
+Groups may be specified by prepending a colon
+.Pq Sq \&: .
Numeric IDs are also accepted.
.It Ic as Ar target
The target user the running user is allowed to run the command as.
-The default is root.
+The default is all users.
.It Ic cmd Ar command
The command the user is allowed or denied to run.
The default is all commands.
-Be advised that it's best to specify absolute paths.
-.It Ic args ...
+Be advised that it is best to specify absolute paths.
+If a relative path is specified, only a restricted
+.Ev PATH
+will be searched.
+.It Ic args Op Ar argument ...
Arguments to command.
-If specified, the command arguments provided by the user
-need to match for the command to be successful.
-Specifying
+The command arguments provided by the user need to match those specified.
+The keyword
.Ic args
-alone means that command should be run without any arguments.
+alone means that command must be run without any arguments.
.El
.Pp
The last matching rule determines the action taken.
+If no rule matches, the action is denied.
.Pp
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
.Pq Sq \&"
is taken as is.
.It
-The backslash
+The backslash character
.Pq Sq \e
-escapes next character, including new line character, outside comment;
+escapes the next character, including new line characters, outside comments;
as a result, comments may not be extended over multiple lines.
.It
-If quotes or backslash are used in the word, this word won't be
-considered a keyword.
+If quotes or backslashes are used in a word,
+it is not considered a keyword.
+.El
+.Sh FILES
+.Bl -tag -width /etc/examples/doas.conf -compact
+.It Pa /etc/doas.conf
+.Xr doas 1
+configuration file.
+.It Pa /etc/examples/doas.conf
+Example configuration file.
.El
.Sh EXAMPLES
-The following example permits users in group wsrc to build ports,
-wheel to execute commands as root while keeping the environment
+The following example permits user aja to install packages
+from a preferred mirror;
+group wheel to execute commands as any user while keeping the environment
variables
-.Ev ENV ,
-.Ev PS1 ,
+.Ev PS1
+and
+.Ev SSH_AUTH_SOCK
and
-.Ev SSH_AUTH_SOCK ,
-and additionally permits tedu to run procmap as root without a password.
+unsetting
+.Ev ENV ;
+permits tedu to run procmap as root without a password;
+and additionally permits root to run unrestricted commands as itself
+while retaining the original PATH.
.Bd -literal -offset indent
-# Non-exhaustive list of variables needed to
-# build release(8) and ports(7)
-permit nopass keepenv { \e
- FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \e
- DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \e
- MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \e
- PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \e
- SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
-permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
-permit nopass tedu cmd /usr/sbin/procmap
+permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add
+permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
+permit nopass tedu as root cmd /usr/sbin/procmap
+permit nopass keepenv setenv { PATH } root as root
.Ed
.Sh SEE ALSO
-.Xr doas 1
+.Xr doas 1 ,
+.Xr syslogd 8
.Sh HISTORY
The
.Nm
projects / opendoas.git / blobdiff