-.\" $OpenBSD: doas.conf.5,v 1.12 2015/07/27 17:57:06 jmc Exp $
+.\" $OpenBSD: doas.conf.5,v 1.13 2015/07/27 21:44:11 tedu Exp $
.\"
.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
.\"
.Op Ar options
.Ar identity
.Op Ic as Ar target
-.Op Ic cmd Ar command Op Ic args ...
+.Op Ic cmd Ar command Op Ic args No ...
.Ed
.Pp
Rules consist of the following parts:
.Bl -tag -width keepenv
.It Ic nopass
The user is not required to enter a password.
+.It Ic nolog
+Do not log successful command execution to
+.Xr syslogd 8 .
+.It Ic persist
+After the user successfully authenticates, do not ask for a password
+again for some time.
.It Ic keepenv
-The user's environment is maintained.
-The default is to reset the environment, except for the variables
-.Ev DISPLAY ,
-.Ev HOME ,
-.Ev LOGNAME ,
-.Ev MAIL ,
-.Ev PATH ,
-.Ev TERM ,
-.Ev USER
-and
-.Ev USERNAME .
-.It Ic keepenv { Oo Ar variable ... Oc Ic }
-In addition to the variables mentioned above, keep the space-separated
-specified variables.
+Environment variables other than those listed in
+.Xr doas 1
+are retained when creating the environment for the new process.
+.It Ic setenv { Oo Ar variable ... Oc Oo Ar variable=value ... Oc Ic }
+Keep or set the space-separated specified variables.
+Variables may also be removed with a leading
+.Sq -
+or set using the latter syntax.
+If the first character of
+.Ar value
+is a
+.Ql $
+then the value to be set is taken from the existing environment
+variable of the indicated name.
+This option is processed after the default environment has been created.
.El
.It Ar identity
The username to match.
.It Ic cmd Ar command
The command the user is allowed or denied to run.
The default is all commands.
-Be advised that it's best to specify absolute paths.
-.It Ic args ...
+Be advised that it is best to specify absolute paths.
+If a relative path is specified, only a restricted
+.Ev PATH
+will be searched.
+.It Ic args Op Ar argument ...
Arguments to command.
-If specified, the command arguments provided by the user
-need to match for the command to be successful.
-Specifying
+The command arguments provided by the user need to match those specified.
+The keyword
.Ic args
-alone means that command should be run without any arguments.
+alone means that command must be run without any arguments.
.El
.Pp
The last matching rule determines the action taken.
+If no rule matches, the action is denied.
.Pp
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
If quotes or backslashes are used in a word,
it isn't considered a keyword.
.El
+.Sh FILES
+.Bl -tag -width /etc/examples/doas.conf -compact
+.It Pa /etc/doas.conf
+.Xr doas 1
+configuration file.
+.It Pa /etc/examples/doas.conf
+Example configuration file.
+.El
.Sh EXAMPLES
-The following example permits users in group wsrc to build ports,
-wheel to execute commands as root while keeping the environment
+The following example permits user aja to install packages
+from a preferred mirror;
+group wheel to execute commands as any user while keeping the environment
variables
-.Ev ENV ,
-.Ev PS1 ,
+.Ev PS1
+and
+.Ev SSH_AUTH_SOCK
and
-.Ev SSH_AUTH_SOCK ,
-and additionally permits tedu to run procmap as root without a password.
+unsetting
+.Ev ENV ;
+permits tedu to run procmap as root without a password;
+and additionally permits root to run unrestricted commands as itself
+while retaining the original PATH.
.Bd -literal -offset indent
-# Non-exhaustive list of variables needed to
-# build release(8) and ports(7)
-permit nopass keepenv { \e
- FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \e
- DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \e
- MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \e
- PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \e
- SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
-permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
-permit nopass tedu cmd /usr/sbin/procmap
+permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add
+permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
+permit nopass tedu as root cmd /usr/sbin/procmap
+permit nopass keepenv setenv { PATH } root as root
.Ed
.Sh SEE ALSO
-.Xr doas 1
+.Xr doas 1 ,
+.Xr syslogd 8
.Sh HISTORY
The
.Nm
projects / opendoas.git / blobdiff