OpenBSD doas

From OpenBSD-Wiki
Revision as of 06:04, 3 September 2015, by Ssh

http://www.badbug.id.au/doas-or-how-i-use-sudo-on-openbsd-5-8/

There is a new sudo replacement in town and it's called doas, which I use on OpenBSD 5.8 (snapshot). Ted Unangst (tedu) developed it as a simple replacement for sudo (without all the bells and whistles) to support the use case for a simple, small sudo-like replacement for OpenBSD. Long live sudo, no more sudo.

Starting with OpenBSD 5.8, doas comes pre-installed as part of the base CD set. Using it is super simple: create a configuration file /etc/doas.conf with the following configuration:

Super liberal OpenBSD system (ohai! happy sysadmin day):

permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel

This permits users in the wheel group to execute commands as the root user (defaults to root user if not specified), lets them run everything without requiring a password, and preserves the environment variables ENV, PS1 and SSH_AUTH_SOCK.

Same as above, but prompt the user for a valid password (the prompt is implicit: the rule asks for a password because it doesn't have nopass):

permit keepenv {ENV PS1 SSH_AUTH_SOCK} :wheel

Allow bob to run /bin/sh as fred:

permit bob as fred cmd /bin/sh

Disallow users in wheel group to do anything:

deny :wheel

The rules in doas.conf are read top-down, and the last matching rule wins. So, if you have a deny :wheel followed by permit nopass :wheel on the next line, the permit rule takes precedence and is in effect. doas.conf also requires a newline at the end of the file.
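
The rule ordering described above can be checked before a file is installed. The following is an added example, not code from the original post or from doas itself: a small evaluator for the rule forms shown on this page only. The function names, the sample users and the exact-match handling of cmd are assumptions of this sketch.

```python
import re

def parse_rules(text):
    """Parse the doas.conf rule forms shown on this page (a subset, not the full grammar)."""
    if text and not text.endswith("\n"):
        raise ValueError("doas.conf must end with a newline")
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]                      # strip comments
        tokens = re.sub(r"\{[^}]*\}", " ", line).split()  # keepenv list does not affect matching
        if not tokens:
            continue
        if tokens[0] not in ("permit", "deny"):
            raise ValueError("rule must start with permit or deny: " + line)
        rule = {"action": tokens[0], "nopass": False, "target": None, "cmd": None}
        rest = tokens[1:]
        while rest and rest[0] in ("nopass", "keepenv"):
            if rest.pop(0) == "nopass":
                rule["nopass"] = True
        if not rest:
            raise ValueError("rule has no identity: " + line)
        rule["identity"] = rest.pop(0)
        while rest:
            key = rest.pop(0)
            if key not in ("as", "cmd") or not rest:
                raise ValueError("unsupported option in: " + line)
            rule["target" if key == "as" else "cmd"] = rest.pop(0)
        rules.append(rule)
    return rules

def decide(rules, user, groups, cmd, target="root"):
    """Return (action, password_required); the last matching rule wins."""
    result = ("deny", False)  # nothing matched: the request is refused
    for r in rules:
        ident = r["identity"]
        who = ident[1:] in groups if ident.startswith(":") else ident == user
        # Assumption of this sketch: a rule without `as` is not restricted by target.
        if who and r["target"] in (None, target) and r["cmd"] in (None, cmd):
            result = (r["action"], r["action"] == "permit" and not r["nopass"])
    return result

# Constructed sample configurations built from the rules on this page.
DENY_THEN_PERMIT = "deny :wheel\npermit nopass :wheel\n"
PERMIT_THEN_DENY = "permit nopass :wheel\ndeny :wheel\n"
BOB_AS_FRED = "permit bob as fred cmd /bin/sh\n"

if __name__ == "__main__":
    for conf in (DENY_THEN_PERMIT, PERMIT_THEN_DENY):
        print(repr(conf), "->", decide(parse_rules(conf), "alice", ["wheel"], "/sbin/reboot"))
```

Swapping the two wheel rules flips the outcome for the same user, which is the reason to review rule order whenever a nopass line is added.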