doas: a lightweight alternative to sudo
doas has almost all features of sudo with a fraction of the codebase. It’s from OpenBSD but it’s available in most distros under the OpenDoas project.
In Debian / Ubuntu, you can install doas. In Arch Linux, the package name is
- Create a file called /etc (as root). This is an example of the content of /etc/doas.conf to allow users from ‘mygroup’ to run commands as other users.
- For security reasons, when you have finished editing the file, give read-only permissions to the owner (root).
chmod 400 /etc/doas.conf
Obviously, there are more options to tune permissions:
permit|deny: the action to be taken, permit or deny. This always goes at the beginning of every line.
nopass: user is not required to type a password.
persist: After authentication, do not ask for password again for some time.
<username>: specify the username to match.
:<group>: specify a group to match.
as <username>: user/group can run commands as specified username.
cmd <command> [args <arguments>]: you can specify a command and even arguments to that command. It’s recommended to use full paths.
These are some examples:
john can run commands as root without typing his password.
permit nopass john
ricardo can update programs but he cannot install or remove packages (if you run doas apt upgrade -y, it will not work unless you add another line with the
permit ricardo cmd apt args update
permit ricardo cmd apt args upgrade
Note: the FreeBSD version uses /usr/local/etc/doas.conf as its config file.
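A small linter for the rule syntax described above, as an added example that is not part of the original article or of the doas project. It parses only the keywords listed here (no quoting, keepenv or setenv) and flags nopass rules with no cmd restriction and cmd values that are not full paths; the function names and the /usr/bin/apt path in the sample are assumptions.

```python
OPTIONS = {"nopass", "persist"}  # only the options listed in this article

def parse_rule(line):
    """Parse one doas.conf rule; return a dict, or None for blank/comment lines."""
    tok = line.split("#", 1)[0].split()
    if not tok:
        return None
    if tok[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny")
    rule = {"action": tok[0], "options": [], "as": None, "cmd": None, "args": None}
    i = 1
    while i < len(tok) and tok[i] in OPTIONS:
        rule["options"].append(tok[i])
        i += 1
    try:
        rule["identity"] = tok[i]  # <username> or :<group>
        i += 1
        for key in ("as", "cmd"):
            if i < len(tok) and tok[i] == key:
                rule[key] = tok[i + 1]
                i += 2
    except IndexError:
        raise ValueError("missing identity or keyword value") from None
    if i < len(tok) and tok[i] == "args":
        rule["args"], i = tok[i + 1:], len(tok)  # everything after args
    if i != len(tok):
        raise ValueError(f"unexpected token {tok[i]!r}")
    return rule

def audit(text):
    """Return (line_number, message) pairs for permit rules worth a second look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            findings.append((n, f"parse error: {exc}"))
            continue
        if rule is None or rule["action"] != "permit":
            continue
        if "nopass" in rule["options"] and rule["cmd"] is None:
            findings.append((n, "nopass with no cmd restriction"))
        if rule["cmd"] and not rule["cmd"].startswith("/"):
            findings.append((n, "cmd is not a full path"))
    return findings

# Constructed sample: two rules from the examples above plus a full-path variant.
SAMPLE = "permit nopass john\npermit ricardo cmd apt args update\npermit ricardo cmd /usr/bin/apt args upgrade\n"
```

Calling audit(SAMPLE) reports line 1 (nopass with no cmd) and line 2 (apt without a full path), and nothing for line 3.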
You can run commands as root or another user the same way as with ‘sudo’. For example, doas apt update or doas -u john touch testfile.
You can check its GitHub page or search in its man page (
If you have any suggestions, feel free to contact me via social media or email.