doas has almost all features of sudo with a fraction of the codebase. It’s from OpenBSD but it’s available in most distros under the OpenDoas project.

Table of Contents

Installation

In Debian / Ubuntu, you can install doas. In Arch Linux, the package name is opendoas.

Configuration

  1. Create a file called doas.conf under /etc (as root). This is an example of the content of /etc/doas.conf to allow users from ‘mygroup’ to run commands as other users. 
      permit :mygroup
  2. For security reasons, when you have finished editing the file, give read only permissions for the owner (root). 
      chmod 400 /etc/doas.conf

Obviously, there are more options to tune permissions:

  • permit|deny: the action to be taken, permit or deny. This always goes at the beginning of every line.
  • nopass: user is not required to type a password.
  • persist: After authentication, do not ask for password again for some time.
  • <username>: specify the username to match.
  • :<group>: specify a group to match.
  • as <username>: user/group can run commands as specified username.
  • cmd <command> [args <arguments>]: you can specify a command and even arguments to that command. It’s recommended to use full paths.

These are some examples:

  • john can run commands as root without typing his password. 
    permit nopass john
  • ricardo can update programs but he cannot install or remove packages (if you run doas apt upgrade -y, it will not work unless you add another line with the upgrade and -y arguments to apt command). 
    permit ricardo cmd apt args update
permit ricardo cmd apt args upgrade

Usage

You can run commands as root or another user the same way as with ‘sudo’. For example, doas apt update or doas -u john touch testfile.

More info

You can check its GitHub page or search in its man page (man doas, man doas.conf).