doas: a lightweight alternative to sudo
doas
has almost all features of sudo with a fraction of the codebase. It’s from OpenBSD but it’s available in most distros under the OpenDoas project.
Table of Contents
Installation
In Debian / Ubuntu, you can install doas
. In Arch Linux, the package name is opendoas
.
Configuration
- Create a file called
doas.conf
under/etc
(as root). This is an example of the content of/etc/doas.conf
to allow users from ‘mygroup’ to run commands as other users.permit :mygroup
- For security reasons, when you have finished editing the file, give read only permissions for the owner (root).
chmod 400 /etc/doas.conf
Obviously, there are more options to tune permissions:
permit|deny
: the action to be taken, permit or deny. This always goes at the beginning of every line.nopass
: user is not required to type a password.persist
: After authentication, do not ask for password again for some time.<username>
: specify the username to match.:<group>
: specify a group to match.as <username>
: user/group can run commands as specified username.cmd <command> [args <arguments>]
: you can specify a command and even arguments to that command. It’s recommended to use full paths.
These are some examples:
john
can run commands as root without typing his password.permit nopass john
ricardo
can update programs but he cannot install or remove packages (if you rundoas apt upgrade -y
, it will not work unless you add another line with theupgrade
and-y
arguments toapt
command).permit ricardo cmd apt args update permit ricardo cmd apt args upgrade
Usage
You can run commands as root or another user the same way as with ‘sudo’. For example, doas apt update
or doas -u john touch testfile
.
More info
You can check its GitHub page or search in its man page (man doas
, man doas.conf
).
Featured content: