Doas

{{Short description|Computer software}}

{{Infobox software

| title = doas

| name = doas

| author = Ted Unangst

| developer = OpenBSD Project{{Cite web|title=OpenBSD 5.8|url=http://www.openbsd.org/58.html|website=www.openbsd.org|access-date=2020-05-06|archive-date=2021-05-17|archive-url=https://web.archive.org/web/20210517090822/http://www.openbsd.org/58.html|url-status=live}}

| released = {{start date and age|2015|10|18|df=y}}

| latest release version = {{wikidata|property|edit|Q71455997|P348|P548=Q2804309}}{{Cite web|url=https://cvsweb.openbsd.org/src/usr.bin/doas/doas.c?rev=1.98|title=src/usr.bin/doas/doas.c - view - 1.98|date=2022-12-22|accessdate=2023-07-22}}

| latest release date = {{Start date and age|{{wikidata|qualifier|single|Q71455997|P348|P548=Q2804309|P577}}}}

| programming language = C

| genre = Security software

| license = ISC license

| website = https://man.openbsd.org/doas

}}

doas (“dedicated openbsd application subexecutor”){{Cite web|title=doas - dedicated openbsd application subexecutor|url=https://flak.tedunangst.com/post/doas|access-date=2022-01-01|website=flak.tedunangst.com}} is a program to execute commands as another user. The system administrator can configure it to give specified users privileges to execute specified commands. It is free and open-source under the ISC license{{Cite web |url=https://cvsweb.openbsd.org/src/usr.bin/doas/doas.c?rev=1.82 |title=Archived copy |access-date=2021-09-29 |archive-date=2021-03-03 |archive-url=https://web.archive.org/web/20210303224700/https://cvsweb.openbsd.org/src/usr.bin/doas/doas.c?rev=1.82 |url-status=live }} and available in Unix and Unix-like operating systems.

doas was developed by Ted Unangst{{man|1|doas|OpenBSD}} for OpenBSD as a simpler and safer sudo replacement.{{Cite web|title=OpenBSD 6.0 tightens security by losing Linux compatibility|url=https://www.infoworld.com/article/3099038/openbsd-60-tightens-security-by-losing-linux-compatibility.html|last=Yegulalp|first=Serdar|date=2016-07-25|website=InfoWorld|language=en|access-date=2020-05-06|archive-date=2021-07-25|archive-url=https://web.archive.org/web/20210725010953/https://www.infoworld.com/article/3099038/openbsd-60-tightens-security-by-losing-linux-compatibility.html|url-status=live}}{{Cite web|title=Linux Sudo bug could allow hackers root access|url=https://www.scmagazineuk.com/article/1663022|last=Millman|first=Rene|date=18 October 2019|website=SC Media UK|url-status=live|archive-url=https://web.archive.org/web/20210929013544/https://insight.scmagazineuk.com/|archive-date=2021-09-29|access-date=2020-05-06}} Unangst himself had issues with the default sudo configuration, which motivated him to develop doas. doas was released with OpenBSD 5.8 in October 2015, replacing sudo. However, OpenBSD still provides sudo as a package.

Configuration

Privileges are defined in the configuration file, /etc/doas.conf.{{Cite web|title=Privileges {{!}} OpenBSD Handbook|url=https://www.openbsdhandbook.com/system_management/privileges/|access-date=2020-05-06|website=www.openbsdhandbook.com|archive-date=2021-03-03|archive-url=https://web.archive.org/web/20210303224642/https://www.openbsdhandbook.com/system_management/privileges/|url-status=live}} The syntax of this file is inspired by that of the packet filter configuration file.

=Examples=

Allow user1 to execute procmap as root without a password:

permit nopass user1 as root cmd /usr/sbin/procmap

Allow members of the wheel group to run any command as root:

permit :wheel as root

A simpler version (this works only if the default user is root, which it is after installation):

permit :wheel

Allow members of the wheel group to run any command (as root by default) and remember that they entered the password:

permit persist :wheel
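
How these rules combine can be checked with a small evaluator. This is an added example, not code from doas or from the original article: it assumes the matching behaviour documented in doas.conf(5) (the last matching rule decides, and an omitted as or cmd matches any target user or any command), approximates the file's quoting with Python's shlex, and uses hypothetical names (parse, decide) and a constructed deny rule.

```python
import shlex
from dataclasses import dataclass, field
from typing import Optional

FLAGS = {"nopass", "nolog", "persist", "keepenv"}  # setenv {...} and args are not modelled

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    identity: str                  # "user" or ":group"
    options: set = field(default_factory=set)
    target: Optional[str] = None   # None: matches any target user
    cmd: Optional[str] = None      # None: matches any command

def parse(text):
    rules = []
    for line in text.splitlines():
        rest = shlex.split(line, comments=True)   # drops '#' comments
        if not rest: continue
        action = rest.pop(0)
        opts = set()
        while rest and rest[0] in FLAGS:
            opts.add(rest.pop(0))
        if action not in ("permit", "deny") or not rest:
            raise ValueError(f"bad rule: {line!r}")
        rule = Rule(action, rest.pop(0), opts)
        while rest:
            key = rest.pop(0)
            if key not in ("as", "cmd") or not rest:
                raise ValueError(f"unsupported syntax: {line!r}")
            setattr(rule, "target" if key == "as" else "cmd", rest.pop(0))
        rules.append(rule)
    return rules

def decide(rules, user, groups, target, cmd):
    last = None
    for r in rules:
        who = r.identity[1:] in groups if r.identity.startswith(":") else r.identity == user
        if who and r.target in (None, target) and r.cmd in (None, cmd):
            last = r               # a later matching rule overrides earlier ones
    if last is None or last.action == "deny":
        return "deny"              # no matching rule means the request is refused
    return "permit-nopass" if "nopass" in last.options else "permit"

RULES = parse("""\
# constructed sample: the rules shown above plus one hypothetical deny rule
permit persist :wheel
permit nopass user1 as root cmd /usr/sbin/procmap
deny :wheel cmd /sbin/reboot
""")
```

Because the last match decides, rule order is part of the policy: placing the broad :wheel rule after the user1 rule would make a wheel member named user1 enter a password for procmap again.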

Ports and availability

Jesse Smith’s{{Cite web |url=https://github.com/slicer69 |title=Slicer69 (Jesse Smith) · GitHub |website=GitHub |access-date=2020-05-06 |archive-date=2021-08-31 |archive-url=https://web.archive.org/web/20210831120849/https://github.com/slicer69 |url-status=live }} port of doas is packaged for DragonFlyBSD,{{Cite web |url=https://github.com/DragonFlyBSD/DPorts/tree/master/security/doas |title=DPorts/Security/Doas at master · DragonFlyBSD/DPorts · GitHub |website=GitHub |access-date=2020-08-24 |archive-date=2021-03-03 |archive-url=https://web.archive.org/web/20210303224641/https://github.com/DragonFlyBSD/DPorts/tree/master/security/doas |url-status=live }} FreeBSD,{{Cite web |url=https://svnweb.freebsd.org/ports/head/security/doas/pkg-descr |title=[ports] Log of /Head/Security/Doas/PKG-descr |access-date=2020-08-24 |archive-date=2021-09-29 |archive-url=https://web.archive.org/web/20210929013539/https://svnweb.freebsd.org/ports/head/security/doas/pkg-descr |url-status=live }} and NetBSD.{{Cite web|title=The NetBSD Packages Collection: security/doas|url=http://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/security/doas/README.html|website=ftp.netbsd.org|access-date=2020-05-06|archive-date=2021-09-29|archive-url=https://web.archive.org/web/20210929013538/http://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/security/doas/README.html|url-status=live}} According to the author, it also works on illumos and macOS.{{Cite web|url=https://github.com/slicer69/doas|title=doas|access-date=2020-08-24|website=GitHub|last=Smith|first=Jesse|archive-date=2021-04-27|archive-url=https://web.archive.org/web/20210427124214/https://github.com/slicer69/doas|url-status=live}}

OpenDoas, a Linux port, is packaged for Debian, Alpine, Arch, CRUX, Fedora, Gentoo, GNU Guix, Hyperbola, Manjaro, Parabola, NixOS, Ubuntu, and Void Linux.{{Cite web|url=https://repology.org/project/opendoas/information|title=opendoas|website=repology.org|access-date=2020-08-24|archive-date=2021-03-03|archive-url=https://web.archive.org/web/20210303224639/https://repology.org/project/opendoas/information|url-status=live}}

Starting with the Alpine Linux v3.16 release, OpenDoas became the suggested replacement for sudo, whose security maintenance time within the distribution was reduced.{{Cite web |title=Alpine 3.16.0 released|url=https://alpinelinux.org/posts/Alpine-3.16.0-released.html |access-date=2023-06-10 |website=alpinelinux.org}}
